Any business that handles personal information from Canadian residents needs to make sure that it maintains a Privacy Policy that complies with Canadian data protection laws.
This article will cover the Canadian privacy laws that companies that do business with Canadian citizens need to be aware of, as well as how to write, display, and get agreement to your Privacy Policy so that it complies with Canadian privacy legislation.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option, the App option, or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Why is a Privacy Policy Required in Canada?
- 1.1. What is Personal Information?
- 1.2. The Personal Information Protection and Electronic Documents Act (PIPEDA)
- 1.3. Protection of Personal Information Principles
- 1.3.1. 1. Accountability
- 1.3.2. 2. Identifying Purposes
- 1.3.3. 3. Getting Consent
- 1.3.4. 4. Limiting Collection of Information
- 1.3.5. 5. Limiting Use, Disclosure, and Retention of Information
- 1.3.6. 6. Accuracy
- 1.3.7. 7. Safeguards
- 1.3.8. 8. Openness
- 1.3.9. 9. Individual Access
- 1.3.10. 10. Challenging Compliance
- 2. The Personal Information Protection Act (PIPA)
- 3. The Freedom of Information and Protection of Privacy Act (FIPPA)
- 4. Quebec's Privacy Act
- 5. How to Write a Canada-compliant Privacy Policy
- 5.1. Your Contact Information
- 5.2. What Types of Information You Collect, and How
- 5.3. What You Do With the Information You Collect
- 5.4. Security Measures
- 5.5. How Users Can Access Their Information
- 5.6. Who You Share Information With
- 6. How to Display a Canadian Law-Compliant Privacy Policy
- 6.1. Website Footer
- 6.2. Checkout Page
- 6.3. Account Login Page
- 6.4. App Listing/Download Page
- 7. How to Get Agreement to a Canadian Privacy Policy
- 8. Summary
Why is a Privacy Policy Required in Canada?
Companies that collect, use, or disclose personal information from Canadian citizens are required to maintain a Privacy Policy on their websites and apps in order to comply with Canadian privacy laws.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's primary federal privacy law designed to protect Canadian residents' personal data.
Businesses that deal with Canadian residents' personal information should also be aware of other Canadian provincial privacy laws that may apply to them, such as Alberta's Personal Information Protection Act (PIPA), British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA), and Quebec's Privacy Act.
Failure to comply with Canadian privacy laws can result in fines of up to $100,000 per violation.
What is Personal Information?
Personal information is any information that can be used on its own or in combination with other information to identify an individual. Personal information includes individuals' names, ages, ID numbers, ethnicity, and health and financial information.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to most private-sector, for-profit businesses in Canada that handle Canadian residents' personal information, as well as federally regulated organizations that do business within Canada, such as airlines, banks, and telecommunications companies.
Businesses from countries outside of Canada that collect personal information from or sell goods and services to Canadian residents are also legally obligated to comply with PIPEDA.
PIPEDA requires that applicable businesses maintain a Privacy Policy that contains specific clauses, and restricts the collection, use, and sharing of users' personal information to that which is absolutely necessary for a company to do business.
Protection of Personal Information Principles
There are 10 principles that businesses need to follow in order to comply with PIPEDA.
1. Accountability
This principle requires that businesses designate an individual to be held accountable for the organization's privacy practices. It also requires businesses to protect the personal information that they collect and use, and have a process in place for receiving and responding to consumers' questions and concerns.
2. Identifying Purposes
This principle requires a business to inform its consumers why it is collecting their personal information, either before or at the time that it collects the information.
3. Getting Consent
Except under certain medical, legal, or security circumstances, businesses must get consent from consumers before collecting their personal information.
A business must take steps to ensure that consumers are aware of and agree to the purposes for which it is collecting their personal information. Businesses must also allow consumers to withdraw their consent at any time, and should let them know the consequences of removing consent.
4. Limiting Collection of Information
Businesses need to let consumers know what types of personal information they collect and for what purposes, and only collect information for those purposes.
