Quick summary
Canada’s PIPEDA, in brief
Canada has several federal data privacy laws and even more provincial ones, which all make up an interwoven network of data protection across the country.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal data privacy law that governs the commercial use of Canadian residents’ personal information.
In PIPEDA, personal information is defined as any kind of data that can identify an individual, including the data that most cookies and trackers collect from your website’s users, such as IP addresses, unique IDs, search and browser history.
PIPEDA took effect in 2000 and has been amended several times to meet the changes that have swept our digital landscapes in the past two decades.
Most notably, PIPEDA is scheduled to receive a major overhaul sometime in 2021 and be turned into the Consumer Privacy Protection Act (CPPA), expanding rights for Canadian residents and updating the current consent regime, as part of the implementation of Canada’s Digital Charter.
Canada’s PIPEDA has received an adequacy decision from the EU Commission, ensuring the free flow of personal data back and forth between Canada and the EU (note: only PIPEDA has been deemed adequate, so it is only data transfers to and from the commercial, private sector of Canada that are covered by the adequacy decision).
In short, Canada’s PIPEDA regulates all gathering, use and disclosure of personal information in the private sector through its 10 PIPEDA Principles; chief among them the requirements that you inform users in detail about your website’s data collection, and obtain their prior, meaningful consent.
PIPEDA is enforced by the Canadian Privacy Commissioner (OPC) and applies to all websites and companies in the world that process personal information from Canadian residents for commercial use.
Canada’s PIPEDA quick breakdown –
- Canada’s PIPEDA took effect in April 2000 and was last amended in 2018. An overhaul of the law is scheduled to take place in 2021, repealing and replacing core parts of PIPEDA with the new Consumer Privacy Protection Act (CPPA).
- Canada’s PIPEDA governs all gathering, use and disclosure for commercial purposes of the personal information of Canadian residents. Use of personal information by the federal government is regulated by the separate federal Privacy Act.
- Canada’s PIPEDA defines personal information as information about an identifiable individual, which includes IP addresses, cookies, search and browser history collected by most websites through third-party cookies and trackers. Some data can be viewed as more sensitive than others, e.g. medical data and sexual orientation, and will require express consent from users.
- Canada’s PIPEDA applies to any website in the world that processes personal information from Canadian residents for commercial use.
- Canada’s PIPEDA empowers Canadian users with the rights to access their personal information, correct it and to challenge your website’s PIPEDA compliance through the Privacy Commissioner.
- Canada’s PIPEDA operates by its 10 PIPEDA Principles, which regulate compliance for websites, companies and organizations processing Canadian residents’ personal information. They include the requirements to inform users about all data collection operations and to obtain explicit or implicit consent from users, depending on the nature of the data you collect.
- Canada’s PIPEDA does not prohibit transfers of personal information outside of Canada, but does hold you liable for privacy breaches and non-compliance.
- Canada’s PIPEDA is enforced by the Privacy Commissioner.
- Non-compliance with Canada’s PIPEDA can result in fines up to CAD 100,000.
PIPEDA compliance with Cookiebot CMP
Cookiebot CMP by Usercentrics is the world’s leading solution for controlling cookies and trackers on your website to ensure compliance with all major data privacy laws on the planet, including Canada’s PIPEDA, EU’s GDPR, UK’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and many others.
As Canada’s PIPEDA requires you to inform users and obtain their consent, PIPEDA compliance means knowing and controlling all cookies and tracking technologies in use on your website, plus having a solution for collecting users’ valid consent to all of the cookies that you use.
This is a time-consuming and difficult task for any website, regardless of size and shape.
Luckily, Cookiebot CMP is a plug-and-play solution that has completely automated the entire PIPEDA compliance process for you and your website.
Built around a powerful scanner that detects every single cookie and similar tracking technology, Cookiebot CMP gives you total insight into your domain’s personal information processing activities.
