Sample Privacy Policy for Canada

In Canada, the Personal Information Protection and Electronic Documents Act (or PIPEDA), governs the collection and use of personal information and how it's protected.

If your business is operating from Canada, learn the best practices to implement for your PIPEDA-compliant Privacy Policy and/or privacy practices.

The PIPEDA law from Canada

Canada Flag

The PIPEDA Act requires covered organizations and other entities (businesses) to get a user's consent when collecting, using or disclosing that user's personal information.

Whatever personal information you collect from users may only be used for the express purpose for which it was collected and nothing more.

Any additional use outside the original scope requires further consent from the user. Also, users must be assured that the information collector (the business, the website, the mobile app) will reasonably protect their information.

Any commercial activity that uses, collects, or discloses some kind of personal information is covered by the regulations of the PIPEDA Act in Canada.

Commercial activity means any particular transaction, act, conduct, or any regular course of conduct that is commercial in character, including selling, bartering or leasing of donor, membership or fundraising lists.

This would inherently include websites, mobile apps, Facebook apps, desktop apps. If all these platforms are operated in any of those capacities specified above, it's covered by the Canada's Act.

Shopify is based in Canada and their Privacy Policy informs users about what personal information Shopify might be collecting and how they are using that information:

Screenshot of Shopify Privacy Policy

For example:

If a business isn't generating any revenue from a website or mobile app, they still might be covered. If the personal information being gathered from users is used for future website and app development or to improve the experience of users on the website or mobile app, then the website/mobile app's commercial success is indirectly benefiting.

Therefore, it's covered.

Personal information can be a nebulous term. It could be anything that someone finds to be private in nature.

PIPEDA statutorily defines "personal information" to include any factual or subjective information, recorded or not, about an identifiable individual. This includes:

  • name
  • age
  • ID numbers
  • income
  • ethnic origin
  • blood type
  • opinions
  • evaluations
  • comments
  • social status
  • disciplinary actions
  • employee files
  • credit records
  • loan records
  • medical records
  • the existence of a dispute between a consumer and a merchant
  • and so on

As you can see, PIPEDA's scope of coverage is comprehensive.

Specific exceptions are excluded from coverage, such as personal information collected solely for artistic, journalistic, or literary purposes and information collected by designated governmental agencies.

The principles from PIPEDA

Canada's PIPEDA Act forms a base rule that there's an overarching obligation to maintain responsibility for the guarding of personal information and the fair handling at all times through the entire organization and in all third party dealings.

Businesses are compelled that any collection, use or disclosure of personal information must only be for a reasonable purpose.

Alongside this base rule, Schedule I of PIPEDA lays 10 Fair Information Principles that businesses must follow to remain in compliance with the Act:

Accountability

Businesses must be accountable. To fulfill this principle, assign an individual from your business to be responsible for active compliance with Canada's PIPEDA Act.

A business should take extra precautions to protect the personal information it collects from users. As a business owner, you should develop a series of policies to keep the collected information protected.

Accountability goes farther than just a business owner's own actions.

Any third parties that personal information is shared with obligates the original information collector to be responsible for any mishandling from that interaction.

Shopify (which started in Canada and has a local presence there) informs users that any third-party that Shopify might partner with is required to have a similar Privacy Policy as their own:

Shopify Third-Party Privacy Policy

It reads:

Shopify may use third party service providers to provide certain services to you and we may share Personal Information with such service providers. We require any company with which we may share Personal Information to protect that data in a manner consistent with this policy and to limit the use of such Personal Information to the performance of services for Shopify.

Identify Purposes

The purpose of collecting a piece of personal information must always be clear.

At the point of collecting any type of information, mention why the information is being gathered and what its purpose will be.

Your Privacy Policy should include mentions why certain types of personal information are collected and what's the purpose of the collection.

