In 2000, Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), its federal private-sector data protection law, to protect individuals' personal information. Since it was passed into law it has been phased in to cover most private-sector commercial activity. This means that if you want to continue doing business in Canada you need to know the PIPEDA rules that apply to U.S. companies.
In this article, you will find information on PIPEDA’s ten principles and the rules that apply to your company. You’ll also find tips on how to implement the practices in your organization.
Do PIPEDA Rules Apply to Your Company?
PIPEDA applies to organizations that collect, use, or disclose personal information in the course of commercial activity, with a few exceptions. Non-profit organizations, political parties, schools, and hospitals are generally outside it when their activities are not commercial. If such an organization sells, leases, or trades a membership or donor list, that is a commercial activity and PIPEDA applies to it.
The easiest way to determine whether Canada's information protection act applies to you is to look at how the company handles consumer data. If your company collects, uses, stores, or discloses personally identifiable information (PII) about people in Canada and your business has a real and substantial connection to Canada, the law applies to you, whether or not you have an office there.
PIPEDA also applies to federally regulated private-sector businesses (federal works, undertakings, and businesses) such as banks, airlines, and telecommunications companies, and for these organizations it covers employee personal information as well as customer data. Federal government departments and agencies are covered by the separate Privacy Act rather than by PIPEDA.
Something else U.S. companies need to be aware of: some provinces (Quebec, British Columbia, and Alberta for the private sector generally, and several provinces for health information) have enacted their own privacy laws that the federal government has declared substantially similar to PIPEDA. Organizations in those provinces follow the provincial law instead of PIPEDA for personal information handled within the province, but PIPEDA still applies to interprovincial and international transfers and to federally regulated businesses. A company operating from the United States does not get this exemption: it must comply with PIPEDA, and it should still check whether a province's own law reaches it separately, particularly Quebec's private-sector privacy law.
PIPEDA Rules That Apply to U.S. Companies
PIPEDA is built on ten fair information principles that every organization it covers, U.S. companies included, must follow. Many of them share a common theme: the organization has to do something (identify a purpose, obtain consent, limit what it asks for) before it collects personal information.
The goal of these rules is to give individuals more control over how their personal information is used.
1. Accountability
Your company is responsible for meeting PIPEDA requirements, and it remains responsible for personal information it hands to a third party for processing, so vendor contracts need to carry the same protections you apply yourself. Since there are several principles included in the law, it can be challenging to keep up with all of the requirements. Designating a specific employee or team to be accountable for these practices (PIPEDA requires that someone be designated) will help ensure that your organization stays in compliance.
Creating a concise privacy policy for all employees to follow will make it easier to implement the necessary changes. It is also recommended that companies new to PIPEDA perform a self-audit, so you know what type of privacy protocols the organization follows and which practices need to be added.
2. Identifying Purposes
PIPEDA states that individuals have the right to know why a company is collecting their information and how the data will be used, and that the purposes must be identified at or before the time of collection. You must be able to:
- Inform individuals of the reason their data is being collected.
- Take steps to prevent the data from being used for other purposes.
- Recognize when a new purpose requires fresh consent before the data is used for it.
PIPEDA applies regardless of company size, and keeping track of everything that is collected and why is hard for any organization that handles personal information at scale. Maintaining a record of why each category of information was gathered will make it easier to stay PIPEDA compliant.
3. Consent
One of the most essential PIPEDA rules U.S. companies need to follow is to obtain the individual's meaningful consent before collecting, using, or disclosing their personal information, except in the narrow situations the Act itself carves out. Consent must be informed: the person has to understand what is being collected and why. Express consent is expected for sensitive information; implied consent may be acceptable where the information is not sensitive and the use is one a reasonable person would expect. Individuals can also withdraw consent, subject to legal or contractual restrictions, and you must tell them what the consequences of withdrawing are.
Violating this rule exposes the company to a complaint to the Office of the Privacy Commissioner, a Federal Court application that can result in an order and damages, and public findings that damage customer trust.
The rule has a second part that is just as important to follow. You cannot make supplying a product or service conditional on the individual consenting to collection, use, or disclosure beyond what is needed to fulfil the explicitly specified, legitimate purposes. Refusing service because someone declined to share data you do not actually need for that service is a direct violation of PIPEDA.
4. Limit Data Collection
It can be tempting to think ahead to future projects where an individual's information might be useful. Under PIPEDA this is not allowed: organizations can only collect information that is necessary for the purposes they identified when obtaining consent, and they must collect it by fair and lawful means.
For example, if you only need the individual's name and email address, do not ask for additional data that won't be necessary. The additional data may make your job easier, but collecting it without a stated purpose the individual has agreed to is a PIPEDA violation.
5. Limit Data Use, Disclosure, and Retention
There should be policies and practices in place that ensure the organization only uses PII for the purposes the individual consented to. The policy should specify how long the data is stored, which should only be until its purpose has ended.
For example, if an individual asks to be removed from an email list, the company must stop using their information for that purpose immediately, and the information should be deleted or anonymized once no identified purpose remains for it. To use it again, the company will need fresh consent.
There is another part to this rule. If the information has been used to make a decision about the individual (for example, an employment decision), it must be retained long enough after the decision for that person to request access to it and check it for accuracy.