5. Limiting Use, Disclosure, and Retention of Information
This principle requires businesses to use personal information only for the purposes for which it was collected, unless they get consent to use the data for other purposes, or are legally required to share the information.
It also requires businesses to keep the information they collect only as long as it is needed to fulfill its purposes. Once a business is finished using personal information, it must destroy or anonymize the data.
6. Accuracy
Businesses must make sure that the personal information they collect is accurate and up to date.
7. Safeguards
Businesses need to keep the personal information they collect safe, and take special care with sensitive personal information. Physical, technical, and organizational security measures should be used to keep collected data secure.
8. Openness
This principle requires businesses to make the following information available to and easily accessible by their consumers:
- The name and address of the individual who is accountable for the personal information the business collects
- How consumers can access their personal information
- What kind of information the business collects and what it is used for
- A copy of any information about the business's policies, standards, or codes
- What information the business shares with its subsidiaries
9. Individual Access
This principle allows consumers to request information about whether a business holds their personal information. Businesses must also allow consumers to access and modify their personal information.
10. Challenging Compliance
Businesses must have processes in place for consumers to request information about or file complaints pertaining to their personal information.
The Personal Information Protection Act (PIPA)
The Personal Information Protection Act (PIPA) is Alberta's privacy law, and applies to for-profit businesses that are provincially regulated, as well as some non-profit organizations.
PIPA was created to protect individuals' personal information, and provide them with access to their personal information. It limits the types and amount of personal information that businesses can collect from consumers, as well as data collection methods.
PIPA also requires businesses to only use or disclose the personal information they collect for "reasonable purposes."
Part 4 of the official text of PIPA explains that a business must let individuals know that it is collecting their personal information either before or at the time of collection, and describes the personal information collection limits the business must abide by:
To comply with PIPA, organizations must get consumers' consent before collecting their personal information, and can only collect personal information essential to doing business.
The Freedom of Information and Protection of Privacy Act (FIPPA)
The Freedom of Information and Protection of Privacy Act (FIPPA) is British Columbia's privacy law, which governs how public bodies treat personal information, and gives individuals the right to access and change their personal information. FIPPA does not apply to private-sector organizations.
FIPPA requires that public bodies (such as provincial agencies, boards, municipalities, and colleges) protect the personal information they collect, and follow rules around how they collect, use, and disclose personal information.
Quebec's Privacy Act
Quebec's Privacy Act is designed to protect individuals' personal information. It requires private-sector organizations to keep the personal information they collect confidential, and only share the information with third parties under specific circumstances.
The act also requires businesses to give individuals access to their personal information.
The table of contents of the Privacy Act includes sections on protecting and collecting personal information, as well as keeping personal information confidential and granting individuals access to their personal information.
One of the best ways to ensure compliance with Canadian privacy laws is to maintain a clearly written and up-to-date Privacy Policy on your website and apps that covers Canada's federal privacy legislation requirements.
How to Write a Canada-compliant Privacy Policy
To ensure that your Privacy Policy complies with Canada's privacy legislation, you should make sure that it includes specific clauses relating to PIPEDA's 10 protection of personal information principles, and the following information:
Your Contact Information
Displaying your contact information in your Privacy Policy can help you to comply with PIPEDA's Accountability, Openness, Individual Access, Challenging Compliance, and Consent principles.
Alimentation Couche-Tard's Privacy Policy includes a clause that contains the address of its appointed Privacy Officer, a telephone number, and a link to its Individual Rights Request Form:
What Types of Information You Collect, and How
You should include a clause in your Privacy Policy that lets consumers know what kinds of personal information you collect, and how you may collect it. Informing consumers about the types of information you collect can help you to comply with PIPEDA's Limiting Use, Disclosure, and Retention and Consent principles.
George Weston Limited's Privacy Policy outlines the types of personal information it collects and the ways in which it collects it, both directly from users and indirectly, through the use of cookies:
What You Do With the Information You Collect
It's important to inform consumers about how you use the personal information you collect. Notifying consumers about what you do with their personal information is required by PIPEDA's Identifying Purposes and Limiting Use, Disclosure, and Retention principles.
