Businesses and your personal information

September 2016

When you do business with a company, you do more than simply exchange money for a product or service. You may also leave behind a trail of personal information about yourself, including, for example, your name, address, credit card number and spending habits.

Modern commerce often involves personal information. But sharing your personal information with businesses doesn't mean giving up control over it.  On the contrary, privacy laws in Canada give you a meaningful say in how your personal data is collected, used and disclosed.

Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), sets the ground rules for handling of personal information in course of commercial activities.

It applies equally to small and big businesses, whether they operate out of an actual building or only online.

This document provides an overview of how PIPEDA applies, as well as your rights under the law.

Is every business subject to PIPEDA?

PIPEDA applies to private enterprises across Canada, except in provinces that have adopted substantially similar privacy legislation, namely Québec, British Columbia, and Alberta.

Some provinces fall into this category with respect to personal health information held by health information custodians under health sector privacy laws in those provinces.

However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federally regulated organizations such as radio and television stations, airports and airlines, railways and telecommunication companies.

PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to the Act or to substantially similar legislation.

Tip: Determining whether an enterprise is subject to PIPEDA can be complicated. For more information, see our Summary of privacy laws in Canada, or to use our online tool: What Organization to Contact if You Have a Privacy Issue.

What is personal information?

PIPEDA protects information about an identifiable individual. Personal information includes your:

• Name, race, ethnic origin, religion, marital status, educational level;
• E-mail address and messages, IP (Internet protocol) address;
• Age, height, weight, medical records, blood type, DNA code, fingerprints, voiceprint;
• Income, purchases, spending habits, banking information, credit/debit card data, loan or credit reports, tax returns;
• Social Insurance Number (SIN) or other identification numbers.

What does PIPEDA say?

PIPEDA requires private-sector organizations to collect, use or disclose your personal information by fair and lawful means, with your consent, and only for purposes that are stated and reasonable.

An organization may only collect personal information that is essential to the business transaction. If further information is requested, you are entitled to ask why, and to decline to provide it if you are dissatisfied with the answer. You should still be able to complete the transaction, even if you refuse to give out more personal information than is warranted.

Organizations are also obliged to protect your personal information through appropriate security measures, and to destroy it when it’s no longer needed for the original purposes.

You have the right to expect the personal information the organization holds about you to be accurate, complete and up-to-date. That means you have a right to see it, and to ask for corrections if they got it wrong.

Tip: You can also approach the privacy officer if you wish to see what information the organization has collected about you. Check out our fact sheet for help on accessing your personal information.

PIPEDA sets out 10 "fair information principles" which collectively form the underpinnings of PIPEDA.

Fair Information Principles

1. Accountability - Organizations should appoint someone to be responsible for privacy issues. They should make information about their privacy policies and procedures to available to customers.
2. Identifying purposes - Organization must identify the reasons for collecting your personal information before or at the time of collection.
3. Consent - Organizations should clearly inform you of the purposes for the collection, use or disclosure of personal information.
4. Limiting collection - Organizations should limit the amount and type of the information gathered to what is necessary.
5. Limiting use, disclosure and retention - In general, organizations should use or disclose your personal information only for the purpose for which it was collected, unless you consent. They should keep your personal information only as long as necessary.
6. Accuracy - Organizations should keep your personal information as accurate, complete and up to date as necessary.
7. Safeguards - Organizations need to protect your personal information against loss or theft by using appropriate security safeguards.
8. Openness - An organization’s privacy policies and practices must be understandable and easily available.
9. Individual access - Generally speaking, you have a right to access the personal information that an organization holds about you.
10. Recourse (Challenging compliance) - Organizations must develop simple and easily accessible complaint procedures. When you contact an organization about a privacy concern, you should be informed about avenues of recourse.

Tip: To better understand the responsibilities that organizations have under PIPEDA, please refer to our Privacy Guide for Businesses.

What else should I know?

There are some exceptions to the consent principle. For example, police who show they need personal information for an investigation or during an emergency may not be required under PIPEDA to obtain consent to collect it.

Also PIPEDA does not apply to an employee’s name, title, business address, telephone number and email address, which an organization collects, uses or discloses solely for the purpose of communicating with individuals in relation to their employment, business or profession.

PIPEDA also exempts organizations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes.

And, finally, it is also important to note that PIPEDA applies to commercial activities, therefore, an individual’s collection, use or disclosure of personal information strictly for personal purposes are not covered by the law.

What if I have privacy concerns about a business?

If you have concerns about how a business has handled your personal information, your first step should generally be to raise the concern directly with the organization.  In many cases, you may be able to resolve an issue very quickly.

Tip: We have developed some material to help you raise a privacy concern with business.

What if my concerns are not addressed?

If you have spoken directly with the organization but are not satisfied with the outcome, you have the right to file a complaint with us, the Office of the Privacy Commissioner of Canada. 

Tip: Before considering lodging a complaint, we encourage you to review our Guide to the PIPEDA complaint process. You do not need to hire a consultant or lawyer to help you file a complaint. If you have questions about your privacy rights or our complaints process, you can contact our Information Officers by calling 1-800-282-1376.

For more information

• Fact sheet on Privacy Legislation in Canada
• A Guide for Individuals – Protecting Your Privacy: An Overview of the Office of the Privacy Commissioner of Canada and Federal Privacy Legislation