Privacy Protection
What Marketers Need to Know
Good privacy and data protection practices help lay the foundation for consumer loyalty and trust. On this page, you can learn what marketers need to know to comply with privacy laws and demonstrate best practices to regulators and customers.
Most Canadian organizations are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets the rules for the collection, use and disclosure of personal information by organizations in the course of commercial activities.
PIPEDA is based on 10 principles for the protection of personal information. These principles are also reflected in the privacy provisions in Section J of the Canadian Marketing Code of Ethics & Standards.
The federal government intends to reform PIPEDA through the proposed Consumer Privacy Protection Act (CPPA) in Bill C-27, which is undergoing study by the House of Commons INDU Committee. In the meantime, PIPEDA continues to be fully in effect.
For more information on privacy law reform and the CMA’s advocacy efforts, please see our Privacy Law Reform webpage.
On January 1, 2001, the Personal Information Protection and Electronic Documents Act (PIPEDA) began coming into force, and it was phased in fully by January 1, 2004. It sets the rules for the collection, use and disclosure of personal information by Canadian organizations in the course of commercial activities.
In June 2015, the Digital Privacy Act became law, amending PIPEDA to include new exemptions for consent, enhanced powers for the Privacy Commissioner, and more.
Organizations are also subject to the Breach of Security Safeguards Regulations, which came into effect in November 2018, and the Guidelines for Obtaining Meaningful Consent, which came into effect in January 2019.
Provincial Privacy Laws
PIPEDA applies to most private sector organizations across Canada in the course of commercial activities except in Quebec, British Columbia and Alberta. These provinces have their own private sector laws that are deemed "substantially similar" to PIPEDA.
PIPEDA also applies to federally regulated businesses operating in Canada and their employee information, including in Quebec, British Columbia, and Alberta. In addition, all businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of which province or territory they are based in.
Does PIPEDA apply to not-for-profits?
Non-profit status does not automatically exempt an organization from PIPEDA. Non-profit, charitable and membership-based organizations can still be engaged in commercial activity that triggers PIPEDA, such as the selling, bartering, or leasing of donor, membership or other fundraising lists.
Extraterritorial Application
PIPEDA has extraterritorial application (to organizations outside of Canada) if there is a 'real and substantial' connection between Canada and the activity undertaken in a foreign jurisdiction.
To find out which Canadian privacy law applies to your organization and its specific activities, see the Office of the Privacy Commissioner of Canada's website. Other privacy laws may apply to your organization instead of, or in addition to, PIPEDA; for example, if your organization is a federal government institution, it is subject to the Privacy Act.
CMA Guides
- CMA Guide: Application of Quebec Law 25 to Marketing Activities (EN/FR) (Member only)
- Privacy Compliance (Members only)
- Expert insights into Canada’s changing privacy and AI rules
- EU GDPR and ePrivacy Regulation
- Transparency for Consumers
CMA Event
- CASL and Privacy Essentials Workshop (November 21, 2023)
CMA Blogs
- Navigating Law 25: A Guide for Marketers
- Marketing within the rules: Wrapping up 2021
- Quebec adopts new privacy law
- Privacy Refresh: 5 Key Privacy Tips for Marketers
- Privacy Update - Provincial privacy law reform, final CCPA regulations and more
- GDPR Update - Cookies, new consent guidance and what's on the horizon
- Your Privacy and Security Responsibilities during the Pandemic
- What Marketers Need to know about California's Consumer Privacy Act - Part 1 and Part 2
- How is "publicly available information" like a cassette tape deck?
- Mandatory Breach Regulations - Are You Ready?
- OPC's new consent guidelines and what they mean for your business
- Canadians want user-friendly information about privacy policies
For information and resources on proposed privacy laws, including Canada’s Bill C-27, click here.
AdChoices is a self-regulatory program set up by the marketing and advertising community in Canada to help organizations comply with PIPEDA by enabling consumers to more easily opt out of interest-based ads.
The program is designed to help organizations deliver relevant advertising to consumers in a manner consistent with applicable Canadian privacy laws.
AdChoices features a blue triangle icon that is inserted in the ads of participating companies and organizations. When consumers see the blue triangular icon in ads or on websites and apps, it informs them that interest-based advertising data is being collected or used on that device, and they have the ability to opt out.
Companies that join AdChoices agree to a set of principles and are monitored for compliance.
AdChoices is run by the Digital Advertising Alliance of Canada (DAAC). The CMA sits on the Board of DAAC. Ad Standards is responsible for the accountability component of the AdChoices program in Canada.
For more information or to participate in the AdChoices program, click here.
Canadian organizations must familiarize themselves with the privacy laws of any country where they conduct business. Here is information about the two laws that might be most significant to Canadian organizations.
GDPR
The General Data Protection Regulation (GDPR) is a regulation by which the European Union (EU) intends to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. This regulation came into effect in 2018, and applies to Canadian organizations if they:
- have an establishment or physical presence in the EU, or
- offer goods or services to individuals in the EU (even at no charge), or
- intentionally monitor or profile behaviours of individuals in the EU.
There are also implications if you are a third-party processor of EU personal data.
Organizations found to be non-compliant risk heavy fines: for the most serious infringements, up to 20 million euros or 4% of their global annual turnover, whichever is higher. For more information, see our GDPR page.
CCPA
The California Consumer Privacy Act (CCPA) establishes the rights of California consumers with respect to the collection, use, and disclosure of their personal information. It came into effect on January 1, 2020.
The CCPA applies to Canadian for-profit businesses that collect, use, and disclose the personal information of California consumers, even if they are not physically located in California and have no employees there, provided they meet or exceed one of the following criteria:
- have annual gross revenue more than $25 million, or
- buy, receive, sell, or share the personal information of more than 50,000 California consumers, or
- derive at least 50% of annual revenue from selling California consumers' personal information.
For more information, see Part 1 and Part 2 of the CMA's blog series on what marketers need to know about California's Consumer Privacy Act.