Privacy & Data Protection

Good privacy and data protection practices help lay the foundation for consumer loyalty and trust. On this page, you can find out what marketers need to know to comply with privacy laws and demonstrate best practices to regulators and customers.

Most Canadian organizations are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets the rules for the collection, use and disclosure of personal information by organizations in the course of commercial activities.

Like the privacy provisions in Section J of the Canadian Marketing Code of Ethics & Standards, PIPEDA is based on 10 principles for the protection of personal information.


On January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect across Canada, setting the rules for the collection, use and disclosure of personal information by Canadian organizations in the course of commercial activities.

Organizations are also subject to new Breach of Security Safeguards Regulations that came into effect in November 2018, and new Guidelines for Obtaining Meaningful Consent that came into effect in January 2019.

Does the law apply to you?

PIPEDA applies to most private sector organizations across Canada in the course of commercial activities except in Quebec, British Columbia and Alberta. These provinces have their own private sector laws that are deemed "substantially similar" to PIPEDA. PIPEDA also applies to federally-regulated businesses operating in Canada and their employee information, including in Quebec, British Columbia, and Alberta. In addition, all businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of which province or territory they are based in.

Please note that non-profit status does not automatically exempt an organization from PIPEDA. Non-profit, charitable and membership-based organizations can still be engaged in commercial activity that triggers PIPEDA, such as the selling, bartering, or leasing of donor, membership or other fundraising lists. The court has upheld that PIPEDA has extraterritorial application (to organizations outside of Canada) if there is a 'real and substantial' connection between Canada and the activity undertaken in a foreign jurisdiction.

To find out which Canadian privacy law applies to your organization and its specific activities, see the Office of the Privacy Commissioner of Canada's website. Other privacy laws may apply to your organization instead of or in addition to PIPEDA; for example, if your organization is a federal government institution, it is subject to the Privacy Act.

PIPEDA reform

In June 2015, the Digital Privacy Act became law, amending PIPEDA to include new exemptions for consent, enhanced powers for the Privacy Commissioner, and more.

In May 2019, the Government of Canada initiated an open consultation on a set of reform proposals to modernize PIPEDA, which followed the release of Canada's Digital Charter earlier that year. See the CMA's response here.

In November 2020, a new Bill was introduced in the House of Commons entitled “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts”.

International laws

Many other jurisdictions around the world have enacted privacy legislation. Organizations must familiarize themselves with the laws of any country where they conduct their business. This includes the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA), as outlined below.

The General Data Protection Regulation (GDPR) is a regulation by which the European Union (EU) intends to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. This regulation came into effect in 2018, and applies to Canadian organizations if they:

  • have an establishment or physical presence in the EU, or
  • offer goods or services to EU residents (even at no charge), or
  • intentionally monitor or profile behaviours of individuals in the EU.

There are also implications if you are a third-party processor of EU personal data.

Organizations found to be non-compliant could run the risk of heavy fines of up to 4% of their global revenue.

The California Consumer Privacy Act (CCPA) establishes the rights of California consumers with respect to the collection, use, and disclosure of their personal information. It came into effect in January 2020.

The CCPA applies to Canadian for-profit businesses that collect, use, and disclose the personal information of California consumers, even if the businesses are not physically located in California and have no employees there, and that meet or exceed one of the following criteria:

  • have annual gross revenue of more than $25 million, or
  • buy, receive, sell, or share the personal information of more than 50,000 California consumers, or
  • derive at least 50% of annual revenue from selling California consumers' personal information.

For more information, see Part 1 and Part 2 of the CMA's blog series on what marketers need to know about California's Consumer Privacy Act.

Tags: privacy, cybersecurity, code of ethics, PIPEDA, Breach, GDPR