Feb 2025

Canada

Law Over Borders Comparative Guide: Data Protection

Introduction

In Canada, jurisdiction over privacy and data protection is divided between the federal government and the provinces and territories. As a result, Canada has a number of general privacy laws and a number of health privacy laws. Many of these laws were drafted to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act, so there is a high degree of consistency across these statutes.


1. What national laws regulate the collection, use and disclosure of personal data?

Since 2001, the collection, use and disclosure of personal information in the course of commercial activities in Canada has been governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Three provinces have elected to implement general privacy laws that regulate the private sector in those specific provinces, and which have been declared to be “substantially similar” to PIPEDA: British Columbia’s Personal Information Protection Act; Alberta’s Personal Information Protection Act; and Quebec’s Act respecting the protection of personal information in the private sector. The federal statute applies to all federally regulated businesses (including employee personal information) and to the handling of personal information in the course of commercial activity, except where a provincial statute applies. 

Each jurisdiction (federal, provincial and territorial) has laws that protect personal information that is collected by governments and the broader public sector, including public education. 

A number of provinces have implemented health privacy laws to regulate the collection and use of personal health information in connection with the management and delivery of healthcare services.


2. To whom do the laws apply?

PIPEDA is grounded in the federal jurisdiction over trade and commerce, so it applies broadly to organizations that collect, use or disclose personal information in the course of commercial activities. Such organizations are responsible for personal information under their control, and remain responsible for it when it is transferred to a third party for processing. 

The three provincial private sector privacy laws will apply to organizations that collect, use or disclose personal information within those provinces. 

Canadian privacy laws generally do not apply directly to organizations that are processing personal information on behalf of others. The original custodian of the information remains entirely responsible for the handling of the data, including handling by their service provider, and is required to have a contract with the service provider respecting data protection. 

Canadian privacy laws do not apply to the collection, use or disclosure of personal information that is carried out exclusively for journalistic, literary or artistic purposes. 


3. What is the territorial scope of the law?

Canada’s federal privacy law will apply to the collection, use and disclosure of personal information in the course of commercial activities, where there is a “real and substantial connection” to Canada (unless a designated provincial privacy law applies to the activity). Similarly, Alberta, British Columbia and Quebec privacy laws will apply where there is a “real and substantial connection” between the activity and the particular province. Regulators and the courts will generally assume that a “real and substantial connection” exists where the data subject resides within their jurisdiction or the organization is domiciled in that jurisdiction. The federal regulator has also taken the view that PIPEDA will apply in all cases where personal information is transferred into Canada, or is transferred across provincial borders. 


4. What acts and operations relating to personal data are regulated?

Canadian privacy laws generally regulate the “collection, use and disclosure” of personal information. These laws apply to the full lifecycle of personal information that is under an organization’s control, including its disposal. Personal information that an organization transfers to a third party for processing on its behalf is still deemed to be under the control of the original organization. 


5. What personal data does the law regulate?

Canadian privacy laws apply to “personal information,” which is simply defined as “information about an identifiable individual.” If the information directly or indirectly identifies an individual, it will be considered personal information. Information that is anonymous, meaning that there is no reasonable likelihood that an individual could be identified from the information, is not “personal information” and is outside the scope of regulation. De-identified information (where there is still a possibility of re-identification) is treated as personal information. 

Canadian privacy laws also generally exclude, either from the definition of personal information or elsewhere in the statute, “business contact information” when it is exclusively used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession. Business contact information would include the individual’s name, position name or title, work address, work telephone number, work fax number or work email address. There is also a similar exclusion for “work product,” being information prepared by an individual as a part of their employment or business functions. Work product would not be personal information of the author, but it may contain personal information related to others.

The federal privacy law only applies to employee personal information if the organization is a “federal work, undertaking or business.” The British Columbia, Alberta and Quebec statutes do apply to employee personal information in those provinces.


