This blog post provides an overview of Canadian privacy law for website owners and e-commerce companies in Ontario.
If you need legal advice from an Ontario small business contract lawyer, book your legal consultation with Supply Law today.
*Disclaimer: this guide is for informational purposes only. It does not constitute legal advice nor create a solicitor-client relationship between the author and reader. As with all legal matters, a lawyer should be properly retained and consulted where legal advice may reasonably be considered necessary.*
What Privacy Laws Apply to an E-Commerce Business in Ontario?
This blog post provides an overview of Canadian privacy law for website owners and e-commerce companies in Ontario including:
Ready? Here we go!
1. The statutory framework for privacy law in Canada
Privacy in Ontario’s private sector is primarily governed by Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (IPC), which has the authority to investigate privacy-related matters such as breach of privacy complaints or the unauthorized use of personal information.
PIPEDA applies to every organization (defined to include a person) that collects, uses, or discloses “personal information” in the course of “commercial activities.”
“Personal information” is broadly defined by PIPEDA to mean “any information about an identifiable individual.”
“Commercial activities” means “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
Because PIPEDA applies to personal information an organization collects in the course of commercial activities, the act can apply equally to non-profit organizations when their activities take on a commercial character.
Note: PIPEDA does not apply to “business contact information” when the collection, use, or disclosure of that information is only for the purpose of communicating or facilitating communication with an individual in relation to their employment, business, or profession. In that context, business contact information can include an individual’s name, position or title, work address, work telephone number, work fax number or work electronic address.
b) Provincial privacy law
The federal PIPEDA applies in all provinces that have not enacted their own substantially similar privacy legislation. The provinces that have enacted their own privacy legislation are:
- British Columbia
Because these provinces have enacted their own privacy regimes, PIPEDA does not apply to commercial data collection within them. If you are doing business in these provinces, you must also comply with the applicable privacy legislation in that jurisdiction.
c) International considerations
If you are doing business outside of Canada, your business may need to comply with international privacy regimes as well. Of note (but outside the scope of this Canadian-centric blog post) is the European Union’s General Data Protection Regulation (GDPR), which came into force in 2018. The GDPR aims to update EU privacy laws to be in line with modern commercial data collection and use of personal information. The United States, unlike Canada and the EU, does not have a unifying privacy law regime, meaning compliance must currently be addressed on a state-by-state basis.
2. The purpose of PIPEDA
PIPEDA was enacted in Canada in response to the increasing need to recognize individuals’ rights to privacy in an era where technology increasingly facilitates the circulation and exchange of personal information. From the wording of PIPEDA, e-commerce was at the forefront of the drafters’ minds when they sought to regulate the use of personal information collected by Canadian businesses.
d) Access to personal information
Subject to some exemptions, individuals have a right to be provided with access to the personal information that has been collected about them by for-profit entities. They also have the right to request that an organization correct any errors or omissions the individual may become aware of. Individuals can request to view their personal information by making a written request to the private organization that has collected their data.
e) Collection, use, and disclosure
When you collect personal information about your customers, you must provide them with notice that their information is being collected and the purpose it is being collected for. You cannot collect personal information without the implied or express consent of the person whose information you are collecting. For instance, if your customer enters their email and credit card information in a form on your website for payment processing, they have given either their implied or express consent for you to use their information for that purpose. The information you collect must be appropriately related to your collection purposes. So, without the express consent of your customer you could not use that same information obtained for payment processing for a retargeted ad campaign. You have a further obligation to ensure the accuracy of the personal information in your possession and to exercise a reasonable degree of protection over personal information you collect.
3. Websites and PIPEDA
f) Online marketing
Most businesses implement some form of data collection on their websites. The insights that can be gained from collecting information about your visitors are highly valuable for behavioral advertising and remarketing purposes. The IPC has made clear that if you are tracking website visitors by implementing tools like cookies or pixels, in nearly all cases you will be collecting personal information in the course of a commercial activity and PIPEDA applies.
g) Personal information you are collecting
The definition of personal information has been broadly interpreted in the context of the internet. Personal information has been held to include a customer’s IP address in the context of online advertising (Englander v. Telus Communications Inc.). A social networking site was found to have been engaged in a commercial activity when it used and disclosed personal information about its website users for the purpose of “enhancing its website’s user experience”. Similarly, a website owner who posted customer testimonials on their website did so in the course of a commercial activity.
h) Consent to tracking
In order to comply with the purpose and principles of PIPEDA, you must obtain consent from your website visitors before using their personal information for online marketing purposes. The users’ consent has to be “meaningful” and the only way to obtain that level of consent is through transparency.
i) Opt-in and opt-out consent
Consent can be achieved through opt-in or opt-out methods. Opt-in consent typically takes the form of a browser pop-up when the user arrives at a website’s homepage. The pop-up will ask the visitor if they consent to the collection of their personal information and how their information will be used if they agree. On the other hand, opt-out consent means the website will collect user information by default and place the onus on the consumer to turn off tracking.
The degree of consent you need from your users depends on the depth of the information you are collecting and the intended use of the information. For instance, are you using first or third-party cookies? Are you sharing the information with third parties? The more transparent you are, the less likely it is that your business will be the focus of a complaint. In terms of transparency and consent, opt-in consent is not always necessary but is almost always preferable.
j) Cloud Storage
Many private sector actors have chosen to outsource in-house file storage to third-party cloud hosting providers. The question this raises is whether storing personal information in the cloud should raise privacy concerns for businesses, especially in regard to the permitted disclosure of personal information. The IPC has clearly stated that PIPEDA does not prevent Canadian businesses from storing personal information with a third-party cloud provider. However, the business will need to maintain control and custody over the data, and the cloud provider must provide security, effective oversight, and monitoring over the information being stored. Following the theme of transparency, the IPC does recommend advising customers if their information will be stored with a third party.
4. PIPEDA guiding principles
Legislative drafters will never be able to keep up with the technological developments being utilized by private sector actors to collect and make use of individuals’ personal information. To stay ahead of the curve, and to avoid negative publicity or an audit from the IPC, private sector actors should try to abide by PIPEDA’s guiding principles where the law is unclear:
- Accountability – appoint a privacy compliance officer and develop internal privacy compliance procedures.
- Identifying Purposes – identify your purpose for collecting information and inform your customers of that purpose.
- Consent – obtain meaningful consent from your customers before collecting their information.
- Limiting Collection – only collect the information your business needs to fulfill its goals.
- Limiting Use, Disclosure, and Retention – keep customer information only for as long as necessary.
- Accuracy – where possible, review personal information to ensure it is complete and up to date.
- Safeguards – use physical or electronic means to prevent unauthorized disclosure.
- Individual Access – inform customers about how they can access the personal information you collect.
- Challenging Compliance – develop internal procedures to respond to privacy complaints.
If you need legal advice from an Ontario contract lawyer, book your free legal consultation with Supply Law today.