That's how HootSuite, a Canada-based business, informs users in their Privacy Policy about what personal information is collected from users when new users are creating an account:

HootSuite Privacy Policy On Personal Info at Registration

The same applies if you develop a mobile app or a desktop app. Your Privacy Policy should make clear what kind of personal information your app is collecting and why.

Rover, a company based in Toronto, Canada, develops a beacon platform for retailers to use that involves a mobile app as well. Its Privacy Policy informs users about what personal information might be collected and its use:

Screenshot of Rover Privacy Policy

The more clear the purpose of the information use, the better.

Consent

Under Canada's PIPEDA, informed consent must be meaningful and clear.

Before getting consent from a user, you should explain how the information you'll collect will be used. This shouldn't be done in a deceptive manner.

This requirement can create certain difficulties on mobile apps because of its screen limitations. No reasonable person will actually read and consent to a 50-page consent agreement or 10-page Privacy Policy on their smartphone screen.

Here's how eBay designed their Privacy Policy on its iOS app:

eBay Privacy Policy Embedded on Mobile App

While the full Privacy Policy of eBay isn't shown on the mobile screen, a user can read the Privacy Policy summary and learn the highlights of eBay's privacy practices on their mobile.

According to PIPEDA, consent should be asked not only before obtaining a piece of information but also to be continually updated and asked. There are several exceptions to this, but these exceptions should rely on after every other step has been implemented.

Limit Collection

Personal information shouldn't be collected haphazardly and users mustn't be misled on the reasons for which the information is being collected.

The scope of information that's gathered should be narrow and tailored to the exact requirements needed.

Nothing more or less.

Limit Use, Disclosure And Retention

Businesses must only use personal information only for the purpose the user agreed upon and must keep the personal information as long as necessary to achieve its purpose.

Once that information is no longer necessary for the purpose it was gathered, it must be destroyed, erased or rendered anonymous.

Information that isn't necessary and is stored all time without purpose poses a potential breach of data.

Datacratic (based in Canada), in their Privacy Policy, informs users that no personal information is collected while users are browsing their website unless users voluntarily choose to provide certain personal information:

Datacratic excerpt on Personal Info in Privacy Policy

It reads:

Daatacratic does not collect any personally identifiable information about you when you visit the Website unless you voluntarily provide this information, for example by contacting us through our email forms (including sending us queries or responding through the Website to our job postings.) Personal information collected in these cases may include your name, contact details, email address, telephone number and your resume.

Accuracy

All uses of users' information must be done accurately and appropriately. Personal information records must be kept complete, organized, and as up to date as possible.

Regularly used personal information must be regularly kept up to date.

Safeguards

Personal information that's collected through a website or mobile app must be protected from theft, loss, unauthorized access, disclosure, use, copying or modification regardless of how the information is stored.

The sensitive nature of the information collected, the amount of it and the extent of any breaches of safeguards are all taken into account when considering whether a business has met its duty.

Open Access

The policies must be clear and easily understood by a reasonable layperson.

Checkfront (based in Canada) provides a very easy to read Privacy Policy for users to learn what information is begin collected and how is it used:

Screenshot of Checkfront Privacy Policy

Individual Access

Individuals whose personal information has been used or given have a right to access that information.

Businesses, once requested, must inform users of all information the business has on them and provide full and accurate disclosure on how it's being used.

Challenging Compliance

Finally, businesses must provide some form of complaint procedure for users.

All complaints must be investigated to some capacity and corrective action must be taken if warranted.

How to comply with PIPEDA

How should a business move forward and improve their website or mobile app, while adhering to these regulations imposed by PIPEDA?

Below are a series of questions broken into categories that should be considered before you make the decision if your website or mobile app is market ready.

Consider what information is going to be collected from users:

  • Is the information you're going to collect considered personal information under Canada's PIPEDA Act?
  • Will the information be used as a part of a routine business practice? e.g. email addresses to access restricted sections of your website or your mobile app
  • Is there a designated place that files with this kind information will be kept, either digitally or physically? e.g. a database
  • Who will have access to the collected information, both internally and externally? e.g. who can read the database
  • Have you updated your Privacy Policy to include what type of personal information you collect?

