
Canada’s PIPEDA

In this blog post, learn more about Canada’s PIPEDA, its requirements for your website’s use of cookies and trackers, and how to become compliant with Cookiebot consent management platform (CMP).

Published January 17, 2022.

Canada’s PIPEDA is a federal data privacy law governing the gathering, use and disclosure of personal information for commercial use in the country.

PIPEDA compliance requires you to obtain meaningful consent from users in order to collect and use their data, and the law applies to any website in the world that processes personal information from Canadian residents for commercial use.

Quick summary

Canada’s PIPEDA, in brief

Canada has several federal data privacy laws and even more provincial ones, which all make up an interwoven network of data protection across the country.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal data privacy law that governs the commercial use of Canadian residents’ personal information.

In PIPEDA, personal information is defined as any kind of data that can identify an individual, including the data that most cookies and trackers collect from your website’s users, such as IP addresses, unique IDs, search and browser history.

Did you know that websites on average have 20 cookies in use?
Scan your website for free to detect and control them all

Canada’s PIPEDA protects Canadian residents from unwanted harvest of their personal information.

PIPEDA took effect in 2000 and has been amended several times to meet the changes that have swept our digital landscapes in the past two decades.

Most notably, PIPEDA is scheduled to receive a major overhaul sometime in 2021 and be turned into the Consumer Privacy Protection Act (CPPA), expanding rights for Canadian residents and updating the current consent regime, as part of the implementation of Canada’s Digital Charter.

Canada’s PIPEDA has received an adequacy decision from the EU Commission, ensuring the free flow of personal data back and forth between Canada and the EU (note: only PIPEDA has been deemed adequate, and it is therefore only data transfers to and from the commercial, private sector of Canada that are secured with the EU).

In short, Canada’s PIPEDA regulates all gathering, use and disclosure of personal information in the private sector through its 10 PIPEDA Principles; chief among them the requirements that you inform users in detail about your website’s data collection, and obtain their prior, meaningful consent.

PIPEDA is enforced by the Canadian Privacy Commissioner (OPC) and applies to all websites and companies in the world that process personal information from Canadian residents for commercial use.

Scan your website for free to see if you have users from Canada

Fines for non-compliance with PIPEDA can reach CAD 100,000.

Canada’s PIPEDA quick breakdown –

  • Canada’s PIPEDA took effect in April 2000 and was last amended in 2018. An overhaul of the law is scheduled to take place in 2021, repealing and replacing core parts of PIPEDA with the new Consumer Privacy Protection Act (CPPA).
  • Canada’s PIPEDA governs all gathering, use and disclosure for commercial purposes of the personal information of Canadian residents. Use of personal information by the federal government is regulated by the separate federal Privacy Act.
  • Canada’s PIPEDA defines personal information as information about an identifiable individual, which includes IP addresses, cookies, search and browser history collected by most websites through third-party cookies and trackers. Some data can be viewed as more sensitive than others, e.g. medical data and sexual orientation, and will require express consent from users.
  • Canada’s PIPEDA applies to any website in the world that processes personal information from Canadian residents for commercial use.
  • Canada’s PIPEDA empowers Canadian users with the rights to access their personal information, correct it and to challenge your website’s PIPEDA compliance through the Privacy Commissioner.
  • Canada’s PIPEDA operates by its 10 PIPEDA Principles, which regulate compliance for websites, companies and organizations processing Canadian residents’ personal information. They include the requirements to inform users about all data collection operations and to obtain explicit or implicit consent from users, depending on the nature of the data you collect.
  • Canada’s PIPEDA does not prohibit transfers of personal information outside of Canada, but does hold you liable for privacy breaches and non-compliance.
  • Canada’s PIPEDA is enforced by the Privacy Commissioner.
  • Non-compliance with Canada’s PIPEDA can result in fines up to CAD 100,000.
Canada’s PIPEDA revolves around “meaningful consent”, which you must obtain prior to gathering user data.

Try Cookiebot consent management platform (CMP)

Scan your website to see what cookies and trackers are in operation

PIPEDA compliance with Cookiebot CMP

Cookiebot CMP by Usercentrics is the world’s leading solution for controlling cookies and trackers on your website to ensure compliance with all major data privacy laws on the planet, including Canada’s PIPEDA, the EU’s GDPR, the UK’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and many others.

As Canada’s PIPEDA requires you to inform users and obtain their consent, PIPEDA compliance means knowing and controlling all cookies and tracking technologies in use on your website, plus having a solution for collecting users’ valid consent to all of the cookies that you use.

This is a time-consuming and difficult task for any website, regardless of size and shape.

