
PIPEDA compliance with Cookiebot CMP.

Published February 3, 2021.

 

Canada’s PIPEDA is a federal data privacy law governing the gathering, use and disclosure of personal information for commercial use in the country.

PIPEDA compliance requires you to obtain meaningful consent from users in order to collect and use their data, and the law applies to any website in the world that processes personal information from Canadian residents for commercial use.

In this blogpost, we break down Canada’s PIPEDA, its requirements for your website’s use of cookies and trackers, and how to obtain PIPEDA compliance.

Quick summary


Canada’s PIPEDA, in brief

Canada has several federal data privacy laws and even more provincial ones, which all make up an interwoven network of data protection across the country.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal data privacy law that governs the commercial use of Canadian residents’ personal information.

In PIPEDA, personal information is defined as any kind of data that can identify an individual, including the data that most cookies and trackers collect from your website’s users, such as IP addresses, unique IDs, search and browser history.

Did you know that websites on average have 20 cookies in use?
Scan your website for free to detect and control them all




Canada’s PIPEDA protects Canadian residents from unwanted harvest of their personal information.



PIPEDA took effect in 2000 and has been amended several times to meet the changes that have swept our digital landscapes in the past two decades.

Most notably, PIPEDA is scheduled to receive a major overhaul sometime in 2021 and be turned into the Consumer Privacy Protection Act (CPPA), expanding rights for Canadian residents and updating the current consent regime, as part of the implementation of Canada’s Digital Charter.

Canada’s PIPEDA has received an adequacy decision from the EU Commission, ensuring the free flow of personal data back and forth between Canada and the EU (note: only PIPEDA has been deemed adequate, and it is therefore only data transfers to and from the commercial, private sector of Canada that are secured with the EU).

In short, Canada’s PIPEDA regulates all gathering, use and disclosure of personal information in the private sector through its 10 PIPEDA Principles; chief among them the requirements that you inform users in detail about your website’s data collection, and obtain their prior, meaningful consent.

PIPEDA is enforced by the Canadian Privacy Commissioner (OPC) and applies to all websites and companies in the world that process personal information from Canadian residents for commercial use.

Scan your website for free to see if you have users from Canada



Canada's PIPEDA requires consent.

Fines for non-compliance with PIPEDA can reach CAD 100,000.



Canada’s PIPEDA quick breakdown



Cookiebot CMP enables compliance with Canada's PIPEDA.

Canada’s PIPEDA revolves around “meaningful consent”, which you must obtain prior to gathering user data.



Try Cookiebot consent management platform (CMP)

Scan your website to see what cookies and trackers are in operation



PIPEDA compliance with Cookiebot CMP


Cookiebot CMP is the world’s leading solution for controlling cookies and trackers on your website to ensure compliance with all major data privacy laws on the planet, including Canada’s PIPEDA, EU’s GDPR, UK’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and many others.

As Canada’s PIPEDA requires you to inform users and obtain their consent, PIPEDA compliance means knowing and controlling all cookies and tracking technologies in use on your website, plus having a solution for collecting valid consent from users for all of the cookies that you use.

This is a time-consuming and difficult task for any website, regardless of size and shape.

Luckily, Cookiebot CMP is a plug-and-play solution that has completely automated the entire PIPEDA compliance process for you and your website.

Built around a powerful scanner that detects every single cookie and similar tracking technology, Cookiebot CMP gives you total insight into your domain’s personal information processing activities.

Cookiebot CMP gives you detailed information on each cookie on your website, including its purpose, duration, technical specifications and provider – facts that you need to inform your users about as part of your PIPEDA compliance.



Cookiebot CMP consent banner for PIPEDA compliance




Through highly customizable consent banners that can be shaped to fit the compliance requirements specific to any region’s data privacy law, including Canada’s PIPEDA, Cookiebot CMP offers a simple way of collecting users’ valid, informed consent.

Cookiebot CMP safely stores all collected consents, automatically renews consent on a regular basis and lets your website’s users withdraw their consent as easily as they gave it.

Try Cookiebot CMP for PIPEDA compliance today

Scan your website for free to see what cookies and trackers are in use

Visit the Canadian Privacy Commissioner (OPC) for more on PIPEDA compliance

Get started with Cookiebot CMP and Google Consent Mode






Canada’s PIPEDA, in detail


Let’s break down Canada’s PIPEDA even further and look at its 10 PIPEDA Principles, how it interacts with provincial data privacy laws around Canada (e.g. Alberta and Ontario), and hold it up against the EU’s GDPR for comparison.

See the full PIPEDA law text



The 10 PIPEDA Principles

Canada’s PIPEDA revolves around the ten so-called fair information principles that spell out the rules and regulations around the use of personal information for commercial purposes.

