PIPEDA, CPPA & Cookie Consent in Canada

PIPEDA: The Basics

Let’s start with an overview of PIPEDA, or the Personal Information Protection and Electronic Documents Act. This law aims to protect the personal information of Canadian residents and ensure that it is kept private and secured.

According to PIPEDA, personal information includes identifying information like your name, date of birth, IP address, cookies, and more. It applies to any organization that collects, discloses, or utilizes personal information for commercial activities.

Through its ten principles, it governs all the collection, use, and disclosure of private data in Canada:

Governing Principles

These are ten governing principles under PIPEDA:

1. 1. Accountability: The organization that collects the information will be held accountable for compliance. This accountability still applies to any data transferred to another vendor for processing.
   2. Identifying Purposes: The business must identify the purpose of the data collection. Thus purpose should be clear at the time of collection.
   3. Consent: The individual must be aware that the information is being collected and what it will be used for. Similarly, the individuals must first provide their consent.
   4. Limiting Collection: Only the information needed to achieve the organization’s purpose can be collected. The collection process shall also be fair and lawful.
   5. Limiting Use, Disclosure, and Retention: A business cannot use personal data for any other purpose other than what they disclosed. They must get additional consent as required by law to use the data in other areas, and they can only retain the information until it fulfills that purpose.
   6. Accuracy: The organization must ensure that all personal data is complete and accurate, as needed for their purposes.
   7. Safeguards: Appropriate measures must be taken to safeguard personal and sensitive information.
   8. Openness: The organization must make its policies and practices that govern how they manage personal data available to users. They should be able to review these practices before giving their consent to share information.
   9. Individual Access: An individual must be given details about the existence, use, and disclosure of personal data upon request. They will also get access to the data so they can challenge the accuracy and completeness, if necessary.
   10. Challenging Compliance: Individuals can challenge an organization’s compliance with the principles described above. There should be a designated role within the organization to address these concerns.

Here you can find the actual PIPEDA text.

Use the CookieFirst consent management platform for PIPEDA compliance. The CookieFirst CMP offers a comprehensive cookie policy generator, customizable cookie banner or cookie notice and third-party script management.

Obligations Under PIPEDA

So, what exactly is a business required to do to comply with PIPEDA?

The most important aspect of this legislation is consent. Organizations must obtain consent from everyone before they gather, use, or disclose any personal information. Similarly, they must continue to provide products and services even if a person refuses to provide consent – unless the data is essential to complete the transaction.

Your organization must also develop clear and understandable data policies that can be supplied to users and demonstrate compliance with PIPEDA.

Data privacy acts like the PIPEDA and the CPPA require user consent before obtaining and processing personal data.

Consumer Rights

PIPEDA provides extensive rights to consumers when it comes to data privacy. They can ask why their data is being collected or used and get access to those specific records.

Individuals have the right to know who is responsible for protecting their data. They can also expect the organization to take minimum safety measures to keep it secured. If they feel that their private details were not handled properly, they can complain to the appropriate party within the company.

PIPEDA and Cookie Consent

Since PIPEDA requires you to obtain consent from your users before collecting and sharing their personal information, the law also applies to cookies. Although this definition is still evolving, the fact is that organizations must obtain clear consent before tracking data.

When an organization asks for consent, they must indicate whether those details will be shared with another organization or third party. Likewise, they must describe why the information is being collected and the purpose it will be used for.

To comply with this legislation, the users must also have access to the privacy rules and regulations that will govern how the organization manages its data.

What does this look like in practice?

In simple terms, users must have a clear opportunity to say yes or no to cookies. You must provide users with the choice right away before they use the product or service, and you should explain the terms plainly. If you would like to know more about the types of cookies, then read our article: What are cookies ?

What is the CPPA?

In November 2020, the Canadian government introduced the CPPA – or the Consumer Privacy Protection Act. This legislation is very similar to the GDPR in Europe and aims to enhance the protections under PIPEDA to further protect residents.

While the governing principles of PIPEDA will remain unchanged, it will establish new rules about how businesses can collect, use, and disclose personal information. It will be enforced starting in late 2021 and will apply to all organizations that access the information of Canadian citizens for commercial gain.

Other enhancements under this new regulation will allow individuals to control the transfer of personal information between organizations. They will also have the right to request this data be deleted if they chose to withdraw their consent.

Even if users consent to share their data, the CPPA will require the business to remove specific identifiers – like names – from the data that they hold.

Under the CPPA, express consent to collect cookies will be considered the default requirement. Although that doesn’t mean implied consent through notice will not be acceptable in certain circumstances, it will require businesses to take extra measures to comply.

For instance, implied consent might work if the website owner only uses cookies to improve the user experience or gather usage data for themselves. On the other hand, if the cookies will collect data to share with third parties to develop targeted ads, they will likely need prior express consent.