Luckily, Cookiebot CMP is a plug-and-play solution that has completely automated the entire PIPEDA compliance process for you and your website.

Built around a powerful scanner that detects every single cookie and similar tracking technology, Cookiebot CMP gives you total insight into your domain’s personal information processing activities.

Cookiebot CMP gives you detailed information on each cookie on your website, including its purpose, duration, technical specifications and provider – facts that you need to inform your users about as part of your PIPEDA compliance.

Cookiebot CMP consent banner for PIPEDA compliance

Through highly customizable consent banners that can be shaped to fit the compliance requirements specific to any region’s data privacy law, including Canada’s PIPEDA, Cookiebot CMP offers a simple way of collecting users’ valid, informed consent.

Cookiebot CMP safely stores all collected consents, automatically renews consent on a regular basis and makes it easy for your website’s users to withdraw their consent as easily as they gave it.

Try Cookiebot CMP for PIPEDA compliance today

Scan your website for free to see what cookies and trackers are in use

Visit the Canadian Privacy Commissioner (OPC) for more on PIPEDA compliance

Get started with Cookiebot CMP and Google Consent Mode

Canada’s PIPEDA, in detail

Let’s break down Canada’s PIPEDA even further and look at its 10 PIPEDA Principles, how it interacts with provincial data privacy laws around Canada (e.g. Alberta and Ontario), and hold it up against the EU’s GDPR for comparison.

See the full PIPEDA law text

The 10 PIPEDA Principles

Canada’s PIPEDA revolves around the ten so-called fair information principles that spell out the rules and regulations around the use of personal information for commercial purposes.

PIPEDA’s definition of commercial purpose includes acts such as selling or trading your users’ data, e.g. in exchange for analytics services or marketing schemes.

If your website collects personal information from Canadian residents, such as IP addresses or search history, and then trades this information with a third-party service in exchange for tracking of users or marketing services, you are likely liable for PIPEDA compliance – no matter where in the world you and your website are operated from.


The 10 PIPEDA Principles are –

  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Challenging compliance
The ten PIPEDA Principles apply to all personal information processing for commercial use.

PIPEDA Principle 1 – Accountability

The first PIPEDA Principle makes it clear that you are responsible for all personal information that your website collects, and that you must have a designated representative in charge of ensuring your PIPEDA compliance.

Additionally, you need to develop and implement privacy policies and practices, which must be readily available for your users to read.

Learn more from the Privacy Commissioner (OPC)

PIPEDA Principle 2 – Identifying Purposes

Why does your website collect the personal information that it does?

This is the question that the second PIPEDA Principle requires you to answer – in detail and prior to actually collecting any personal information from your users.

Learn more from the Privacy Commissioner (OPC)

PIPEDA Principle 3 – Consent

This is the most important PIPEDA Principle of all.

In a nutshell: you must obtain meaningful consent from users before collecting, using and sharing their personal information.

“Meaningful consent” under PIPEDA involves informing your users of exactly what they are consenting to, e.g. telling them what cookies your website uses, why and what the data is going to be used for.

Consent can be both express and implied, depending on the sensitivity of the personal information.

PIPEDA states that consent is only valid if it is “reasonable to expect” that your users understand the nature, purpose and consequences of your website’s personal information processing.

Additionally, consent under PIPEDA can either be implied consent or express consent.

Implied consent means that your website can collect personal information from users on the assumption that they will consent, without the need for them to explicitly and actively give their consent.

However, for implied consent to be valid, you must still inform your users prior to collection about –

  • what kinds of personal information your website will collect,
  • for what purposes your website collects this data,
  • who you share this data with (e.g. third parties such as Google or Facebook),
  • and what the risks and consequences are for users.

Try Cookiebot CMP for PIPEDA compliance today

Express consent means an active and explicit action on the part of the user that constitutes consent, e.g. clicking a button or ticking a box to signal that they allow the subsequent collection of their personal information.

This form of consent is obligatory when processing personal information that can be considered sensitive in nature – e.g. medical and health data, information about an individual’s sexual orientation or religious beliefs.

However, making sure that you always collect express consent from all your website’s users is a safe way to avoid any grey areas of potential non-compliance with PIPEDA.

Additional requirements for valid consent include –

  • Inform users in an easily accessible way, e.g. your website’s privacy policy.
  • Users must be able to revoke their consent at any time, as easily as they gave it.
  • Reobtain consent from users when you make significant changes to your website’s cookie setup or its privacy practices, or introduce new uses and purposes for its data collection, among other things.
  • Obtain express consent from a parent or guardian for children under the age of 13.

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Scan your website to see what cookies and trackers are in use

Learn more from the Privacy Commissioner (OPC)

Canada’s PIPEDA applies to any website in the world, regardless of its location, if it uses personal information from inside the country.