6. Are any types of personal data subject to a higher level of protection under the law?

Canadian privacy laws require a higher level of consent for the collection, use and disclosure of personal information that is “sensitive,” and a higher level of protection. Sensitive personal information is not defined in Canadian privacy statutes, but is generally recognized to be a continuum including information of a more intimate, private nature or where the misuse of the information could result in harm to the individual. The scope of possible harm is broad and includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Examples of information that would be considered sensitive in Canadian privacy law include:

  • race, ethnicity, sex, gender, sexual orientation, and sex life; 
  • medical, financial or employment data; 
  • identification numbers and financial account numbers;
  • biometric data and genetic data;
  • religious or philosophical beliefs; 
  • geolocation data; and
  • children’s data. 

7. What requirements must be fulfilled in order to process personal data?

Consent. Businesses, under Canadian privacy laws, generally must obtain knowledgeable, informed consent from the individual concerned in order to collect, use or disclose their personal information. There are exceptions to the consent rule (described below), but they are narrow and do not cover most routine processing of personal information. 

Valid consent. The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. At the time of collection of personal information, or before, the organization must make clear to the individual all of the purposes for which they are proposing to use the information in question. In the province of Quebec, individuals also must be informed of the means by which the information is collected, the individual’s rights of access and rectification, and their right to withdraw consent. If the information will be communicated outside of Quebec, the individual must be notified of the possibility. Also, in Quebec, consent must be “unbundled” from other agreements and terms. 

The form of consent that is used must be appropriate to the sensitivity of the personal information in question. The more sensitive the information, the higher the burden is to explain the purposes to the individual and to give the individual a clear choice of whether to agree to those purposes. Opt-out consent or implied consent is generally not appropriate where the information may be sensitive.

Consent may be implied by an individual’s actions, provided it is reasonable to expect in the circumstances that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information.

There is not a specific obligation to document consent, but the onus will be on the organization to prove that they obtained adequate consent in any particular circumstances. 

Exceptions to consent. In certain limited circumstances, an organization can collect, use or disclose personal information without the knowledge and consent of the individual, such as:

  • when clearly in the interests of the individual and consent cannot be obtained in a timely way;
  • for certain investigations; 
  • where required by law;
  • acting in respect of an emergency that threatens the life, health or security of an individual; and
  • disclosures to legal counsel, collecting a debt and reporting a crime.

8. What obligations apply when processing personal data?

Accountability. An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with its privacy obligations. This is generally referred to as a privacy officer. In Quebec, if a privacy officer is not named, the obligations fall on the Chief Executive Officer. 

Documenting purposes. Businesses need to document the purposes for which they propose to collect, use or disclose personal information. All such purposes must be what a reasonable person would consider appropriate in the circumstances.

Limitations. Businesses can only collect personal information that is reasonably necessary for the purposes they have identified and for which consent was obtained, and can only use it for those purposes. Personal information can only be retained for as long as is reasonably necessary for those purposes, although information that has been used to make a decision affecting an individual should be retained long enough to give them a meaningful opportunity to request access to the information and challenge the decision.

Safeguarding. Businesses must implement reasonable safeguards that are appropriate to the sensitivity of the personal information, including protections against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held, and the safeguards are expected to combine physical measures, organizational measures and technological measures. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. 

Breaches of security safeguards. Canadian privacy laws, other than those in British Columbia, require reporting to the Privacy Commissioner and notice to affected individuals where there is a breach of security safeguards that could reasonably be expected to cause a real risk of significant harm to the individual. Whether there is a real risk of significant harm is assessed in light of all of the circumstances of the incident, and the nature and sensitivity of the personal information at issue. The forms and contents of such notices and reports are prescribed in regulations. There is also an obligation to document all breaches of security safeguards and to retain such records for two years.

Transparency. In addition to the obligation to provide notice of purposes to the individual when seeking consent, organizations must make available to the public information about their personal information management practices. This information shall be made available in a form that is generally understandable. The information made available must include: (a) the name or title and contact information for the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded; (b) the means of gaining access to personal information held by the organization; (c) a description of the type of personal information held by the organization, including a general account of its use; and (d) what personal information is made available to related organizations (such as subsidiaries or affiliates). For Alberta, this notice must include information about whether the data will be transferred outside of Canada, and for Quebec, notice about whether the data will be transferred outside of the province. 

