On September 13, 2013, Manitoba’s Personal Information and Identity Theft Prevention Act (PIITP) received royal assent. Under the authority of the Manitoba Ombudsman’s Office, this legislation, once in force, will govern the collection, use and disclosure of personal information, including that of employees, by all organizations, including franchisors and franchisees.

While the new legislation will not significantly affect the privacy obligations of franchisors and franchisees who are already subject to Canada’s federal private sector legislation, of particular significance are obligations regarding privacy breaches (not currently addressed in the federal legislation); the handling of employees’ personal information; the collection, use and disclosure of business contact information; the use of electronic consents; the collection of personal information from third parties or sources; and consent by minors.

Failure to comply with PIITP may result in fines of up to $100,000. Consumers may also commence a private right of action against an organization for failing to protect personal information in its custody or control, or for a failure to provide notice of a security breach, as required under PIITP. Contrast this with the absence of any fines or private right of action in the federal legislation.

How It Affects Your Business

As a result of the passage of PIITP, franchisors with a national presence in Canada, and particularly those with franchises, employees or customers in Manitoba, should undertake a detailed review of their privacy policies and practices to ensure compliance with PIITP before it comes into force. Franchisors and franchisees should consider:

  • implementing a notification protocol for data breaches that meets the requirements of PIITP
  • reviewing existing consent practices to ensure that electronic consents remain valid
  • reviewing existing practices relating to the exchange of personal information within the franchise system (i.e., between franchisor and franchisees)
  • reviewing and revising internal policies on the collection, use and disclosure of personal information of employees
  • amending privacy policies and practices to address collections from third parties or sources and to provide consumers with a reasonable opportunity to opt out