If your Ontario business collects so much as a customer's email address, Canada's federal privacy law applies to you. The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Ignoring PIPEDA is not a low-risk option — regulators can investigate, and customers can complain to the Privacy Commissioner of Canada.
This guide explains what PIPEDA requires, what "personal information" really means, and the practical steps your business should take right now.
What Is Personal Information Under PIPEDA?
Personal information is broadly defined: any information about an identifiable individual. That includes obvious items like names, addresses, and SINs, but also less obvious ones — purchase history, IP addresses, device identifiers, photos, and even an employee's opinion of a customer if that opinion is linked to the customer's file.
The key test is identifiability. If you can reasonably link a piece of data to a specific person, PIPEDA treats it as personal information.
What PIPEDA Does Not Cover
PIPEDA does not apply to:
- Purely personal or non-commercial activity (someone's personal address book), and non-profits, charities and associations except where they carry on commercial activity
- Government institutions: federal bodies fall under the Privacy Act, and Ontario's provincial and municipal public bodies under FIPPA and MFIPPA
- Employee information in provincially regulated businesses. PIPEDA covers employee data only at federal works, undertakings and businesses (banks, airlines, telecoms, interprovincial carriers). An Ontario retailer's staff files therefore fall outside PIPEDA, and because Ontario has no general private-sector privacy statute of its own, the same safeguards remain good practice rather than a legal requirement. Customer data is in scope either way.
- Commercial activity that stays within Alberta, British Columbia or Quebec, where provincial laws deemed substantially similar apply instead (PIPEDA still governs interprovincial and international flows)
The Ten Fair Information Principles
PIPEDA is structured around ten principles derived from the Canadian Standards Association model code. Every Ontario small business should understand them:
- Accountability — Designate someone (even yourself, in a small shop) responsible for privacy compliance.
- Identifying purposes — Before or at the time of collection, identify why you need the information.
- Consent — Obtain meaningful consent for collection, use, or disclosure.
- Limiting collection — Collect only what you actually need.
- Limiting use, disclosure, and retention — Use information only for the stated purpose; don't keep it longer than necessary.
- Accuracy — Keep personal information accurate, complete, and up to date.
- Safeguards — Protect personal information with security measures appropriate to its sensitivity, combining physical, organizational and technical controls (locked cabinets, access limited to staff who need it, passwords and encryption).
- Openness — Be transparent about your policies and practices.
- Individual access — Let customers access their own information and correct errors.
- Challenging compliance — Have a process to handle privacy complaints.
Consent: The Core of PIPEDA Compliance
Consent is the centrepiece of PIPEDA. The law recognizes two kinds:
Express consent is explicit — a checked box, a signed form, a verbal agreement on a recorded call. Use it for sensitive information (health data, financial details, anything unexpected).
Implied consent may work for routine, obvious purposes — collecting a shipping address to ship an order. But implied consent has limits. If a customer would be surprised to learn you're using their data a certain way, implied consent probably doesn't cover it.
Key Consent Rules
- Consent must be informed: explain what you're collecting, why, and who sees it.
- Consent must be voluntary: you generally cannot withhold a product or service as a condition of collecting data beyond what's needed to provide it.
- Customers can withdraw consent at any time (subject to legal and contractual constraints), and you must honour that request.
Privacy Breach Reporting: A Hard Deadline
Since 1 November 2018, PIPEDA has required organizations to report "breaches of security safeguards" that create a real risk of significant harm to individuals. Whether the risk is real depends on the sensitivity of the information and the probability it will be misused. The obligations are:
- Report to the Privacy Commissioner as soon as feasible after you determine a reportable breach has occurred.
- Notify affected individuals as soon as feasible, and notify any other organization or government institution that may be able to reduce the harm (for example, the bank or payment processor whose card data was exposed).
- Keep records of every breach, including ones you decide are not reportable, for at least 24 months after you determine the breach occurred, and provide them to the Commissioner on request.
"Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, and damage to a credit record or to property. A leaked customer list with names, contact details and purchase histories will usually meet that bar. Assess the sensitivity and the likelihood of misuse quickly, and if in doubt treat the breach as reportable and get legal advice fast.
What Your Business Needs to Do Now
Write a Privacy Policy
Your policy must explain what you collect, why, how long you keep it, who you share it with, and how customers can access their data or withdraw consent. Plain language is not optional — PIPEDA requires that people actually understand it.
Review Your Data Map
Know where personal information lives in your business: your CRM, your email list, your payment processor, your cloud storage. You cannot protect what you cannot find.
Audit Your Third-Party Vendors
When you share personal information with a third party (a newsletter platform, an accounting software provider, a courier), you remain accountable under PIPEDA. Use contracts that bind vendors to your privacy standards.
Train Your Team
A staff member who mishandles a customer file is a compliance gap. Brief everyone who touches personal information on your policies.
Have a Breach Response Plan
Write down the steps you will take if you discover a breach — who to call, how to assess harm, when to notify. A plan drafted in advance is far better than one improvised at 2 a.m.
Frequently asked questions
Does PIPEDA apply to my tiny home-based business?
Yes. PIPEDA applies to any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity, regardless of size. Even a sole proprietor with fifty customers has obligations.
Is a privacy policy legally required under PIPEDA?
PIPEDA's "openness" principle requires you to make your privacy policies and practices readily available. In practice, a written privacy policy on your website is the clearest way to satisfy this — and courts and regulators will expect one.
What if a customer asks to see their data?
You must respond within 30 days of receiving the request. PIPEDA allows that period to be extended by up to a further 30 days in limited circumstances, but only if you send the individual written notice of the extension within the first 30 days. You must give the individual access to their personal information, an account of how it has been used, and a list of the third parties to whom it has been disclosed.
Can I be fined for violating PIPEDA?
As of writing, PIPEDA's own penalties are limited. The offences under the Act are knowingly failing to report or record a breach, obstructing the Commissioner, and retaliating against a whistleblower, each carrying a fine of up to $100,000 on indictment. Beyond that, the Commissioner investigates and publishes findings, and the Federal Court can order compliance and award damages. Proposed federal privacy legislation (Bill C-27) would have added administrative monetary penalties and order-making powers, but it lapsed when Parliament was prorogued in early 2025; check whether a successor bill has been introduced. More importantly, Privacy Commissioner findings are public, and reputational harm can be severe.