PIPEDA compliance with RecordPoint

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal directive for data privacy in Canada.

It became law on April 13, 2000, and governs how private sector organizations that do business in Canada protect consumer data. Companies that collect and process consumer data in Canada must comply with this legislation, and with RecordPoint, they can be confident that their data governance and data privacy standards are in compliance.

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal law in Canada that governs how private sector organizations ensure the privacy of consumer data. It was passed on April 13, 2000, as part of an effort to build consumer trust in e-commerce. The law has since gone through several reviews, with the first one occurring in 2007.

PIPEDA applies to any private-sector organization that collects, uses, or discloses personal information in the course of a commercial activity throughout Canada. The law defines a commercial activity as any transaction, act, conduct, or regular course of conduct that is commercial in nature. This can mean selling goods and services, bartering, and/or the leasing of donor, membership, or other fundraising lists.

As specified in PIPEDA, personal information refers to data about an identifiable individual, not including the name, title or business address, or telephone number of an employee of an organization.

PIPEDA empowers individuals with the right to:

  • Know why a company or organization collects, uses, or discloses their personal information
  • Expect organizations to collect, use, and disclose their personal information reasonably and appropriately, and not to use it for any purpose other than that to which they have consented
  • Know who is responsible for protecting their personal information
  • Expect organizations to protect their personal information by taking appropriate security measures
  • Expect that their personal information is accurate, complete, and up-to-date within the organization's databases
  • Obtain access to their personal information and ask for corrections if necessary
  • Complain about how an organization handles their personal information if they feel their privacy rights have not been respected

PIPEDA requires a few things from organizations, including:

  • Receiving consent from consumers before collecting data
  • Supplying an individual with a product or service even if they refuse to have their data collected, unless the data collection is necessary for the transaction
  • Collecting information by fair and lawful means
  • Having personal information policies that are clear, understandable, and readily available

Some businesses are exempt from PIPEDA – companies that comply with provincial legislation in Alberta, British Columbia, and Quebec don't have to follow PIPEDA guidelines because those provincial laws are similar in scope to PIPEDA.

How can businesses comply with PIPEDA?

Businesses required to comply with PIPEDA need to follow the 10 fair information principles.

How RecordPoint can help

RecordPoint includes key features designed to assist with PIPEDA compliance. These features include:

Data minimization

Proactively dispose of data you don’t need with custom retention policies that make minimization effortless.

AI classification

Use AI to classify data instantly, so you know exactly where sensitive data lives and how to protect it.

Compliance task automation

Automate compliance tasks with AI and machine learning models trained on your data.

Penalties for noncompliance

Penalties for noncompliance with PIPEDA come in three forms:

  • Financial penalties – Businesses and organizations can be fined up to $100,000 CAD for each violation of PIPEDA. The Office of the Privacy Commissioner (OPC) is aggressive in investigating complaints about violations, with Home Depot of Canada recently being found to violate PIPEDA by sharing data with a service provider without explicit consent.
  • Class-action lawsuits or other legal actions – The OPC is limited in terms of what penalties it can assess, but organizations in violation of PIPEDA may be referred to the Attorney General of Canada for additional legal action. As a result of this referral, organizations could be audited, forced into compliance agreements, or forced to disclose company behavior to the public, among other punishments.
  • Reputation impact – The OPC publicly denouncing a business for violating PIPEDA could result in a loss of consumer trust. This may lead to fewer consumers doing business with that organization, with knock-on financial impacts.

Frequently asked questions

What kind of data is covered under PIPEDA?
What businesses are covered under PIPEDA?