NEW – IAB Canada Response to the Office of the Privacy Commissioner of Canada Strategic Plan – March 28th, 2024

IAB Canada Response on the Draft Guidance for Processing Biometrics, February 16, 2024

Developed to promote consumer confidence in eCommerce the Personal Information Protection and Electronic Documents Act (PIPEDA) became law in April 2000.

PIPEDA is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.

Due to the borderless nature of the digital eco-system, an increasingly important intention of the law is to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens.

PIPEDA must be reviewed by Parliament every five years.

Defining Personal Information

“Personal Information”, as specified in PIPEDA, is as follows: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

  • The law gives individuals the right to
    • know why an organization collects, uses or discloses their personal information;
    • expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
    • know who in the organization is responsible for protecting their personal information;
    • expect an organization to protect their personal information by taking appropriate security measures;
    • expect the personal information an organization holds about them to be accurate, complete and up-to-date;
    • obtain access to their personal information and ask for corrections if necessary; and
    • complain about how an organization handles their personal information if they feel their privacy rights have not been respected.
  • The law requires organizations to
    • obtain consent when they collect, use or disclose their personal information;
    • supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
    • collect information by fair and lawful means; and
    • have personal information policies that are clear, understandable and readily available.

IAB Canada is very actively engaged in communication around proposed amendments to PIPEDA having submitted several responses during industry consultations as well as in-person testimonial at the House of Commons.

IAB Canada recently published a useful checklist for organizations to use as a general guideline to help ensure best practices when handling data.

Other Resources

Submission to the Office of the Privacy Commissioner of Canada Consultation on Transfers for Processing - 2019

To view the submission, please click here.

IAB Canada Policy Update - April 2019

An update on key IAB Canada privacy initiatives including work being done in Europe and the US, as well as themes and developments in Canada in the privacy and regulatory arena.

To view the deck, please click here.

IAB Canada Policy Update - December 2018

On December 5th, 2018, at our Spotlight on Policy webinar,  IAB Canada and Adam Kardash, Chair Privacy and Data Management at Osler, Hoskin& Harcourt LLP presented the following:

  • PIPEDA’s Security Breach Notification Requirements
  • CASL – Significant Anti-Spam Law Development

You can find the presentation here.

New Guidelines for Mandatory Breach Reporting under PIPEDA and how they Impact Digital Advertising - 2018

As anticipated, the Office of the Privacy Commissioner of Canada (OPC) clarified where obligation lies in reporting a data breach, while personal information is resting with a third-party processor. Developed to assist organizations in meeting their breach reporting and record-keeping obligations under PIPEDA’s mandatory breach reporting regime, this come into full force on November 1, 2018.

This critical piece of PIPEDA legislation impacts virtually all IAB Canada members and we strongly recommend you review these final guidelines with your internal privacy compliance officer and all members of the organization dealing directly with data management and processing. We also recommend that you discuss this will your media partners to ensure these new guidelines are fully understood.

The principal organization retains control of personal data, throughout the entire process, and therefore retains accountability and the responsibility for reporting a breach.

To summarize, the OPC reinforces that the principal organization bears the responsibility in reporting the breach. As they have control of the personal information it is therefore their responsibility to report a violation.

To quote the guidelines:

The Act requires an organization to report a breach involving personal information under its control. Therefore, the obligation to report the breach rests with an organization in control of the personal information implicated in the breach”

The OPC then goes on to address the questions of responsibility and control once personal information has been transferred to a third party:

In this regard, we note that PIPEDA’S accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing. In addition, we have heard from many stakeholders that requiring both the principal organization and the processor to report the breach would be largely inconsistent with existing business practices and raise various operational concerns”

IAB Canada would like to stress the importance of maintaining a secured partner strategy. It is more important than ever to ensure that you have trusted vendors who are in full compliance of PIPEDA regulation. We strongly recommend that this is reflected in your agreements and that you revisit any existing contracts to revise as necessary.

Our Policy & Regulatory Affairs Committee will be monitoring this matter and we will provide any updates as they become available. If you or anyone in your organization have any interest in applying for the Policy & Regulatory Committee, please contact

A Checklist of Privacy Regulatory Authority Expectations - May 2017

IAB Canada recently held a Privacy for Publishers workshop covering off the latest developments in privacy legislation in Canada. There was a lengthy discussion about responsibilities around personal information as well as best practices.

As a follow-up IAB Canada released a checklist that was developed by our Head of Policy and Regulatory Affairs, Adam Kardash at Osler. The checklist is derived from a 26-page guidance document released in 2012 by the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia entitled “Getting Accountability Right with a Privacy Management Program”.

We hope you find the document useful as you develop your internal compliance management program.

IAB Privacy Compliance Checklist – May 2017


If you have any questions, or would like to discuss further, please reach out to