PIPEDA’s definition of commercial purpose includes acts such as selling or trading of your users’ data, e.g. in exchange for analytics services or marketing schemes.

If your website collects personal information from Canadian residents, such as IP addresses or search history, and then trades this information with a third-party service in exchange for tracking of users or marketing services, you are likely liable for PIPEDA compliance – no matter where in the world you and your website are operated from.


The 10 PIPEDA Principles are –



Canada's PIPEDA requires consent from end-users.

The ten PIPEDA Principles apply to all personal information processing for commercial use.



PIPEDA Principle 1 – Accountability

The first PIPEDA Principle makes it clear that you are responsible for all personal information that your website collects, and that you must have a designated representative in charge of ensuring your PIPEDA compliance.

Additionally, you need to develop and implement privacy policies and practices, which must be readily available for your users to read.

Learn more from the Privacy Commissioner (OPC)



PIPEDA Principle 2 – Identifying Purposes

Why does your website collect the personal information that it does?

This is the question that the second PIPEDA Principle requires you to answer – in detail and prior to actually collecting any personal information from your users.




PIPEDA Principle 3 – Consent

This is the most important PIPEDA Principle of all.

In a nutshell: you must obtain meaningful consent from users before collecting, using and sharing their personal information.

“Meaningful consent” under PIPEDA involves informing your users of exactly what they are consenting to, e.g. telling them what cookies your website uses, why and what the data is going to be used for.




Consent can be both express and implied, depending on the sensitivity of the personal information.



PIPEDA states that consent is only valid if it is “reasonable to expect” that your users understand the nature, purpose and consequence of your website’s personal information processing.

Additionally, consent under PIPEDA can either be implied consent or express consent.

Implied consent means that your website can collect personal information from users on the assumption that they will consent, without the need for them to explicitly and actively give their consent.

However, for implied consent to be valid, you must still inform your users prior to collection about –


Express consent means the active and explicit action on part of the user that constitutes consent, e.g. clicking a button or ticking a box to signal that they allow the subsequent collection of their personal information.

This form of consent is obligatory when processing personal information that can be considered sensitive in nature – e.g. medical and health data, information about an individual’s sexual orientation or religious beliefs.

However, making sure that you always collect express consent from all your website’s users is a safe way to avoid any grey areas of potential non-compliance with PIPEDA.

Additional requirements for valid consent include –

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

Scan your website to see what cookies and trackers are in use





Canada’s PIPEDA applies to any website in the world, regardless of its location, if it uses personal information from inside the country.



PIPEDA Principle 4 – Limiting Collection

The crux of the fourth PIPEDA Principle is this: your website is not allowed to collect personal information in ways that exceed or fall outside the stated purposes to which your users have already consented.

If you want to use personal information for different purposes, you must rewrite your privacy policy to include these new purposes – and renew the consent of your users.




PIPEDA Principle 5 – Limiting Use, Disclosure, and Retention

Similar to the fourth, the fifth PIPEDA principle requires you to only use and disclose personal information in the ways that you’ve stated in your privacy policy, and to which your users have already consented.

You are also only allowed to keep personal information (known as “retention”) for as long as needed to serve the purposes that you’ve informed your users about and to which they’ve consented.

As with the previous principle, should you change the ways you want to use or share personal information on your website, you must inform users anew and obtain their consent again.




PIPEDA Principle 6 – Accuracy

It’s a requirement for PIPEDA compliance that the personal information your website collects is accurate and complete, as well as up to date.

Canadian residents have the right to access data collected about them and the right to have it corrected, should they find it inaccurate.




Canada's PIPEDA can result in fines up to CAD 100,000.

Canadian users are empowered with the enforceable rights of access and correction.



PIPEDA Principle 7 – Safeguards

It is also your responsibility to keep collected personal information safe and secure.

Though Canada’s PIPEDA doesn’t specify exactly what kinds of security measures you must take on your website in order to protect your users’ personal information, this PIPEDA principle helps you get an overview of the safeguards required.

Among the proposed safeguards in PIPEDA are –

Personal information must be protected by appropriate security relative to the sensitivity of the information. If the data collected is of a more sensitive nature, e.g. data on your users’ sexual orientation, it will require stronger safeguards than less sensitive data.




PIPEDA Principle 8 – Openness

Your website needs to be transparent, honest and clear about the kinds of personal information it collects, what it uses it for and the ways in which it gathers and shares it. This eighth PIPEDA Principle clarifies that your privacy policies and information to users must be easy to understand and written in plain language (i.e. not long legal texts). Information to be open about to your website’s users includes –




PIPEDA Principle 9 – Individual Access

Canadian residents have the right to access what personal information your website has collected from them, as well as the right to have it corrected if the data is not accurate or complete.

