Privacy & Data Protection

On January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force across Canada governing all commercial transactions in the country except intra-provincial commercial activities of organizations in a province where the province has enacted substantially similar legislation to the Federal Act. On June 18, 2015, the Digital Privacy Act became law, amending PIPEDA to include a business transaction exemption, mandatory breach notification requirements, enhanced powers for the Privacy Commissioner, and various other updates. The breach notification regulations come into force November 1, 2018.

Like the privacy provisions in Section J of the CMA Code of Ethics and Standards of Practice, the federal law addresses major themes – the collection, use and disclosure of personal information – and is structured according to these basic principles.

Many other jurisdictions around the world have enacted privacy legislation. It's incumbent upon an organiztion to familiarize themselves with the laws of any country where they conduct their business. Most recently, the European Union has passed a new law, entitled the General Data Protection Directive (GDPR). When it goes into force in May 2018, the GDPR will impact not only EU-based organizations, but many others from around the world (including Canada). Organizations found to be non-compliant could run the risk of heavy fines of up to 4% of their global revenue.

Latest News

PIPEDA & Compliance

In 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force across Canada. PIPEDA governs all commercial transactions in the country except intra-provincial commercial activities of organizations in a province where the province has enacted substantially similar legislation to the Federal Act. Amendments to PIPEDA were introduced in 2015 by the Digital Privacy Act.

As of November 1, 2018, organizations across Canada subject to the PIPEDA will be required to provide notice of certain privacy breaches.

EU Privacy Law (GDPR)

The General Data Protection Regulation (GDPR) is a regulation by which the European Union (EU) intends to strengthen and unify data protection for all individuals within the EU It also addresses the export of personal data outside the EU. This regulation comes into effect in 2018 and will have an impact on many businesses around the world.

Technology & Law: Internet of Things (Connected Devices,
Autonomous Vehicles), Blockchain, Artifical Intelligence, etc.

The future is here! The Internet of Things and Connected devices, including smartphones, tablets, connected TVs, appliances and many more, have arrived. Connected machines and objects in factories offer the potential for a 'fourth industrial revolution', and experts predict more than half of new businesses will run on the IoT by 2020.

CMA Privacy & Data Advisory Committee Projects

Canadians want user-friendly information about privacy policies

Jan. 25, 2018: In a study commissioned and guided by the Canadian Marketing Association (CMA)’s Privacy and Data Advisory Committee, it was found that consumers want to read privacy policies, but they have to be user-friendly. The survey identified that while most Canadians say they read parts of privacy policies, one quarter admit they don’t read policies at all, mainly because they find privacy policies are too long and difficult to understand.

Read More
Media Release
Additional Information & Analysis
CMA Blog & Analysis
Report & Finding

Federal & Provincial Government Institutions

Regulatory Information, Guidelines & Other Useful Information

International Links