Privacy Laws In Canada: How Your Personal Information is Protected

If you’ve been keeping up with the news, you’ve probably noticed that privacy law has been a hot topic over the past few years (*cough* GDPR *cough*). It can be difficult to parse all this new information, especially in the context of Canadian organizations and consumers. In light of this, we called up our lawyer (Hi Kim!) and asked if she could help us break down the most important privacy laws in Canada—the ones that actually affect you.

The two Canadian privacy laws that you need to know about are:

  1. the Privacy Act
  2. the Personal Information Protection and Electronic Documents Act (“PIPEDA”)

The Privacy Act only applies to federal institutions, while PIPEDA applies to private sector organizations in provinces excluding Alberta, British Columbia, and Quebec. If you live in one of these provinces, be sure to check the provincial privacy laws that apply to you!

For all other provinces (such as Ontario, where Speedyrails is located), PIPEDA is the foundation for online personal information protection. It applies to (non-federally-regulated) organizations that conduct business in Canada. In a nutshell, the law affects how these organizations can collect, use, retain, or disclose personal information. This means that if your organization conducts business in Canada and is not a charity, not-for-profit, political party, or association, PIPEDA should apply to you. Most of the time, organizations need valid consent from individuals to collect, use, or disclose personal information.

If PIPEDA applies to your organization, you must:

  1. Adopt appropriate privacy policies, designate a privacy representative, and have a compliance system in place.
  2. Set out the purpose for collecting, using, and disclosing personal information at or before collection.
  3. Obtain valid consent, express or implied, written or oral, before collection, and inform the individual about the purpose of collection.
  4. Only collect information required for the identified purposes.
  5. Only keep, use, or disclose personal information as necessary; once it is no longer required, dispose of it securely and permanently.
  6. Make efforts to ensure that personal information is as up-to-date, accurate, and complete as possible for the identified purpose.
  7. Protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification.
  8. Ensure that if an individual requests their personal information, the organization provides it in an understandable form. If asked, the organization must also outline its privacy practices, including but not limited to its privacy representative or contact information, access procedures, what personal information it holds, and its disclosure or information-sharing practices.
  9. Provide individuals, on request, with information within 30 days regarding where their personal information is held (or where it has been or will be disclosed), and provide access to that information at no cost to the individual. If the personal information is inaccurate, the individual can demand that the organization correct any errors.
  10. Have in place a privacy complaint or request intake system, including complaint and resolution processes.

If you’re a consumer, you have the right to:

  • Know why your personal information is being collected, used, or disclosed.
  • Give, withhold, or withdraw your consent regarding your personal information.
  • Know what personal information an organization has about you, what they have done with your personal information, how and where they have stored your information, and how they protect your personal information.
  • Have your personal information be corrected if it is inaccurate.

For example, consumers have the right to know what personal information is collected about them from the websites they visit. Websites can collect tons of data from you, including your email address, IP address, browser information, cookie information, and more.

Under PIPEDA, organizations only need “implied consent” from consumers before they can start collecting information. That being said, you have the right to withdraw your consent whenever you want to (you don’t need any more reason than that). Or, you can ask the organization to correct any inaccurate information. As soon as the purpose for collecting the information no longer applies, the organization must stop storing this information and have it erased from all their records and servers.

Although Canada has privacy laws in place to protect consumers, new laws are popping up all around the world to create better regulation and consequences for privacy law breaches.

Canada is not immune to such changes (nor should we be). In November 2017, 17 years after the law was introduced, the federal government decided to formally review PIPEDA. In February 2018, the committee published “Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act” which recommends changes to refresh PIPEDA and keep it up-to-date with global laws and the ever-evolving technological landscape.

Here are some recommendations from the report to bring PIPEDA up to speed:

  • Implementing an opt-in consent model.
  • Implementing measures to improve transparency.
  • Changing the form of revocation.
  • Updating what is considered a legitimate business interest (for setting out purposes of collecting, using, or disclosing personal information).
  • Updating the rules on consent for minors.
  • Implementing a right of data portability (which means individuals can request organizations to delete all their personal information).
  • Expanding the Privacy Commissioner’s powers and authority to audit, and allowing more serious fines for non-compliance.

Organizations can start implementing these recommendations now to stay ahead of the curve, even though the law hasn’t changed yet. Note that if a Canadian company has European customers, these recommendations should already be in place in order to comply with the GDPR. If we make these recommended changes to the law, there will be more transparency as to how personal information is treated, a right to obtain your information, and a right to be forgotten. Plus, there would be bigger fines for organizations that do not comply with PIPEDA. 

As technology grows and changes, so will our legislation. It’s more important than ever for Canadian organizations with an online presence to ensure that their data collection, use, storage, and disclosure activities comply with any upcoming changes to PIPEDA or other applicable laws.

If organizations are in breach of their obligations under PIPEDA, individuals can bring complaints to the Office of the Privacy Commissioner.

The content on this website is provided for informational purposes only and does not constitute legal advice or opinion of any kind. Should you require legal advice or more information, you can reach Smutylo Sigler law firm at 613-869-5440 or send an email to
