Many businesses in Canada are becoming more aware that they have privacy obligations, but are still confused about which laws apply to them.
This post will break down the various pieces of privacy legislation and when they may apply to your business.
PIPEDA (The Personal Information Protection and Electronic Documents Act) - this is Canadian federal legislation. It applies to businesses that collect "personal information" in the course of their commercial activities. "Personal information" includes any information that is linked to an identifiable individual. This applies to all businesses in most of Canada (see below).
Province-Specific Privacy Laws - Some provinces in Canada have made their own privacy laws that apply either in place of PIPEDA (Quebec, Alberta, BC) or in addition to PIPEDA (i.e. for health-related information - Ontario, NB, NL and NS). To read further on these provincial laws - click here. For some organizations, the significance of health privacy legislation may be that they need to store their data in Canada (instead of on servers outside of Canada).
GDPR (General Data Protection Regulation) - this is legislation from the European Union that applies to businesses in Canada if they are targeting people in the EU with their marketing (and collecting personal data from them). A significant difference from PIPEDA is that you need express consent to collect and process data.
CCPA (California Consumer Privacy Act) - this is relatively new US legislation and it is the most stringent privacy legislation in the US. It has been referred to as "GDPR lite". Canadian companies would only need to comply if they have gross revenue over $25m, have more than 50,000 customers, or derive 50% or more of their revenue from user data (i.e. not too many of my clients :).
Other states in the US have privacy legislation which is generally less strict than PIPEDA.
Have any privacy-related questions? Send me an email at [email protected]