PIPEDA Principle 4 – Limiting Collection

The crux of the fourth PIPEDA Principle is this: your website is not allowed to collect personal information in ways that go beyond or fall outside the stated purposes to which your users have already consented.

If you want to use personal information for different purposes, you must rewrite your privacy policy to include these new purposes – and renew the consent of your users.

Learn more from the Privacy Commissioner (OPC)

PIPEDA Principle 5 – Limiting Use, Disclosure, and Retention

Similar to the fourth, the fifth PIPEDA principle requires you to only use and disclose personal information in the ways that you’ve stated in your privacy policy, and to which your users have already consented.

You are also only allowed to keep personal information (known as “retention”) for as long as needed to serve the purposes that you’ve informed your users about and to which they’ve consented.

As with the previous principle, should you change the ways you want to use or share personal information on your website, you must inform users anew and obtain their consent again.

Learn more from the Privacy Commissioner (OPC)

PIPEDA Principle 6 – Accuracy

It’s a requirement for PIPEDA compliance that the personal information your website collects is accurate and complete, as well as up to date.

Canadian residents have the right to access data collected about them and the right to have it corrected, should they find it inaccurate.

Learn more from the Privacy Commissioner (OPC)

Canadian users are empowered with the enforceable rights of access and correction.

PIPEDA Principle 7 – Safeguards

It is also your responsibility to keep collected personal information safe and secure.

Though Canada’s PIPEDA doesn’t specify exactly what kinds of security measures you must take on your website in order to protect your users’ personal information, this PIPEDA principle helps you get an overview of the safeguards required.

Among the proposed safeguards in PIPEDA are –

  • up-to-date encryption technologies, firewalls and security systems,
  • organizational practices and controls for handling personal information,
  • regular review of security and encryption measures.

Personal information must be protected by security appropriate to the sensitivity of the information. If the data collected is of a more sensitive nature, e.g. data on your users’ sexual orientation, it will require stronger safeguards than less sensitive data.

Learn more from the Privacy Commissioner (OPC)

PIPEDA Principle 8 – Openness

Your website needs to be transparent, honest and clear about the kinds of personal information it collects, what it uses it for and the ways in which it gathers and shares it. This eighth PIPEDA Principle clarifies that your privacy policies and information to users must be easy to understand and written in plain language (i.e. not long legal texts). Information you must be open about with your website’s users includes –

  • the individual responsible for your website’s privacy policies and practices,
  • contact information for users to send access requests via,
  • information on how your users can be granted access to the personal information your website has collected about them,
  • the ways in which users can complain to you,
  • information on what kinds of personal information you share with third parties from your website, and the purposes.

Learn more from the Privacy Commissioner (OPC)

PIPEDA Principle 9 – Individual Access

Canadian residents have the right to access what personal information your website has collected from them, as well as the right to have it corrected if the data is not accurate or complete.

This ninth PIPEDA Principle spells out how you are required to respond to such requests from users, including –

  • Telling users what personal information your website has collected from them,
  • How your website has collected the data (by which means),
  • How your website has used the collected data,
  • With whom the data has been shared,

Learn more from the Privacy Commissioner (OPC)

PIPEDA Principle 10 – Challenging Compliance

If users find that you are non-compliant with PIPEDA, e.g. because you violate or don’t live up to one of the above nine PIPEDA Principles, they are legally allowed to challenge your compliance status.

The last PIPEDA principle spells out how such challenges must be issued and how you must respond to them, i.e. by providing users with a simple way to submit their complaint and informing them of their right to refer the matter to the Privacy Commissioner (OPC).

Learn more from the Privacy Commissioner (OPC)

PIPEDA governs in parallel with similar data privacy laws in Alberta, British Columbia and Quebec.

PIPEDA and provincial data privacy laws

PIPEDA and Alberta, PIPEDA and British Columbia, PIPEDA and Quebec

Though Canada’s PIPEDA is a federal data privacy law, several Canadian provinces have similar data privacy laws that are in effect in parallel with PIPEDA.

The following provincial data privacy laws are considered equivalent to PIPEDA, so if you’re in compliance with them, it means you are exempt from also seeking compliance with PIPEDA –

Firstly, Alberta’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in Alberta, enforced and supervised by the Information and Privacy Commissioner of Alberta.

Secondly, British Columbia’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in British Columbia, enforced and supervised by the Information and Privacy Commissioner of British Columbia.

Lastly, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector regulates the commercial use of personal information in Quebec, enforced and supervised by the Commission d’accès à l’information du Québec.

PIPEDA compliance is not required if you’re already in compliance with some provincial data laws.