This ninth PIPEDA Principle spells out how you are required to respond to such requests from users, including –




PIPEDA Principle 10 – Challenging Compliance

If users find that you are non-compliant with PIPEDA, e.g. because you violate or don’t live up to one of the above nine PIPEDA Principles, they are legally allowed to challenge your compliance status.

The last PIPEDA principle spells out how such challenges must be issued and how you must respond to them, i.e. by providing users with a simple way to give their complaint and informing them of their rights to refer to the Privacy Commissioner (OPC).





PIPEDA governs in parallel with similar data privacy laws in Alberta, British Columbia and Quebec.



PIPEDA and provincial data privacy laws


PIPEDA and Alberta, PIPEDA and British Columbia, PIPEDA and Quebec

Though Canada’s PIPEDA is a federal data privacy law, several Canadian provinces have similar data privacy laws that are in effect in parallel with PIPEDA.

The following provincial data privacy laws are considered equivalent to PIPEDA, so if you’re in compliance with them, it means you are exempt from also seeking compliance with PIPEDA –

Firstly, Alberta’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in Alberta, enforced and supervised by the Information and Privacy Commissioner of Alberta.

Secondly, British Columbia’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in British Columbia, enforced and supervised by the Information and Privacy Commissioner of British Columbia.

Lastly, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector regulates the commercial use of personal information in Quebec, enforced and supervised by the Commission d’accès à l’information du Québec.



Compliance with Canada's PIPEDA by Cookiebot CMP.

PIPEDA compliance is not required if you’re already in compliance with some provincial data laws.



Try Cookiebot CMP for free today

Scan your website to see what cookies are in use



PIPEDA vs GDPR


Canada’s PIPEDA has been in force since 2000 and reflects a pre-GDPR time of data protection (although it has been amended several times in response to changes in global data privacy).

The biggest similarities between PIPEDA and GDPR are –




One of the biggest differences between PIPEDA and GDPR is their scope.



The biggest differences between PIPEDA and GDPR are –

With the impending 2021 overhaul of PIPEDA, which will repeal and replace large parts of the law with the new Consumer Privacy Protection Act (CPPA), Canada’s data protection regime might move even closer to EU’s GDPR, bringing even stronger data privacy to Canadian users than PIPEDA offers currently.



Summary of Canada’s PIPEDA



Canada’s PIPEDA is a strong and veteran data privacy law that, like its EU counterpart, the GDPR, provides for a substantial consent regime, which empowers Canadian residents with actionable and enforceable rights over the personal information they share every day online.

PIPEDA requires your website to obtain valid consent from users before collecting or using any of their personal information, and to inform users about the details of your website’s data collection processes.

Cookiebot CMP is a plug-and-play PIPEDA compliance solution that can automate all data privacy requirements for your website.

Cookiebot CMP offers full and automated compliance with not only Canada’s PIPEDA, but the EU’s GDPR, UK’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA, Singapore’s PDPA and many others.


Learn more about GDPR compliance



FAQ


What is Canada’s PIPEDA?

Canada’s PIPEDA is the federal law governing the gathering, use and disclosure for commercial purposes of the personal information of Canadian residents. Through its 10 PIPEDA Principles, the law lays out requirements and compliance obligations that include informing users of the purposes of data collection, obtaining user consent before collecting personal information and ways to safeguard and secure collected user data.

Try Cookiebot CMP for free today for PIPEDA compliance



Who does Canada’s PIPEDA apply to?

Canada’s PIPEDA applies to any website or company anywhere in the world that handles personal information from Canadian residents for commercial purposes. This means that if your website has users from Canada, you’re liable for PIPEDA compliance.

Scan your website with Cookiebot CMP to see if you process data from Canada



What is personal information under PIPEDA?

Canada’s PIPEDA defines personal information broadly as any kind of data that can identify an individual. This includes common personal information collected by most websites through cookies and trackers, such as IP addresses, unique IDs, search and browser history.




What does PIPEDA compliance entail?

You must inform users in detail of your website’s personal information processing, including the purposes for collection and use. This can be done in your website’s privacy policy. You must also obtain meaningful consent from users before processing any of their personal information. Meaningful consent can be implied, unless the personal information is of a sensitive nature, in which case you must obtain explicit consent from your website’s visitors.

Become PIPEDA compliant with Cookiebot CMP



Resources


Try Cookiebot CMP free for 30 days – or forever if you have a small website

PIPEDA in brief by the Canadian Privacy Commissioner (OPCD)

Office of the Privacy Commissioner of Canada (OPCD)

PIPEDA Principles overview by the Privacy Commissioner (OPCD)

New proposed law, CPPA, to repeal and replace PIPEDA

Canada’s Digital Charter

Federal privacy reform in Canada: The Consumer Privacy Protection Act (CPPA), IAPP

IAB Canada’s Draft Transparency & Consent Framework (open for public comments till March 20, 2021)