Accuracy. Personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used. The extent to which personal information shall be accurate, complete, and up to date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up to date to minimize the possibility that inappropriate information may be used to make a decision about the individual. An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

Privacy Impact Assessment. Where the Quebec law applies, businesses must conduct a privacy impact assessment for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. Businesses must also ensure that the project allows computerized personal information collected from the person concerned to be communicated to them in a structured, commonly used technological format. 

The conduct of a privacy impact assessment must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored. Also under Quebec’s law, before communicating personal information outside Quebec, a privacy impact assessment must be carried out, taking into account: (1) the sensitivity of the information; (2) the purposes for which it is to be used; (3) the protection measures, including those that are contractual, that would apply to it; and (4) the legal framework applicable in the jurisdiction in which the information would be communicated, including the personal information protection principles applicable in that jurisdiction. The information may be communicated if the assessment establishes that it would receive “adequate protection,” in particular in light of generally recognized principles regarding the protection of personal information. The communication of the information must be the subject of a written agreement that takes into account, in particular, the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.


9. What rights does the data subject have in relation to personal data?

Information about the purposes for which personal information is collected. At the time of collection of personal information, or before, the organization must make clear to the individual all of the purposes for which they are proposing to use the information in question. In the province of Quebec, individuals also must be informed of the means by which the information is collected, the individual’s rights of access and rectification, and the right to withdraw consent. If the information will be communicated outside of Quebec, the individual must be notified of the possibility. 

Transparency. Individuals have a right to information about an organization’s personal information management practices, as described above in the portion of the response to Question 8 entitled “Transparency.”

Consent revocation or withdrawal. An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal. Such a withdrawal will not have retrospective effect.

Individual access. Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. The individual should be informed of the origin of the information and be given an account of any third parties to whom the information has been disclosed. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.


10. What rules regulate the sending of commercial or direct marketing communications?

Direct mail. Sending marketing communications via regular mail (post) is not regulated in Canada, provided the content of such communications is lawful. 

Electronic marketing. Sending marketing communications by use of “commercial electronic messages” (email and SMS) is heavily regulated in Canada pursuant to “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (commonly referred to as “Canada’s Anti-Spam Law” (CASL)). 

In connection with any commercial activity, it is prohibited to send a commercial electronic message to a recipient unless there is consent to send the message or an exception to the consent rule applies. Any electronic message that has a marketing or promotional purpose is considered a “commercial electronic message,” but a factual message relating to a pre-existing commercial relationship or activity that provides additional information or clarification, or completes a transaction already underway, is not. For example, a confirmation email sent to a customer regarding their account is not a commercial electronic message.

Consent to receive commercial electronic messages can be given expressly or may be implied in certain circumstances, such as where there is an existing business relationship of the types set out in the act. 

At the time express consent is sought, the business must provide the consumer with certain prescribed information. In addition, commercial electronic messages must include prescribed information identifying the sender and including a readily performed unsubscribe mechanism. Every unsubscribe must be implemented without delay, within a maximum of 10 business days. 

CASL contemplates significant penalties: administrative monetary penalties of up to CAD 1 million for an individual and CAD 10 million for a corporation. There is also a risk of liability for officers and directors. 

Telephone marketing. Telephone marketing in Canada is regulated pursuant to the “Unsolicited Telecommunications Rules,” which include the “National Do Not Call Rules” and the “Telemarketing Rules,” overseen by the telecommunications regulator. Companies that engage in telemarketing to consumers are required to register and to subscribe to the “National Do Not Call List.” Telemarketing companies are prohibited from placing telemarketing calls to consumers whose numbers are on this “do not call list.” Companies must also maintain their own internal “do not call list” and give effect to a consumer’s request to not be contacted by the company again for telemarketing purposes for at least three years. The Telemarketing Rules prescribe mandatory information to be provided during telemarketing calls, and limit when and how such calls can be made.

The maximum penalty for a violation of the Unsolicited Telecommunications Rules is CAD 1,500 in the case of an individual and CAD 15,000 in the case of a corporation. A violation that continues for more than one day constitutes a separate violation for each day during which it continues.


11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

Privacy laws in Canada do not prevent the transfer of personal information outside of Canada, but all organizations need to ensure adequate protection wherever the data is stored or processed. The original organization remains responsible for privacy law compliance regardless of the location of the data, and is expected to enter into an agreement with the transferee to ensure this compliance. 

