What Is PIPEDA, and How Does It Affect Organizations Doing Business In Canada?

Across the world, countries are becoming more concerned about their citizens’ data privacy. The 2021 Cyberthreat Defense Report (CDR) by CyberEdge Group found that 85.7 percent of Canadian businesses were hit by at least one cyberattack in 2021. The frequency and seriousness of cyberattacks like data breaches and identity theft have propelled countries like Canada to establish strict laws to protect their citizens’ sensitive data. One of those laws is PIPEDA. If you do business in Canada, it’s imperative that you fully understand what this federal law is and how you can adhere to these principles, thus avoiding serious fines, lawsuits, reputation loss, or worse – permanent closure.  

What Is PIPEDA? 

Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s primary federal law that defines how businesses can collect, use, or disclose personally identifiable information (PII) when carrying out commercial activities. Under this law, there are 10 fair information principles that organizations must follow regarding individuals.

Specifically, these rules ensure that individuals: 

• Give consent to the use of their personal information 
• Can access their information 
• Can correct their information 
• Know it will be protected 

PII can include: 

• Addresses 
• Blood type 
• Credit records 
• DNA 
• Driver’s licenses 
• Ethnic or national origin  
• Education 
• Employment history 
• Full names 
• ID numbers 
• Incomes 
• Marital status 
• Medical history 
• Opinions 
• Political affiliations and beliefs 
• Social insurance number 

PII excludes any business information needed to maintain business operations, such as business addresses, email addresses, employee names, phone numbers, and titles. 

If a business violates any PIPEDA principle, individuals have the right to formally report this to the Office of the Privacy Commissioner or even the Federal Court. Depending on the violation, businesses may also be charged with criminal offenses.  

Who Oversees PIPEDA? 

The Office of the Privacy Commissioner of Canada (OPC) is in charge of regulating PIPEDA. It’s important to note that the OPC only investigates and handles data security complaints. Indeed, this regulator lacks the power to order compliance or impose fines on businesses.  

When Was PIPEDA Established?  

PIPEDA was established on April 13, 2000.  

Who Does PIPEDA Affect? 

PIPEDA applies to any business that handles personal information involving a commercial activity that does not qualify for an exemption. In Canada, private sector organizations and federal works, undertakings, or businesses (FWUBs) must follow this law. Private organizations can include partnerships, small to medium-sized businesses (SMBs), and privately-managed corporations. To avoid confusion, it’s helpful for companies to understand what these three core topics mean under this privacy law – personal information, commercial activity, and exemptions.  

Personal Information 

PIPEDA defines personal information as “information about an identifiable individual,” while the Office of the Privacy Commissioner indicates that this sensitive information can be factual or subjective. Various examples help illustrate this point, such as using activities and employee or consumer statuses to describe a person. Additionally, handling personal information involves collecting, using, or disclosing this information. Indeed, this data does not have to be recorded or stored somewhere to be considered personal information.   

Commercial Activity  

As for commercial activity, PIPEDA uses a more specific definition: “Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” For organizations that do business in Canada, keep in mind that the activity for which they are using the information is what must be commercial rather than the personal information itself. It can be challenging to determine what constitutes commercial activity because this definition is ever-changing to keep the pace of evolving technology. A typical example of commercial activity would be a company’s site used to promote its business.  

Exemptions  

Like any privacy law, there are specific exemptions in place for PIPEDA. These exemptions can be based on who you are, what information you handle, where you handle it, or why you do it. 

Who You Are

• Federal government organizations listed under the Privacy Act are exempt from PIPEDA. 
• Provincial and territorial governments and agencies are exempt.  
• Not-for-profit groups, charity groups, political parties, and political associations are typically exempt. However, this law does apply when businesses are engaging in commercial activity that isn’t “central to their mandate.”
• Hospitals, municipalities, schools, and universities are generally exempt since a provincial law covers them.  

What Information You Handle

As long as a business only contacts an individual in a professional capacity, this contact information is generally exempt from PIPEDA. 

Where You Handle the Personal Information 

Depending on where a business is located, they may be exempt from this law if their province already has a privacy law. The Office of the Privacy Commissioner indicates that this typically applies to Alberta, British Columbia, and Quebec. Furthermore, this exemption can also extend to personal health information used in commercial activities in the following provinces: 

• Labrador 
• New Brunswick 
• Newfoundland 
• Nova Scotia 
• Ontario 

Keep in mind that this specific exemption does not apply to federally regulated organizations, only commercial ones.  

How Tokenization Can Help Businesses Under PIPEDA Compliance 

Since organizations depend on sustainable growth to stay in business, these privacy laws are a constant reminder that data privacy and security must be a top priority with every business decision. Federal regulations like PIPEDA and GDPR will likely continue to evolve and require businesses to follow suit. Instead of falling victim to cyberattacks, penalties, and losing customers, business owners can adopt a layered security approach that will protect their customers’ personal information, help them maintain critical business utility, scale their business, and stay out of compliance scope. How is this possible? There are numerous solutions, but one effective option is tokenization. Tokenization refers to replacing sensitive data like PII with randomly generated data called tokens. Depending on the business use case, these tokens can contain some or none of the original input data. Indeed, this security solution can help companies avoid disaster if they do business in Canada and beyond. Contact a TokenEx expert today to learn how we can help you achieve peace of mind that your customers’ personal information will be protected, and you can achieve PIPEDA compliance.