PIPEDA Compliance: Privacy Guide for Businesses


Private sector organizations that collect personal data in Canada are subject to the Personal Information Protection and Electronic Document Act (PIPEDA). It is designed to protect personal information during commercial transactions. You must comply with 10 fair principles. These guidelines govern the collection, use, disclosure and access of personal information.

Who does PIPEDA Affect?

This applies to all private-sector organizations in Canada that use, disclose or collect personal information as part of a commercial activity. A commercial activity is “any particular transaction, act or conduct or any regular course or conduct that has a commercial character. This includes the selling, bartering, leasing or leasing donor, membership, or other fundraising lists.”

This law is not applicable to Quebec, British Columbia, and Alberta. They have their own privacy laws. Organizations subject to similar provincial privacy laws are often exempted from PIPEDA in their province. Regardless of origin, all businesses that handle personal information in Canada are subject to PIPEDA.


PIPEDA is always applicable to federally regulated entities that do business in Canada. If you are unsure if your company is covered by PIPEDA, you can use the tool.

What is it covering?

PIPEDA refers to personal information. It is “any factual and subjective information, whether recorded or not, concerning an identifiable individual”. Some examples include:

  • Age, name, ID numbers and income.
  • Opinions, evaluations, comments or disciplinary actions.
  • Files of employees, credit and loan records, medical records, existence or potential dispute between a consumer & a merchant, as well as intentions (e.g. To change jobs

You must comply with 10 principles that govern collection, use, and disclosure of personal data. These are the principles:


Your company is responsible for all personal information it has under its control. The PIPEDA compliance officer must be appointed by you. You are responsible for all personal information, including any that is transferred to third parties. You will need to develop and implement policies and procedures for managing customers’ personal information.

Identifying Purposes

PIPEDA requires that all information collected must be used for a specific purpose. This principle must be adhered to. You should document the reason you ask for the information. Tell the customers why at the time you collect it. If you intend to use the information for another purpose, you must obtain their consent again. If you don’t have a purpose for the information, you should delete it.


PIPEDA’s important mandate is to collect meaningful consent. For the collection, use, and disclosure of personal information by companies, they must obtain consent. People must be able to understand the terms of their consent in order for it to be meaningful. It is important to explain what information is being collected to the public and how it will be used. It is important that consent can be withdrawn at any time by individuals, provided they are given reasonable notice and comply with contractual and legal restrictions. People must be made aware of the consequences of withdrawing consent, such as financial loss and loss of services. PIPEDA permits two types of consent, implied and express. To avoid possible problems, it is better to stick with express consent. However, PIPEDA regulations only require express consent to be given when:

  • The information being collected, used, or disclosed is confidential.
  • The collection, use, or disclosure of information is beyond the reasonable expectations of an individual.
  • The collection, use, or disclosure of data creates a significant residual risk of serious harm.

Limiting Collection

This rule closely relates to the identifying purpose. The law requires companies to collect only the personal data that is necessary to fulfil a purpose. It requires you to be honest when explaining your reasons for collecting personal information. Your staff should be able explain to their supervisors why they need this information.

Retention, Limitation, Disclosure and Limiting Use

PIPEDA stipulates that personal information must only be used or disclosed for the purposes it was collected. You must also ensure that information is only kept for the intended purpose. You must obtain consent from each individual if you wish to use or disclose personal information for another purpose. You should be cautious about the data retention part. Other regulations may also require you to keep certain personal information for a specific amount of time. When deciding how long to keep that information, these factors should be taken into account.


Companies should have procedures in place to minimize the risk of incorrect information being used when making decisions about individuals or disclosing it. It is important to keep your information current and remind users to update their own information. It is also important to establish policies regarding what information should be updated frequently, such as an individual’s preferences or address. You can omit information such as date of birth from the regular updates. To verify that the information is accurate and complete, you should keep track of all steps taken.


Personal information must be protected by companies in a manner that is appropriate for the level of its importance. To protect personal information, you should establish a security policy and implement good security safeguards. Physical measures (e.g. locked filing cabinets, alarm systems) and up-to-date technology (e.g. passwords encryption firewalls and security patches) as well as organizational controls (e.g. Security clearances and access controls. You should take into account the sensitiveness of the information and the potential harm to the individual. Also, consider the extent of information distribution, how large the information is, what format it is, where it is stored, and the risks to your company. To ensure that safeguards are current, they should be reviewed frequently. This is where you can use industry-standard security frameworks in order to show that your implementations comply with industry best practices. Security audits, penetration testing and vulnerability scans can be used to show that you have done your research to protect your company’s data. Employees should also be taught how to be security-aware and what it means to protect personal information.


Openness should be a key part of your company’s information management policies. It should be easily accessible for customers at no cost. It should not contain technical or legal jargon that is difficult to comprehend by the average person.

Individual Access

Individuals have the right to access personal information held by an organization. They can also challenge its accuracy and request that it be changed. This should be done free of charge. It is also important to be able to explain where, how and to whom the information was used. You should provide this information within 30 days. In some cases, you can extend the time by up to 30 days.


A person must be able challenge the organization’s compliance to any information principles in PIPEDA. This individual should be able address the matter directly with the person responsible for compliance with PIPEDA. All complaints should be investigated and a process established for handling them and investigating. Inform complainants about the recourse options available to them, including within your company, industry associations, regulatory bodies, and the OPC.

Penalties and Fines

Fines up to $100,000 CAD for violating PIPEDA are possible. There are three instances where PIPEDA could be used to prosecute criminals

  • After receiving a request for review, purposely destroy information
  • Retaliatory behavior towards employees who try to follow PIPEDA
  • After a complaint has been filed, conducting investigations


PIPEDA is a regulation that applies to Canadian companies doing commercial business. There are some exceptions for non-profit businesses and certain provinces, but most businesses that collect personal data for commercial purposes are subject to PIPEDA. Businesses must obtain consent from consumers before collecting personal information. They must also be collecting it for a specific purpose, and inform the consumer when they ask for consent. Only businesses are allowed to keep personal information for the purpose it was collected. After that, it must be destroyed. Consumers must have the ability to access their data and update it. All communications must be simple and understandable. Communicating with consumers should not involve legal jargon, or complex expressions.