Cookiebot CMP gives you detailed information on each cookie on your website, including its purpose, duration, technical specifications and provider – facts that you need to inform your users about as part of your PIPEDA compliance.
Through highly customizable consent banners that can be shaped to fit the compliance requirements specific to any region’s data privacy law, including Canada’s PIPEDA, Cookiebot CMP offers a simple way of collecting users’ valid, informed consent.
Cookiebot CMP safely stores all collected consents, automatically renews consent on a regular basis and makes it easy for your website’s users to withdraw their consent as easily as they gave it.
Canada’s PIPEDA, in detail
Let’s break down Canada’s PIPEDA even further and look at its 10 PIPEDA Principles, how it interacts with provincial data privacy laws around Canada (e.g. Alberta and Ontario), and hold it up against the EU’s GDPR for comparison.
The 10 PIPEDA Principles
Canada’s PIPEDA revolves around the ten so-called fair information principles that spell out the rules and regulations around the use of personal information for commercial purposes.
PIPEDA’s definition of commercial purpose includes acts such as selling or trading of your users’ data, e.g. in exchange for analytics services or marketing schemes.
If your website collects personal information from Canadian residents, such as IP addresses or search history, and then trades this information with a third-party service in exchange for user tracking or marketing services, you are likely liable for PIPEDA compliance – no matter where in the world you and your website are operated from.
The 10 PIPEDA Principles are –
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
PIPEDA Principle 1 – Accountability
The first PIPEDA Principle makes it clear that you are responsible for all personal information that your website collects, and that you must have a designated representative in charge of ensuring your PIPEDA compliance.
Additionally, you need to develop and implement privacy policies and practices, which must be readily available for your users to read.
Learn more from the Privacy Commissioner (OPC)
PIPEDA Principle 2 – Identifying Purposes
Why does your website collect the personal information that it does?
This is the question that the second PIPEDA Principle requires you to answer – in detail and prior to actually collecting any personal information from your users.
PIPEDA Principle 3 – Consent
This is the most important PIPEDA Principle of all.
In a nutshell: you must obtain the meaningful consent from users before collecting, using and sharing their personal information.
“Meaningful consent” under PIPEDA involves informing your users of exactly what they are consenting to, e.g. telling them what cookies your website uses, why and what the data is going to be used for.
PIPEDA states that consent is only valid if it is “reasonable to expect” that your users understand the nature, purpose and consequences of your website’s personal information processing.
Additionally, consent under PIPEDA can either be implied consent or express consent.
Implied consent means that your website can collect personal information from users on the assumption that they will consent, without the need for them to explicitly and actively give their consent.
However, for implied consent to be valid, you must still inform your users prior to collection about –
- what kinds of personal information your website will collect,
- for what purposes your website collects this data,
- who you share this data with (e.g. third parties such as Google or Facebook),
- and what the risks and consequences are for users.
Express consent means the active and explicit action on part of the user that constitutes consent, e.g. clicking a button or ticking a box to signal that they allow the subsequent collection of their personal information.
This form of consent is obligatory when processing personal information that can be considered sensitive in nature – e.g. medical and health data, information about an individual’s sexual orientation or religious beliefs.
However, making sure that you always collect express consent from all your website’s users is a safe way to avoid any grey areas of potential non-compliance with PIPEDA.
Additional requirements for valid consent include –
- Inform users in an easily accessible way, e.g. your website’s privacy policy.
- Users must be able to revoke their consent at any time, as easily as they gave it.
- Reobtain consent from users when you make significant changes to your website’s cookie setup or its privacy practices, or introduce new uses and purposes for its data collection, among other things.
- Obtain express consent from a parent or guardian for children under the age of 13.
PIPEDA Principle 4 – Limiting Collection
The crux of the fourth PIPEDA Principle is this: your website is not allowed to collect personal information in ways that exceed or fall outside the stated purposes to which your users have already consented.
