August 13, 2024
What Is PIPEDA? Understanding Canada’s Privacy Law
Canada's comprehensive privacy law has been on the books and regularly enforced for over 20 years. Learn more about its requirements for businesses.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is more comprehensive than many people realize. While the Canadian privacy law often speaks in broad principles, those principles are still enforceable, and Canadian regulators have been forceful in interpreting them.
PIPEDA does not contain the words “opt-out” or “targeted advertising” (it was first drafted in 2000, after all), but the Office of the Privacy Commissioner (OPC) has clearly stated that Canadians do nonetheless have the right to opt out of targeted advertising.
We’ll explain how that works.
Virtually all processing of personal information that falls under PIPEDA requires the individual’s informed consent. At first glance, this would appear to create problems for businesses and consumers alike, as it would result in an avalanche of consent requests for every online interaction.
However, the Canadian law makes it clear that, in many cases, implied consent is acceptable. If a business is transparent about its data privacy practices and makes that information easily available, consumers will be deemed to have impliedly consented to those practices by continuing to use the business’s services. This is also called “opt-out” consent.
Express (opt-in) consent is still required in some situations, such as when the personal information is sensitive or if the processing falls outside of the reasonable expectations of the individual. It is a fuzzy line, and figuring out when express or implied consent is required is one of the trickier aspects of PIPEDA compliance.
Luckily, the OPC has already grappled with the question of whether targeted advertising requires opt-in or opt-out consent. Noting that “advertising plays a key role in providing free content on the Internet,” the Privacy Commissioner determined that the opt-out consent is acceptable in the context of targeted advertising, provided that certain conditions are met.
These conditions are:
This approach is somewhere in between that of U.S. privacy laws and European laws. U.S. laws such as the CCPA require a privacy-policy disclosure of targeted advertising and an opt-out link at the bottom of the page. Europe’s ePrivacy Directive requires opt-in consent for all non-essential cookies (and presumably tracking pixels as well).
PIPEDA allows for opt-out consent, BUT the OPC is also saying that businesses can’t rely on disclosures buried deep in their privacy policies. This would seem to require something along the lines of a pop-up banner that makes website visitors aware of the business’s use of targeted advertising, along with information about how to opt out.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
