Personal Information Protection and Electronic Documents Act (PIPEDA) – Brief Overview

Back to Resources

Developed to promote consumer confidence in eCommerce the Personal Information Protection and Electronic Documents Act (PIPEDA) became law in April 2000.

PIPEDA is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.

Due to the borderless nature of the digital eco-system, an increasingly important intention of the law is to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens.

PIPEDA must be reviewed by Parliament every five years.

Defining Personal Information

“Personal Information”, as specified in PIPEDA, is as follows: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

The law gives individuals the right to

  • know why an organization collects, uses or discloses their personal information;
  • expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
  • know who in the organization is responsible for protecting their personal information;
  • expect an organization to protect their personal information by taking appropriate security measures;
  • expect the personal information an organization holds about them to be accurate, complete and up-to-date;
  • obtain access to their personal information and ask for corrections if necessary; and
  • complain about how an organization handles their personal information if they feel their privacy rights have not been respected.

The law requires organizations to

  • obtain consent when they collect, use or disclose their personal information;
  • supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
  • collect information by fair and lawful means; and
  • have personal information policies that are clear, understandable and readily available.

IAB Canada is very actively engaged in communication around proposed amendments to PIPEDA having submitted several responses during industry consultations as well as in-person testimonial at the House of Commons.

IAB Canada recently published a useful checklist for organizations to use as a general guideline to help ensure best practices when handling data.