The Royal Bank of Canada's Privacy Principles includes a How We Use Your Information clause that details the purposes for which it collects personal information:
Security Measures
Your Privacy Policy should inform consumers of the physical, technical, and organizational measures your business undertakes in order to keep the personal information it collects safe.
Letting consumers know how you keep their data secure helps you to comply with PIPEDA's Safeguards principle.
The Protecting Your Personal Information clause in Enbridge's Privacy Policy goes over the steps it takes to keep the personal information it collects safe, including only collecting information necessary for doing business, making sure only authorized staff have access to the information it collects, and requiring that any third parties it shares personal information with meet its security standards:
How Users Can Access Their Information
Your business needs to have a process in place that allows consumers to access and edit their personal information on request, as required by PIPEDA's Openness and Accuracy principles.
The Power Corporation of Canada's Privacy Policy contains a Your Rights clause that informs consumers how they can make requests pertaining to their personal information:
Who You Share Information With
Letting consumers know what third parties you share their personal information with helps you to comply with PIPEDA's Openness principle.
Brookfield's Privacy Policy lets consumers know the circumstances in which it shares the personal information it collects:
Another aspect of legal compliance is making your Privacy Policy easily accessible and visible to the public. The next chapter will look at this topic.
How to Display a Canadian Law-Compliant Privacy Policy
Once your Privacy Policy is written, it's important to make it easily accessible. Some common places to put a link to your Privacy Policy include in your website footer, on your ecommerce checkout page, on your account sign-up or login page, and within your app download page.
Website Footer
Putting a link to your Privacy Policy in your website footer is an effective placement strategy, as it enables users to access information about your data handling practices from any page of your website.
Manulife puts a link to its Privacy Policy in its website footer alongside links to other pages of its website:
Checkout Page
If you sell products or services, you should consider putting a link to your Privacy Policy within your checkout page so that users have a chance to access it before making a purchase.
Here's an example of how this could look:
Account Login Page
Putting a link to your Privacy Policy on your account sign-up or login page ensures that users have the opportunity to read it before they create an account with your business or any time they sign in.
McKesson Corporation's customer registration form includes a link to its Privacy Notice, as well as checkboxes that users must tick signifying that they consent to its legal agreements before completing the sign-up process:
App Listing/Download Page
Many businesses put a link to their Privacy Policies on their app download page, giving users the ability to read about their privacy practices before downloading their app.
The Globe and Mail app's App Store Preview features a link to its Privacy Policy in its Information section:
In addition to displaying your Privacy Policy, you should always request that users agree to the terms within it. This helps protect you legally in a number of ways. We'll look at this topic next.
How to Get Agreement to a Canadian Privacy Policy
The best way to make sure that consumers agree to your Privacy Policy is to use an "I Agree" checkbox. Using a checkbox that consumers must click before making a purchase, creating or signing into an account, or using your website or app ensures that they consent to your Privacy Policy before accessing your products or services.
Here's an example of a checkbox on an account registration page that users must tick if they wish to create an account with the company. Ticking the box shows agreement to the Privacy Policy:
Summary
Canadian federal and provincial privacy laws require businesses that handle personal information to have practices in place for protecting the information they collect.
Maintaining a Privacy Policy that is accessible from your website or mobile app is one of the simplest ways to ensure compliance with PIPEDA and other Canadian privacy laws.
In order to write a Privacy Policy that complies with Canadian privacy regulations, you will need to make sure that it contains specific clauses, including:
- What kind of information you collect and how you collect it
- What you do with the information you collect
- How you keep the information you collect safe
- Your contact information
- How individuals can access and change their personal information
- Any third parties you share information with
Common places to display a link to your Privacy Policy include your website footer, checkout page, account login page, and on your app download page.
The best way to get agreement to your Privacy Policy is to use "I Agree" checkboxes on your website and apps.