Try Cookiebot CMP for free today

Scan your website to see what cookies are in use

PIPEDA vs GDPR

Canada’s PIPEDA has been in force since 2000 and reflects a pre-GDPR time of data protection (although it has been amended several times in response to changes in global data privacy).

The biggest similarities between PIPEDA and GDPR are –

  • PIPEDA and GDPR both revolve around user consent as the mechanism that allows your website to collect and use personal information from your visitors.
  • PIPEDA and GDPR both define personal information/personal data broadly to include common trackers, cookies and other data that your website collects every day.
  • PIPEDA and GDPR both require you to inform your users about your website’s intended collection and use of their data.
  • PIPEDA and GDPR both require you to limit the use, disclosure and retention of the data, as well as to provide security and safeguards around the collected data.
  • PIPEDA and GDPR require you to only use data for the stated purpose or otherwise renew user consent. Both laws hold you accountable for ensuring the accuracy of the data.
  • PIPEDA and GDPR both empower users with the right to access their collected data, and the right to have it corrected if inaccurate.
One of the biggest differences between PIPEDA and GDPR is their scope.

The biggest differences between PIPEDA and GDPR are –

  • PIPEDA applies only to commercial use of personal information vs GDPR applies to both public and private sector use of personal data.
  • PIPEDA considers “implied consent” valid vs GDPR requires you to obtain “explicit consent”.
  • PIPEDA does not have an adequacy mechanism but requires each website that wishes to transfer personal information abroad to use contractual privacy clauses vs GDPR requires a country to have an adequate level of data protection before your website can freely transfer personal data from the EU to it.

With the impending 2021 overhaul of PIPEDA, which will repeal and replace large parts of the law with the new Consumer Privacy Protection Act (CPPA), Canada’s data protection regime might move even closer to the EU’s GDPR, bringing even stronger data privacy to Canadian users than PIPEDA offers currently.

Summary of Canada’s PIPEDA

PIPEDA compliance with Cookiebot CMP

Canada’s PIPEDA is a strong and veteran data privacy law that, like its EU counterpart the GDPR, provides for a substantial consent regime, which empowers Canadian residents with actionable and enforceable rights over the personal information they share every day online.

PIPEDA requires your website to obtain valid consent from users before collecting or using any of their personal information, and to inform users about the details of your website’s data collection processes.

Cookiebot CMP by Usercentrics is a plug-and-play PIPEDA compliance solution that can automate all data privacy requirements for your website.

Cookiebot CMP offers full and automated compliance with not only Canada’s PIPEDA, but the EU’s GDPR, the UK’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA, Singapore’s PDPA and many others.

Learn more about GDPR compliance

FAQ

What is Canada’s PIPEDA?

Canada’s PIPEDA is the federal law governing the gathering, use and disclosure for commercial purposes of the personal information of Canadian residents. Through its 10 PIPEDA Principles, the law lays out requirements and compliance obligations that include informing users of the purposes of data collection, obtaining user consent before collecting personal information and ways to safeguard and secure collected user data.

Try Cookiebot CMP for free today for PIPEDA compliance

Who does Canada’s PIPEDA apply to?

Canada’s PIPEDA applies to any website or company anywhere in the world that handles personal information from Canadian residents for commercial purposes. This means that if your website has users from Canada, you’re liable for PIPEDA compliance.

Scan your website with Cookiebot CMP to see if you process data from Canada

What is personal information under PIPEDA?

Canada’s PIPEDA defines personal information broadly as any kind of data that can identify an individual. This includes common personal information collected by most websites through cookies and trackers, such as IP addresses, unique IDs, search and browser history.

Scan your website to see what cookies and trackers are in use

What does PIPEDA compliance entail?

You must inform users in detail of your website’s personal information processing, including the purposes for collection and use. This can be done in your website’s privacy policy. You must also obtain meaningful consent from users before processing any of their personal information. Meaningful consent can be implied, unless the personal information is of a sensitive nature, in which case you must obtain explicit consent from your website’s visitors.

Become PIPEDA compliant with Cookiebot CMP

Resources

Try Cookiebot CMP free for 14 days – or forever if you have a small website

PIPEDA in brief by the Canadian Privacy Commissioner (OPC)

Office of the Privacy Commissioner of Canada (OPC)

PIPEDA Principles overview by the Privacy Commissioner (OPC)

New proposed law, CPPA, to repeal and replace PIPEDA

Canada’s Digital Charter

Federal privacy reform in Canada: The Consumer Privacy Protection Act (CPPA), IAPP

IAB Canada’s Draft Transparency & Consent Framework (open for public comments till March 20, 2021)
