The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal privacy law that regulates how the private sector collects, uses and discloses the personal information of their clients. It also deals with the security of storing and processing that personal data.
PIPEDA originally went into law in 2000. Since then it has been modified several times with the biggest changes introduced in 2015. The amendment known as the Digital Privacy Act included mandatory breach notification requirements and enhanced powers for Canada’s Privacy Commissioner.
Although many sources suggest otherwise, the Canadian act covers businesses operating outside Canada. While the text itself is silent about international reach, the Federal Court of Canada has ruled that PIPEDA should apply if there’s “a real and substantial connection between the foreign organization and Canada and a physical presence is not required”.
This means that if your business offers products or services to Canadian residents, it’s subject to the act.
Rather toothless until now, PIPEDA is set to receive a more threatening bite. Navdeep Bains, the Canadian Minister of Innovation, has announced the government’s proposals to modernize the law. The changes are said to revamp PIPEDA and match the standards set by Europe’s GDPR.
What does this mean for you and what steps should you take to operate in line with Canadian law? Keep reading to learn the key provisions of PIPEDA and the proposed changes. We’ll also give you ways the law could impact your digital strategy, including how you collect analytics data.
Private organizations operating in Canada are in most cases subject to PIPEDA. There’s no threshold when it comes to size or number of employees. The law applies to sole proprietors and large enterprises alike. The same rules go for foreign organizations dealing with the data of Canadian residents.
But as always, there are some exceptions. Organizations outside PIPEDA’s scope include:
- Those operating entirely in Alberta, British Columbia or Quebec – provinces where local laws similar to PIPEDA are already in effect
- Non-profit organizations, political parties and associations, educational institutions and hospitals – if they don’t engage in any commercial activities
In PIPEDA, the notion of personal information involves any information about an identifiable individual:
- Age, name, ID numbers, income, ethnic origin, blood type
- Opinions, evaluations, comments, social status, disciplinary actions
- Employee files, credit records, loan records, medical records
What’s more, personal information also includes cookies containing a unique identifier. The Office of the Privacy Commissioner of Canada’s guide on Web tracking with cookies states that:
“If the cookie contains a unique identifier, then information about your visits to different websites can be linked together.
Further, if any of the sites (such as social networking sites) collect personal information, this information might also be collected by the advertisers. In this way, advertising companies are able to track the websites that you visit and build up detailed personal profiles […].”
This means that the law also applies to marketing tools, including analytics platforms, operating on cookies.
The Canadian law has been built around ten fundamental privacy principles, including:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
From the digital marketing and analytics point of view, the provisions can be boiled down to these key points:
1) You’re responsible for personal information under your control and you must appoint someone to be in charge of your company’s compliance. Under PIPEDA this person is called the Chief Privacy Officer (CPO).
2) You must limit your collection of personal information to what’s needed for the purposes set by your company (e.g. analytics, remarketing or A/B testing). You need to make sure that the personal information about your visitors is accurate, complete and up-to-date.
3) You can’t obtain, use or disclose personal information without prior consent.
Important note! The requirements for lawful consent under PIPEDA are less strict and less defined than for GDPR. In its current form, PIPEDA allows companies to seek either implied or express consent:
- Express consent is given through a specific action, e.g. clicking the “I agree” button on a consent request banner.
- Implied consent is obtained through a person’s actions or inaction, for example when a user has been given an opportunity to opt out but has not done so.
If you’re not sure which method applies in your case, the Office of the Privacy Commissioner of Canada has Guidelines for obtaining meaningful consent that suggest:
“Organizations must generally obtain express consent when:
- The information being collected, used or disclosed is sensitive
- The collection, use or disclosure is outside of the reasonable expectations of the individual
- The collection, use or disclosure creates a meaningful residual risk of significant harm”
Also bear in mind that if a visitor files a complaint about your privacy practices, you may need to prove that you obtained valid consent from them. For that reason it makes sense to stick to express consent whenever possible.
5) You must inform every interested individual about the collection, use and disclosure of their personal information and give them access to it. They should also have a chance to review the accuracy and completeness of their data. Finally, they should be able to challenge your organization’s compliance with PIPEDA principles and bring their challenge to your Chief Privacy Officer (CPO).
6) You must protect personal data using security measures proportional to the sensitivity of the information. In the case of a personal data breach, you need to report it to the Privacy Commissioner of Canada, notify the affected individuals and keep a record of the breach.
The fines for a breach of PIPEDA requirements are up to $100,000.
While PIPEDA shares some common points with GDPR, the two laws don’t have the same strength or impact on business. They differ especially in their consent requirements and penalties for non-compliance.