As maintaining accountability is one of the Fair Information Principles and one of the more important ones, a clear chain of command for responsibility is critical:

  • Is there a designated privacy officer who can ensure compliance with PIPEDA?
  • Is it more than one designated person? If yes, are the responsibilities clearly designated for each person?
  • Will your staff know who answers to requests for personal information, correction, and complaints? Will that be clear to users?
  • Will your staff know how to accurately understand and explain PIPEDA and how it is implemented throughout the business?
  • Have you updated your Privacy Policy to inform users where to send their complaints and questions regarding your privacy practices? e.g. to a specific email address or via postal mail

Before you publish your Privacy Policy, consider the following:

  • Does the Privacy Policy detail how the information is being gathered or how users can make a complaint?
  • Is the use and purpose of the collected personal information described clearly?
  • Is the Privacy Policy visible and conspicuously placed on your website or mobile app?
  • Have your reviewed the Privacy Policy for accuracy?
  • Does your Privacy Policy include a section for users to know where to direct their complaints or questions?

How the information is collected, used, disclosed and retained must be identified to all parties involved: business, users, third parties, and so on. Key questions to consider here are:

  • Have you identified the purposes for which you collect the personal information?
  • Are you detailing these purposes to users at the point of or before the information is going to be collected?
  • Is the information you're collecting actually for the purposes that are mentioned in your Privacy Policy?
  • Is there any documentation supporting this?
  • Is there a timetable for retaining and destroying old and inaccurate personal information?
  • How will old and inaccurate personal information be disposed of?

In accordance with PIPEDA, scrutinizing every detail about the regular uses and removal of users' private information will allow the business to be certain that their actions are in compliance with the formal regulation.

Another crucial Fair Information Principal is consent. Appropriately asking for consent from a user is important:

  • Does your staff know that consent must be gained before or at point of collection and then again for any new use or disclosure of such information?
  • Is express consent asked where possible? Particularly for extra sensitive information such as credit cards and identification numbers?
  • Is the request for consent clear and understandable to the user?

These are some simple questions that can help you when you begin drafting your Privacy Policy.

It's important to note that businesses need to receive legitimate consent from a user regarding the business' privacy practices (and thus consent the terms from its Privacy Policy). This is called a clickwrap agreement.

Otherwise, the consent to abide by the Privacy Policy might no longer be enforceable.

Accurate record keeping of information is another important aspect that must be considered:

  • Is the information being gathered sufficiently accurate and up to date, taking into account efforts to not inappropriately misuse someone's information?
  • Are updates documented?
  • Is this information distributed to third parties accurate, if third parties are involved?

Remember: any miscommunication about the personal information could result in breaching PIPEDA.

Implementing safeguards to protected the personal information you collect is mandatory:

  • Do safeguards prevent inappropriate access, modification, collection, use, and disclosure of information?
  • Are the safeguards appropriate in correspondence to the sensitivity, scale, format and method of storage of the information?
  • Is there a hierarchy who knows what levels of information are being collected?
  • Are there any rules prohibiting or permitting certain staff from accessing the private information once it's been gathered?

When the user either requests to access what information was collected or complains about your Privacy Policy, the business must be able to respond appropriately:

  • Is staff aware of the legal time limits on responding to requests?
  • Can information be retrieved for requests with minimal interruption to the daily function of the business?
  • Is the information provided at minimal or no cost to the user?
  • Is the information provided in a clear manner?
  • Are alternatives for disabled people available, such as Braille and Audio tapes?
  • Can individuals file complaints easily?
  • Are complaints responded to in an expedient manner?
  • Are complaints investigated to some extent? Are the complainants advised on their possible options?
  • When complaints are justified, are there any appropriate corrective actions taken in response?