Introduction

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection, use, and disclosure of personal information in the private sector.  As a baseline, any website that collects personal information on Canadians should have a Privacy Policy. Canadians need to be able to give you consent to your data collection, usage, and disclosure practices. The Privacy Policy is the tool by which you gather their consent.  The Privacy Policy is often found in concert with the Terms of Service, a contract that governs use of your website, and the Cookies Policy, a policy that governs your use of cookies and other automated trackers.

What are the Penalties for Breaching PIPEDA?

The potential penalties for breaching PIPEDA are severe. If your organization is found to be non-compliant with PIPEDA, you may be fined up to $100,000 per infraction. You may additionally be subject to further legal action from the Office of the Privacy Commissioner and/or the Attorney General of Canada.

What is considered “personal information”?

A privacy policy is needed if you collect personal information on Canadians. “Personal information” is broadly defined in PIPEDA as any “information about an identifiable individual,” whether public or private, with limited exceptions. The key to determining whether it counts as “personal information” is whether the information identifies an individual. This would include obvious data like a person’s name, age, address, email, phone number, social insurance number, and date of birth. It may also include more specific data including a person’s ID number, income, ethnic origin, blood type, opinions, evaluations, comments, social status, or disciplinary actions.

When is a Privacy Policy Needed?

In general terms, a privacy policy is needed if you collect personal information on Canadians. In addition, it should be heavily considered if your website has any of the following interactive features, which may collect personal information:

• a mailing list sign-up
• a contact form
• a user registration
• a user profile or back-end
• user reviews
• user comments
• on-site purchases
• on-site downloads and uploads

What’s covered in a Privacy Policy?

There’s no one-size-fits-all for a good privacy policy. It’s a highly customizable policy that depends on the nature of your business, the sophistication of your website, and the extent of your data collection, usage, and disclosure practices.  In general, a privacy policy should address the 10 FAIR information Principles of PIPEDA, and should cover the following topics, where applicable:

• Consent to the privacy policy
• Geographic, age, or other user restrictions
• The types of data collected on the user
• The methods by which data is collected
• The use of automated technologies like cookies, pixels, and trackers
• How and where the data is stored
• The ways the data is used
• The disclosure of data with third parties
• How the data is protected and retained
• How the user can withdraw their consent or correct mistakes