However, the Canadian authorities noticed that the act is slowly losing touch with today’s privacy standards. The most recent attempt to bring Canada up to speed with modern data protection laws came in the form of The Digital Charter in 2019. Since the Digital Charter is only a guideline, not a binding document, the next logical step for legislators is to revise current law and put the charter’s principles in practice.
This is already happening. Although there are no official amendment drafts to date, last year the Canadian government prepared a document that sets the direction for future changes. It’s called Strengthening Privacy for the Digital Age – Proposals to modernize the Personal Information Protection and Electronic Documents Act.
The list of the suggested tweaks covers many aspects of handling personal information. Below are the key takeaways concerning digital marketing and web analytics:
The current wording of PIPEDA doesn’t give you precise instructions on collecting consents, but the proposal aims to change this by:
- Providing clearer information about when requesting consent is not appropriate
- Replacing the notion of “implied consent” with a concept similar to GDPR’s “legitimate interests”
- Prohibiting contracts in which access to information or services is conditional on consent to data collection and processing
According to the proposal, the new amendment to the law may incorporate pseudonymous information into the exceptions to consent. At the same time, this kind of data will require special protection.
PIPEDA already provides a right of access that requires businesses to give an individual a copy of their personal information if they request it.
The proposed changes to PIPEDA include a new right to data mobility. If an individual requests access to their personal information, you should provide them with a copy of their data in an “easily accessible format”.
You’ll also need to come up with a way to delete a user’s data if they request it.
Finally, the proposal announces new powers for the Office of the Canadian Privacy Commissioner. This will allow them to better enforce PIPEDA and issue fines and penalties directly.
Although it is not yet known how the new amendment of PIPEDA will unfold, the government’s proposal to modernize the law gives some cues on the directions it could take.
Below are some of the most important action points for dealing with analytics data under PIPEDA:
Collecting or holding data, especially personal information, that you’re not using is potentially risky and has no business benefit. You should only collect and keep what you can use.
A CPO should be responsible for your company’s compliance with law and protection of personal information. If your company operates worldwide, you need a CPO (or data protection officer) to act in line with other regulations such as GDPR anyway. That person will also guide you through the Canadian privacy regulation landscape.
Implied or explicit consent? To decide, study the guidelines and assess which solution makes the most sense for your organization. But at the same time, bear in mind that the upcoming changes to PIPEDA are said to strengthen the rules around consent.
If the predictions turn out to be true, the Canadian act will employ a concept of legitimate interest similar to the one laid out in GDPR. Under GDPR, legitimate interest is not an accepted legal ground for handling analytics data, so chances are you may need to switch to explicit consent to remain compliant.
If you want to learn more about the notion of legitimate interests, be sure to read these guidelines by the UK Information Commissioner’s Office.
The next step would be to rethink your analytics choices. If you want to collect personal information about your clients, you need software that will allow you to fulfill the obligations of PIPEDA. It should also allow you to collect personal information in the first place.
Let’s take the example of Google Analytics. The platform forbids you from storing personally identifiable information (PII), the American equivalent of personal information, on its servers. But at the same time it collects cookie IDs, advertising IDs, IP addresses and other end user identifiers that are considered personal information under PIPEDA.
Because of that, you may end up in a situation where you don’t collect any personal information except for online identifiers. But you’ll still have to deal with all the obligations of PIPEDA.
It’s worth considering other analytics platforms that allow you to store more meaningful pieces of personal information. Of course, that software will also need to give you the means to protect the privacy and security of your data.
Alternatively, you could switch to a product that allows you to avoid personal information and the liabilities its collection entails. The best way to do this is by using advanced anonymization methods.
If you’ve chosen to use express consent, now you need to think about how you will respect user rights.
The act alone doesn’t specify how to collect consents and process user requests. However, there are several solutions that have worked well under GDPR, for instance consent managers. Some of them, including Piwik PRO Consent Manager, allow you to display different consent requests in different local jurisdictions. Thanks to this, with the help of one tool you will meet the obligations of multiple privacy laws, such as GDPR, LGPD in Brazil and of course, PIPEDA.
Bear in mind that even if you choose to rely on implied consent, you still need to ensure that your visitors can exercise their right to access and rectify their data or revoke consent. You can process such requests manually or automate the process using a data request manager.
Although 2020 hasn’t brought any new changes to PIPEDA, it seems that the main reason for this might be the global pandemic. While the current situation may have shifted the government’s priorities, we can expect that the changes will only be temporarily postponed but not canceled. We’ll keep you posted!
Meanwhile, if you’re interested in how Piwik PRO can help you comply with PIPEDA, be sure to contact our team. We’ll be happy to fill you in on the details!