6. Accuracy
All information that your organization keeps must be accurate. It should also be as complete as needed for the purpose it is used.
Depending on the amount of data collected, ensuring that all consumer information is up-to-date can be difficult. If the data is inaccurate, the business could be found to be non-compliant with PIPEDA.
Some organizations have found that sending emails to consumers asking them to update their information is helpful. Others routinely ask individuals to check their data for accuracy when they’re paying for their goods or services.
7. Safeguards
An organization that collects, uses, and handles identifiable information must have security safeguards appropriate to the sensitivity of the information to protect it from:
- Loss or theft
- Unauthorized access, disclosure, or use
- Unauthorized copying or modification
The safeguards apply throughout the data's life, including when it is disposed of or destroyed, and the more sensitive the information, the stronger the protection must be. PIPEDA names three kinds of measure: physical (locked cabinets, restricted areas), organizational (security clearances, need-to-know access, staff training), and technological (passwords, encryption).
Typical technological controls are access control and strong authentication, encryption of data in transit and at rest, logging of access to personal information, and secure deletion of data that is no longer needed. Organizations can map these to NIST guidance, such as the NIST Cybersecurity Framework, when building their security program.
8. Openness
Second in importance to gaining consumer consent to collect their data, is being open about your company’s methods. Individuals, under PIPEDA, have the right to know how the information is collected, handled, and stored.
If you do not already publish a privacy policy alongside the consent you collect, add one, or keep a separate policy devoted to explaining these details. Either way it must be readily available to individuals in a form that is generally understandable.
Your privacy policy should include contact information for the person in charge of meeting PIPEDA requirements, along with details on how individuals can request access to their gathered PII.
9. Individual Access
PIPEDA gives individuals the right to be told whether a company holds personal information about them and to access it. Once a written request is made, the organization has 30 days to respond. It may extend that by up to a further 30 days if it notifies the individual in writing within the first 30 days and explains why; a response that does not arrive in time is treated as a refusal. Access must be provided at minimal or no cost to the individual.
Your response will let the individual know whether the company holds their data, what it is, how it has been used, and which third parties it has been disclosed to.
The rule also allows individuals to challenge the accuracy and completeness of their information. Where the challenge is justified, the information must be amended (corrected, deleted, or added to) and, where appropriate, the amended information sent to any third parties that have it. Where a challenge is not resolved to the individual's satisfaction, a note of the unresolved challenge must be kept with the record.
10. Challenging Compliance
A distinctive feature of Canada's Personal Information Protection and Electronic Documents Act is that it gives individuals the right to challenge a company's compliance with any of these principles, and it requires the company to have procedures in place to deal with that challenge.
If an individual believes that an organization is not adhering to the stated rules, they can file a formal complaint with the Office of the Privacy Commissioner (OPC).
To resolve issues before they reach the OPC, companies must have simple, accessible procedures to receive, investigate, and respond to complaints, and must tell complainants about other avenues of recourse, including the OPC. PIPEDA does not set a fixed internal deadline for this, but respond promptly and document what you did.
In your response to the individual, you will need to disclose any steps you have taken to resolve the complaint. If no action was taken, this will need to be explained in your response.
PIPEDA Law If a Data Breach Occurs
In November 2018, mandatory breach provisions came into force under the Personal Information Protection and Electronic Documents Act for all organizations it covers.
An organization must report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information under its control where it is reasonable to believe the breach creates a real risk of significant harm to an individual, and it must notify the affected individuals, in both cases as soon as feasible. It must also notify any other organization or government institution that may be able to reduce the risk of harm, for example a bank whose customers' card numbers were exposed.
The law also requires every organization to keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for 24 months after the organization determined that the breach occurred, and to provide those records to the Commissioner on request. Record what safeguards were in place at the time of the incident and what was changed afterwards; that is what an investigator will ask for.
Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, and damage to or loss of property, and the real-risk assessment weighs the sensitivity of the information against the probability that it will be misused. Knowingly failing to report a breach, notify affected individuals, or keep the required records is an offence carrying a fine of up to CAD$100,000.
Beyond the breach provisions, three further acts are offences under PIPEDA, each also carrying a fine of up to CAD$100,000:
- Destroying, altering, or falsifying personal information after an individual has requested access to it, in an attempt to evade the request.
- Obstructing the Commissioner or a delegate in the investigation of a complaint or an audit: refusing to meet the investigator, destroying, altering, or hiding records, or denying access to the personal information in question.
- Retaliating against an employee who, in good faith, reported a contravention or refused to take part in one. No action, including dismissal, demotion, or discipline, can be taken against that person.
The goal of PIPEDA is to protect personal data, along with any individual that reports a breach or misuse of consumer information.
Conclusion
Canada is proactive when it comes to keeping consumers’ personal information safe, and if international entities want to do business in the country, it would be wise to follow the PIPEDA rules that apply to U.S. companies.
The cybersecurity protocols your company has already implemented will help prevent data breaches. However, you still have to meet the requirements that protect consumers’ rights.
At RSI Security, we are familiar with PIPEDA legislation and what U.S. companies need to do to meet compliance standards. Whether you have a question or need assistance implementing new protocols, our professionals are here to help.
Speak with a PIPEDA compliance expert today – Schedule a Free Consultation