Perusing the daily news could give anyone the idea that only the big players like Google and Facebook and the likes of Bell and Air Canada have to bother with privacy laws.

But thinking that way could be a serious mistake, because any business, small or large, has privacy obligations that they ignore at the risk of considerable liability, either by way of fines or lawsuits, possibly of the class action variety. And if the Liberal government’s proposed introduction of a Digital Charter is any indication, it appears that privacy protection will become even more stringent with the imposition of heftier fines and broader penalties.

So just what are your obligations?

Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies to the collection and handling of personal information in the course of any business activity.

To begin with, your business must have a privacy policy and must designate at least one individual who can explain, on demand, how the privacy policy conforms to PIPEDA.

Your privacy policy should:

  • identify the reason for the collection of personal information
  • explain how you will use the information
  • tell your users and customers how you will update them when your policy changes
  • inform them of just how long you will hang on to the information
  • ensure that your privacy policy is readily available to your users and customers

You will also need to implement procedures that demonstrate you have obtained meaningful consent for the collection of personal information. Whether the consent you have collected is considered “meaningful” will depend on whom you are collecting the information from. Special consideration should be given, for example, if information is being collected from youth. Bear in mind, however, that you cannot require anyone to consent to the collection of information beyond what is necessary to provide your goods and services.

If you do obtain consent to sell or share personal information with third parties, you must ensure that the third parties provide a standard of protection that is equivalent to the safeguards found in your own privacy policy. At times, you may also be obligated to monitor the use of information you have provided to such third parties.