If you want to use personal information for different purposes, you must rewrite your privacy policy to include these new purposes – and renew the consent of your users.
PIPEDA Principle 5 – Limiting Use, Disclosure, and Retention
Similar to the fourth, the fifth PIPEDA principle requires you to only use and disclose personal information in the ways that you’ve stated in your privacy policy, and to which your users have already consented.
You are also only allowed to keep personal information (known as “retention”) for as long as needed to serve the purposes that you’ve informed your users about and to which they’ve consented.
As with the previous principle, should you change the ways you want to use or share personal information on your website, you must inform users anew and obtain their consent again.
PIPEDA Principle 6 – Accuracy
It’s a requirement for PIPEDA compliance that the personal information your website collects is accurate and complete, as well as up to date.
Canadian residents have the right to access data collected about them and the right to have it corrected, should they find it inaccurate.
PIPEDA Principle 7 – Safeguards
It is also your responsibility to keep collected personal information safe and secure.
Though Canada’s PIPEDA doesn’t specify exactly what kinds of security measures you must take on your website in order to protect your users’ personal information, this PIPEDA principle gives you an overview of the safeguards required.
Among the proposed safeguards in PIPEDA are –
- Up-to-date encryption technologies, firewalls and security systems,
- Organizational practices and controls for handling personal information,
- Regular review of security and encryption measures.
Personal information must be protected by security appropriate to the sensitivity of the information. If the data collected is of a more sensitive nature, e.g. data on your users’ sexual orientation, it will require stronger safeguards than less sensitive data.
PIPEDA Principle 8 – Openness
Your website needs to be transparent, honest and clear about the kinds of personal information it collects, what it uses it for and the ways in which it gathers and shares it. This eighth PIPEDA Principle clarifies that your privacy policies and information to users must be easy to understand and written in plain language (i.e. not long legal texts). The information you must be open about to your website’s users includes –
- the individual responsible for your website’s privacy policies and practices,
- contact information for users to send access requests via,
- information on how your users can be granted access to the personal information your website has collected about them,
- the ways in which users can complain to you,
- information on what kinds of personal information you share with third parties from your website, and the purposes.
PIPEDA Principle 9 – Individual Access
Canadian residents have the right to access what personal information your website has collected from them, as well as the right to have it corrected if the data is not accurate or complete.
This ninth PIPEDA Principle spells out how you are required to respond to such requests from users, including –
- Telling users what personal information your website has collected from them,
- How your website has collected the data (by which means),
- How your website has used the collected data,
- With whom the data has been shared.
PIPEDA Principle 10 – Challenging Compliance
If users find that you are non-compliant with PIPEDA, e.g. because you violate or don’t live up to one of the above nine PIPEDA Principles, they are legally allowed to challenge your compliance status.
The last PIPEDA principle spells out how such challenges must be issued and how you must respond to them, i.e. by providing users with a simple way to submit their complaint and informing them of their right to refer it to the Privacy Commissioner (OPC).
PIPEDA and provincial data privacy laws
Though Canada’s PIPEDA is a federal data privacy law, several Canadian provinces have similar data privacy laws that are in effect in parallel with PIPEDA.
The following provincial data privacy laws are considered substantially similar to PIPEDA, so if you’re in compliance with them, you are exempt from also seeking compliance with PIPEDA –
Firstly, Alberta’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in Alberta, enforced and supervised by the Information and Privacy Commissioner of Alberta.
Secondly, British Columbia’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in British Columbia, enforced and supervised by the Information and Privacy Commissioner of British Columbia.
Lastly, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector regulates the commercial use of personal information in Quebec, enforced and supervised by the Commission d’accès à l’information du Québec.
PIPEDA vs GDPR
Canada’s PIPEDA has been in force since 2000 and reflects a pre-GDPR time of data protection (although it has been amended several times in response to changes in global data privacy).
