If you sell products or services online in Canada, you’re not alone. Canada is the ninth largest market for e-commerce, with an expected increase of over 19 per cent in 2023. Many business owners have opened online shops to expand their potential customer bases.
The collection of personal information by businesses is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Quebec, Alberta and British Columbia have private-sector privacy laws that are deemed substantially similar to PIPEDA; in those provinces, the provincial law covers businesses operating within the province.
If your business is federally regulated (banks, airlines and telecommunications carriers, for example), it is governed by PIPEDA wherever it operates. Schools, universities, hospitals and municipalities are typically covered by provincial public-sector privacy laws, though PIPEDA may apply in certain situations.
PIPEDA applies to "private-sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity." It also applies whenever personal information crosses provincial or national borders in the course of commercial activity, so a business in a province with its own law still falls under PIPEDA for data it sends outside that province.
How do businesses collect information?
You probably know how you're deliberately collecting personal information from your website visitors. For instance, you may have a contact form on your website, or a downloadable item that people can access in exchange for their email addresses. Less obvious is what your site collects in the background: web server logs, analytics and advertising cookies, and IP addresses can all be personal information when they can be linked to an individual, so include those sources when you take stock of what you collect.
What is considered personal information?
Personal information protected under PIPEDA includes information like a website visitor’s name, age or date of birth, ID numbers, income, ethnicity, blood type, employee files, credit records, medical records and loan records.
Many people don’t realize it also goes beyond those specifics to protect other private information, such as opinions, evaluations, comments, social status, disciplinary actions, the existence of a dispute between a merchant and consumer, and intentions (such as purchasing goods or services or changing jobs).
Ideally, you protect any data that can be used to directly identify your website visitors and customers, as well as data points that could be used in combination to identify someone.
What types of information are excluded from privacy law?
Some types of information fall outside these privacy laws, either because there's an expectation that they are accessible to the public or because they are used outside of commercial activity.
This would include business contact information, including an employee’s name, title, business address, telephone number and email address — provided it is only collected, used or disclosed for business communication purposes.
It also extends to personal information collected for personal use, such as contact information for a greeting card list and information gathered by an organization for journalistic, artistic or literary purposes. Information collected by not-for-profit organizations and charity groups, political parties and associations — provided they are not engaging in commercial activities — is also excluded.
What about anti-spam legislation?
Canada also has a law to help protect people from unsolicited commercial electronic messages, known as Canada's anti-spam legislation (CASL). It covers email, text messages and messages sent through social media, not only email. CASL was created to cut down on the amount of unsolicited marketing consumers received and to reduce the incidence of identity theft, phishing and the spread of malicious software through email scams.
Your business should adhere to CASL by obtaining consent before sending commercial messages, clearly identifying the sender in every message and including a working unsubscribe mechanism. These practices will help show customers you respect and protect their information by giving them control over how and when you can use their email addresses.
Pro tip: This is a good opportunity to explore what data you’re collecting and consider if you’re comfortable with how it’s being collected, stored and disclosed. If there are gaps, look for solutions to ensure you’re in compliance.
1. Use plain language
Your privacy policy should be easy for any consumer or website visitor to read and understand. Outline what data is being collected and why: the primary purposes, such as processing purchases, but also secondary uses such as marketing.
2. Be transparent about disclosure
This includes naming the types of third-party companies you share data with (payment processors, shipping providers and email marketing platforms are typical examples) and where customer data may be stored. Let customers know if their data may be stored outside Canada, since it is then subject to the laws of that country.
3. Outline how long you’ll keep their information
Keep it only as long as is necessary to fulfil the purposes for which it was collected. If you need to keep it longer for tax or accounting purposes, say so, and once it is no longer needed, securely destroy, erase or anonymize it.
4. Let people know how you safeguard data
Your customers want to know they can trust you to do what you can to protect them against fraud and identity theft. PIPEDA's safeguards principle requires protections appropriate to the sensitivity of the information, combining physical, organizational and technological measures; in practice that means, for example, encrypting data in transit and at rest, limiting access to staff who need it, and keeping a record of breaches. Breaches that pose a real risk of significant harm must be reported to the Privacy Commissioner of Canada and the affected individuals must be notified. Familiarize yourself with e-business security, privacy and legal requirements in Canada.
5. Include your contact information
PIPEDA requires you to designate someone who is accountable for your organization's compliance, and your website visitors and customers should be able to reach that person with their privacy concerns. Identify clearly who they can contact and how to reach them, and provide direct contact information.
6. Empower your customers by getting consent
Online customers should be able to consent to providing information, refuse to provide it, or withdraw their consent later and ask you to remove their data from your systems (subject to any legal or contractual restrictions, which you should explain). They also have the right to access the information you hold about them and to challenge its accuracy.