For information related to residents of the province of Quebec, the organization must first carry out a privacy impact assessment to ensure that it receives “adequate protection” before communicating personal information outside of the province. This privacy impact assessment must take into account: (1) the sensitivity of the information; (2) the purposes for which it is to be used; (3) the protection measures, including those that are contractual, that would apply to it; and (4) the legal framework applicable in the state in which the information would be communicated, including the personal information protection principles applicable in that state.


12. What are the investigatory and enforcement powers of the regulator?

Canadian privacy regulators have broad powers they can exercise in the course of an investigation, including powers to: 

  • summon and enforce the appearance of persons to give testimony; 
  • compel oral and written evidence under oath;
  • compel the production of records; 
  • receive any evidence regardless of whether it is or would be admissible in a court of law;
  • at any reasonable time, enter any premises, other than a dwelling-house, occupied by an organization; 
  • converse in private with any person in any premises entered and otherwise carry out in those premises any inquiries that the Commissioner sees fit; and
  • examine or obtain copies of or extracts from records found in any premises entered that contain any matter relevant to the investigation.

The Privacy Commissioners of Canada and British Columbia are empowered to carry out audits of organizations if there are reasonable grounds to believe the organization is not complying with the relevant act. In connection with such audits, they have the same powers as can be exercised in connection with an investigation.

The Privacy Commissioner of Canada is an ombudsperson, meaning that the office has limited enforcement power. At the conclusion of an investigation, the Commissioner is required to issue a report of findings to the parties. Upon receipt of the report of findings, the complainant may commence an application in the Federal Court of Canada. The Commissioner may also initiate an application to the court, with the consent of the complainant. The court is given broad remedial powers, including the power to: (a) order an organization to correct its practices in order to comply with its obligations; (b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices; and (c) award damages to the complainant, including damages for any humiliation that the complainant has suffered. While the court may order punitive damages, it is not able to impose penalties such as fines. 


13. What are the sanctions and remedies for non-compliance with data protection laws?

The federal act, PIPEDA, does not provide for penalties or sanctions for general non-compliance, although there are some specific offenses that can result in fines of up to CAD 100,000. These include: (a) failing to retain personal information that has been the subject of an access request until the individual is able to exhaust their recourse rights under the Act; (b) failure to report a breach of security safeguards that creates a real risk of significant harm to an individual; (c) failure to keep records of breaches of security safeguards; (d) breach of employee protections against reprisals; and (e) obstructing a Commissioner’s investigation or audit.

Both Alberta’s and British Columbia’s acts create a range of offenses with penalties of up to CAD 100,000. These include: (a) using deception or coercion to collect personal information in contravention of the act; (b) disposing of personal information with an intent to evade a request for access to the personal information; (c) obstructing the commissioner or an authorized delegate of the commissioner in the performance of his or her duties or powers under the act; (d) knowingly making a false statement to the commissioner, or knowingly misleading or attempting to mislead the commissioner, in the course of the commissioner’s performance of his or her duties or powers under the act; (e) breach of employee protections against reprisals; and (f) failing to comply with an order made by the commissioner under the act. The Alberta statute also makes it an offense to (a) collect, use or disclose personal information in contravention of Part 2 of the act, or (b) gain or attempt to gain access to personal information in contravention of the act.

The Privacy Commissioner of Canada cannot issue orders against organizations, but the privacy regulators of British Columbia, Alberta and Quebec do have order-making powers. 

The Quebec Act has been amended to provide significant increases to monetary penalties, with the administrative monetary penalty regime in force from September 2023. A failure to comply with the Quebec Act’s requirements for the collection, storage, communication or use of personal information may result in an administrative monetary penalty of up to CAD 50,000 in the case of a natural person and, in all other cases, the greater of CAD 10 million or the amount corresponding to 2% of worldwide turnover for the preceding fiscal year. Prosecution for penal offences under the Act carries higher maximum fines, up to the greater of CAD 25 million or 4% of worldwide turnover for the preceding fiscal year.

As mentioned above, organizations that fail to comply with certain direct marketing provisions of CASL may be subject to administrative monetary penalties of up to CAD 10 million.