The biggest similarities between PIPEDA and GDPR are –
- PIPEDA and GDPR both revolve around user consent as the mechanism that allows your website to collect and use personal information from your visitors.
- PIPEDA and GDPR both define personal information/personal data broadly to include common trackers, cookies and other data that your website collects every day.
- PIPEDA and GDPR both require you to inform your users about your website’s intended collection and use of their data.
- PIPEDA and GDPR both require you to limit the use, disclosure and retention of the data, as well as to provide security and safeguards around the collected data.
- PIPEDA and GDPR require you to only use data for the stated purpose or otherwise renew user consent. Both laws hold you accountable for ensuring the accuracy of the data.
- PIPEDA and GDPR both empower users with the right to access their collected data, and the right to have it corrected if inaccurate.
The biggest differences between PIPEDA and GDPR are –
- PIPEDA applies only to commercial use of personal information vs GDPR applies to both public and private sector use of personal data.
- PIPEDA considers “implied consent” valid vs GDPR requires you to obtain “explicit consent”.
- PIPEDA does not have an adequacy mechanism but requires each website that wishes to transfer personal information abroad to use contractual privacy clauses, vs GDPR, which requires a country to have an adequate level of data protection in order for your website to freely transfer personal data from the EU to it.
With the impending 2021 overhaul of PIPEDA, which will repeal and replace large parts of the law with the new Consumer Privacy Protection Act (CPPA), Canada’s data protection regime might move even closer to the EU’s GDPR, bringing even stronger data privacy to Canadian users than PIPEDA currently offers.
Summary of Canada’s PIPEDA
PIPEDA compliance with Cookiebot CMP
Canada’s PIPEDA is a strong and veteran data privacy law that, like its EU counterpart the GDPR, provides for a substantial consent regime that empowers Canadian residents with actionable and enforceable rights over the personal information they share online every day.
PIPEDA requires your website to obtain valid consent from users before collecting or using any of their personal information, and to inform users about the details of your website’s data collection processes.
Cookiebot CMP by Usercentrics is a plug-and-play PIPEDA compliance solution that can automate all data privacy requirements for your website.
Cookiebot CMP offers full and automated compliance with not only Canada’s PIPEDA, but the EU’s GDPR, UK’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA, Singapore’s PDPA and many others.
FAQ
What is Canada’s PIPEDA?
Canada’s PIPEDA is the federal law governing the gathering, use and disclosure for commercial purposes of the personal information of Canadian residents. Through its 10 PIPEDA Principles, the law lays out requirements and compliance obligations that include informing users of the purposes of data collection, obtaining user consent before collecting personal information and ways to safeguard and secure collected user data.
Who does Canada’s PIPEDA apply to?
Canada’s PIPEDA applies to any website or company anywhere in the world that handles personal information from Canadian residents for commercial purposes. This means that if your website has users from Canada, you’re liable for PIPEDA compliance.
What is personal information under PIPEDA?
Canada’s PIPEDA defines personal information broadly as any kind of data that can identify an individual. This includes common personal information collected by most websites through cookies and trackers, such as IP addresses, unique IDs, search and browser history.
What does PIPEDA compliance entail?
You must inform users in detail of your website’s personal information processing, including the purposes for collection and use. This can be done in your website’s privacy policy. You must also obtain meaningful consent from users before processing any of their personal information. Meaningful consent can be implied, unless the personal information is of a sensitive nature, in which case you must obtain explicit consent from your website’s visitors.
Resources
PIPEDA in brief by the Canadian Privacy Commissioner (OPC)
Office of the Privacy Commissioner of Canada (OPC)
PIPEDA Principles overview by the Privacy Commissioner (OPC)
New proposed law, CPPA, to repeal and replace PIPEDA
Federal privacy reform in Canada: The Consumer Privacy Protection Act (CPPA), IAPP
IAB Canada’s Draft Transparency & Consent Framework (open for public comments until March 20, 2021)