The Personal Information Protection and Electronic Documents Act (PIPEDA) can apply to not-for-profits.1 PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activities.2 While commercial activities may seem to be a blanket statement indicating that PIPEDA  applies only to for-profit corporations, the relevant authorities suggest otherwise.

Commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership or other fundraising lists. This definition in itself implies that PIPEDA may apply to not-for-profits.

The case law also indicates that commercial activity can be defined in many ways and applies to not-for-profits. It specifies:

  • “Whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity.”4
  • “[N]on-profit or charitable organizations that engage in limited commercial activities that are ancillary to their primary functions would nevertheless be subject to [PIPEDA] to the extent that those commercial transactions involve the collection, use or disclosure of personal information.”5
  • “The primary characterization of the activity or conduct in issue is thus the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA.”6

The above is only a sample of the many cases defining commercial activity. Given the lack of a concrete definition, not-for-profits should seek legal advice as to whether any of their activities could be considered commercial activities. If their activities are characterized as commercial activities, they should retain an Information Technology firm that specializes in ensuring organizations are compliant with the relevant privacy laws and authorities.

If you suspect a privacy breach occurred in your organization, it is important to seek advice as soon as possible. The fines for not correctly reporting a privacy breach are very significant being up to $100,000.7


1 Personal Information Protection and Electronic Documents Act (2000, c. 5) [PIPEDA].

2 Ibid  at s. 4(1).

3 Ibid  at s. 2(1).

4 Rodgers v. Calvert, 2004 ON SC (CanLII) at para. 50.

5 Canadian Skin Cancer Foundation, Re 2008 CarswellAlta 2569 at para. 39.

6 State Farm Mutual Automobile Insurance Co v Canada (Privacy Commissioner), 2010 FC 736 at para 106.

7 PIPEDA  at s. 28.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.