Canadian Data Privacy Law: PIPEDA

"Privacy will continue on a similar path as the evolution of cybersecurity. Like with security, a standard of constant privacy will become the new normal," Chris Babel, CEO of TrustArc.


In 2018 alone, we’ve seen a multitude of new privacy laws: GDPR, California’s Consumer Privacy Act, Colorado’s Protections for Consumer Data Privacy law, and Vermont’s data broker law. And as of Nov. 1, Canada’s new data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), went into effect.


PIPEDA is like other privacy laws in that organizations "must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy."


PIPEDA defines "personal information" as information about an identifiable individual. Personal information collected for government or by an employer is not covered.


The Act gives individuals the right to:

  • know why an organization collects, uses or discloses their personal information;
  • expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
  • know who in the organization is responsible for protecting their personal information;
  • expect an organization to protect their personal information by taking appropriate security measures;
  • expect the personal information an organization holds about them to be accurate, complete and up-to-date;
  • obtain access to their personal information and ask for corrections if necessary; and
  • complain about how an organization handles their personal information if they feel their privacy rights have not been respected.


The Act requires organizations to: 

  • obtain consent when they collect, use or disclose an individual’s personal information;
  • supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction;
  • collect information by fair and lawful means; and
  • have personal information policies that are clear, understandable and readily available.



In general, PIPEDA applies to organizations’ commercial activities in all provinces, except organizations that collect, use or disclose personal information entirely within provinces that have their own privacy laws, which have been declared substantially similar to the federal law. In such cases, it is the substantially similar provincial law that will apply instead of PIPEDA, although PIPEDA continues to apply to federal works, undertakings or businesses and to interprovincial or international transfers of personal information.


Penalties under PIPEDA are much lighter than under other privacy regulations. Data breaches must be reported to the Office of the Privacy Commissioner (OPC). Failing to report a breach to the OPC or to the affected customers, or failing to keep a record of all data breaches, can cost organizations fines of up to $100,000.


It is important to note that organizations that already meet the standards of GDPR and any applicable U.S. laws may already be largely covered and have little additional work to do for PIPEDA.


In an increasingly digitized world, Digital Edge values privacy and is committed to protecting your personal data. Data and the protection of data are at the core of everything we do. As such, our business is built on Stability, Security, Efficiency, and Compliance, enabling us to protect our customers’ most valuable assets. We are committed to complying with the new legislation and will collaborate with partners throughout this process. Not ready? Need assistance? For more information on this regulation, and to ensure that your organization is meeting the critical compliance requirements, contact Digital Edge today!

Danielle Johnsen
VP of Compliance

Danielle V. Johnsen joined the Digital Edge team in 2015 as the VP of Compliance. With a passion for information security and organizational compliance, Danielle’s vision is to enable collaboration between 'The Business' and Information Technology, thus creating common objectives and outcomes that benefit the organization while staying in compliance with all regulatory bodies and companywide policies. She specializes in security frameworks and policies such as ISO 9001, ISO 27001, NYS DFS 500, NIST, HIPAA, GDPR, PCI, OSPAR, and more!
