Canada: Can A Business Charge A Customer To Access Their Personal Information?

Typically, no. It's not recommended. If you do, contact us as soon as possible because you may get into some trouble with the law. Best Practice: give your customer access to their personal information for free unless the request is excessive or repetitive. You must also have this written down on a forward-facing policy.

How do you determine whether a request is excessive or repetitive? Consider this example: Say you're a small business, and a consumer has requested that you provide them with any Personal Information you have on him or her. You spend a couple of hours looking throughout your system, and you find nothing. You report back to the consumer and say that you have nothing. The next day, the consumer makes the exact same request. You spend a couple of hours looking again, but again, you find nothing. You report back to the consumer. Then, the next day, the consumer makes the same request again. Sounds excessive, right? It probably would be, and it would be safe to charge the consumer a reasonable fee (or perhaps reject it, depending on the law of the relevant jurisdiction).

Different rules for different jurisdictions

When considering whether you can charge for an information request, it's important to review the rules in your and the consumer's jurisdiction. The rules can vary, but the strictest laws are similar:

PIPEDA (Canada)

"Minimal or no cost" ¹

CCPA (California)

"Free of Charge" for the first two requests in a 12-month period. ²

CPDA (Virginia)

"Free of charge" for the first request in a 12-month period. ³

CPA (Colorado)

"Free of charge" for the first request in a 12-month period. ⁴

GDPR (EU)

"Free of charge" for the first copy. ⁵

At the minimum, provide the customer his or her personal information for his or her first request for free. After the first request, the rules slightly differ on whether you can charge the consumer. Importantly, in all these jurisdictions, there are special rules in place that permit the charging of fees. For example, in Virginia, if the consumer request is "manifestly unfounded, excessive, or repetitive," you-the business-may charge a reasonable fee to cover the administrative costs of complying with that request. Va. Code § 59.1-573.

Develop policies to protect customer's right to privacy

You should also adopt robust policies to ensure your customers receive the maximum privacy rights and protection. This could benefit you because you could advertise that you go above and beyond to protecting your customers' right to privacy.

Footnotes

1 PIPEDA, Schedule 1, s. 4.9.4.

2 CA Civ. § 1798.100

3 Va. Code § 59.1-573 – Effective 1/1/2023

4 Colo. Rev. Stat. § 6-1-1306 – Effective 7/1/2023

5 GDPR, Arts. 12 5, and 15 3.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.