Perusing the daily news could give anyone the idea that only the big players like Google and Facebook and the likes of Bell and Air Canada have to bother with privacy laws.

But thinking that way could be a serious mistake, because any business, small or large, has privacy obligations that it ignores at the risk of considerable liability, either by way of fines or lawsuits, possibly of the class action variety. And if the Liberal government’s proposed introduction of a Digital Charter is any indication, it appears that privacy protection will become even more stringent with the imposition of heftier fines and broader penalties.

So just what are your obligations?

Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies to the collection and handling of personal information in the course of any business activity.

To begin with, your business must have a privacy policy and must designate at least one individual who can explain, on demand, how the privacy policy conforms to PIPEDA.

Your privacy policy should:

  • identify the reason for the collection of personal information
  • explain how you will use the information
  • tell your users and customers how you will update them when your policy changes
  • inform them of just how long you will hang on to the information
  • be readily available to your users and customers

You will also need to implement procedures that demonstrate you have obtained meaningful consent for the collection of personal information. Whether the consent you have collected is considered “meaningful” will depend on whom you are collecting the information from. Special consideration should be given, for example, if information is being collected from youth. Bear in mind, however, that you cannot require anyone to consent to the collection of information beyond what is necessary to provide your goods and services.

If you do obtain consent to sell or share personal information with third parties, you must ensure that the third parties provide a standard of protection that is equivalent to the safeguards found in your own privacy policy. At times, you may also be obligated to monitor the use of information you have provided to such third parties.

If you represent an organization that collects personal information from your consumers or users, contact a Blaney McMurtry lawyer to help prepare a compliant privacy policy. As well, if you are an organization looking to buy or sell a business that handles personal information, contact a Blaney McMurtry lawyer to ensure compliance with your obligations under PIPEDA.

Dena Givari is a member of Blaney McMurtry’s corporate/commercial and privacy practice groups. Dena’s practice focuses on advising a wide variety of businesses, corporations, partnerships or joint ventures and their owners/operators in corporate and commercial law, blockchain and privacy matters. Dena is frequently called upon to manage Share/Asset Purchase and Sales transactions, negotiate complex business contracts and agreements, effect tax-driven corporate reorganizations, and advise on shareholder disputes. Dena advises a growing number of public and private companies with respect to establishing and growing their Canadian business operations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.