Compass Legal Clinic

Privacy and Data Collection for Canadian Startups

By: Audrea Wang

· Startups

In an increasingly digital marketplace, even the smallest business in Canada can collect a surprising amount of personal information, ranging from customer names and addresses to patterns of online reviews and purchases. In managing personal information, businesses of all sectors and sizes must comply with Canada’s privacy laws. This guide provides an overview of when privacy matters and how Canadian small businesses can manage, store, and share data responsibly from the start.

1. When does Privacy Matter?

In Canada, privacy laws apply to any commercial activity that collects, uses, or discloses personal information. Personal information includes:

• age, name, ID numbers, income, ethnic origin, or blood type;
• opinions, evaluations, comments, social status, or disciplinary actions; and
• employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or to change jobs).

The collection of personal information can occur at many steps of a business’s operations, including loyalty programs, apps, newsletters, and purchase history. Using personal information might look like analysing click rates or behavioural data, and disclosing personal information can be as simple as using a third-party platform to manage data storage or payment processing.

The federal legal framework for privacy is the Personal Information Protection and Electronic Documents Act (PIPEDA). Alberta, British Columbia, and Quebec each have their own private-sector privacy legislation, which has been deemed substantially similar to PIPEDA. In Quebec, for instance, the governing statute is the Act respecting the protection of personal information in the private sector. A business whose activities take place entirely within one of these three provinces is governed by that province’s legislation rather than PIPEDA. PIPEDA continues to apply, however, whenever personal information crosses provincial or national borders in the course of commercial activity, and it applies to federally regulated businesses (such as banks, airlines, and telecommunications companies) wherever they operate.

A business that fails to comply with PIPEDA may face financial penalties. Notably, knowingly contravening PIPEDA’s breach reporting, notification, and record-keeping requirements is an offence that can result in fines of up to $100,000.

2. Considerations for Data Management

PIPEDA requires businesses to follow 10 fair information principles:

1. Accountability: A business must appoint someone to be responsible for personal information and ensure compliance with the fair information principles.
2. Identifying purposes: A business must identify the purpose(s) for which personal information is collected at or before the time of collection.
3. Consent: Personal information may only be collected, used, or disclosed with the knowledge and consent of the individual.
4. Limiting collection: Only personal information that is needed for the purposes identified by the business should be collected.
5. Limiting use, disclosure and retention: Personal information may only be used or disclosed for the purposes for which it was collected, and may only be retained for as long as it is needed to serve those purposes.
6. Accuracy: Personal information must be accurate, complete, and up-to-date.
7. Safeguards: Personal information must be protected by security measures appropriate to its sensitivity.
8. Openness: A business’s policies and practices for managing personal information must be readily available to individuals.
9. Individual access: Individuals must be able to request information about the existence, use, and disclosure of their personal information, and must be given access to it upon request.
10. Challenging compliance: Individuals must be able to challenge a business’s compliance with privacy laws.

A. What do the fair information principles mean for data collection?

Consent is a key consideration when collecting personal information (PIPEDA Fair Information Principle 3). Under PIPEDA, businesses must obtain meaningful consent, and individuals must receive clear information explaining how their data will be used.

Noting that lengthy privacy policies are often neither read nor understood by consumers, the Office of the Privacy Commissioner of Canada (OPC) has provided seven guiding principles for meaningful consent:

1. Emphasize key elements: Individuals must be able to quickly review what information is being collected, with whom it will be shared, for what purpose the information is being collected, and what risks may arise.
2. Allow individuals to control the level of detail they get and when: Information must be easily accessible, and individuals must be able to get more or less detail when they choose to. For example, an accordion website design or highlights at the start of the page would be preferred over a complex, lengthy document.
3. Provide individuals with clear options to say “yes” or “no”: Individuals cannot be required to consent to collection, use, or disclosure beyond what is necessary to provide the product or service. For any collection that is not necessary, individuals must be given a choice. If a person is not aware that they can opt out, they have not provided informed consent (Englander v. Telus Communications Inc).
4. Be innovative and creative: Businesses are encouraged to use dynamic and varied communication strategies to explain their privacy practices. For example, asking for consent to use a user’s location right before it is used, or employing visual or interactive tools, are suggested strategies for ensuring informed consent.
5. Consider the consumer’s perspective: Businesses are encouraged to adopt clear explanations, taking into account a suitable level of language and interface design for consumers.
6. Make consent a dynamic and ongoing process: Businesses adopting new privacy practices must notify consumers.
7. Be accountable: Businesses must be ready to demonstrate their compliance with consent guidelines.

How should consent be obtained?

In general, express consent is the most appropriate and respectful form of consent (OPC). The appropriate form of consent may nonetheless vary with the type of information and the context. Sensitive information requires express consent, such as a checkbox or verbal consent over the phone. Several categories of information are always considered sensitive: health and financial data, ethnic and racial origins, political opinions, genetic data, uniquely identifying biometric data, an individual’s sex life or sexual orientation, and religious or philosophical beliefs (OPC).

Context can also make information sensitive. For example, the OPC considered Facebook’s use of non-users’ email addresses, obtained from users’ address books, to generate friend suggestions to be an inappropriate use of sensitive information (OPC). Information can also become sensitive when it is combined with other information. The Federal Court determined that how often an individual visits a fitness centre in a week is not sensitive information and could even be collected under implied consent, whereas information about the individual’s activities at the fitness centre, the length of their visits, and their fitness level is health information that must be treated as sensitive (Randall v. Nubodys Fitness Centres).

Canadian courts have also determined that the reasonable expectations of the consumer are relevant to the appropriate form of consent. For example, a non-user would not reasonably expect Facebook to use their email address to suggest friends to them. Reasonable expectations are also implicated in the design choices of a product or service. For instance, a social media platform whose default profile setting is public exceeds the reasonable expectations of users if it fails to make clear that a user must change their settings to avoid being accessible to the general public (OPC). A similar issue arises if the ability to change one’s visibility is non-existent or generally inaccessible.

B. What do the fair information principles mean for data storage?

Individuals must be able to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Once consent is withdrawn, a business must stop using and disclosing the individual’s personal information for the purpose in question and, under the retention principle, must destroy, erase, or anonymize that information once it is no longer needed.

A loss of, unauthorized access to, or unauthorized disclosure of personal information is a breach of security safeguards (Breaches of Security Safeguards, PIPEDA). A breach must be reported to the OPC, and the affected individuals notified, if it creates a real risk of significant harm to an individual. Significant harm is defined in PIPEDA as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” The risk of significant harm increases with the sensitivity of the information and the probability that it will be misused. Reporting and notification must occur as soon as feasible after the business determines that a breach has occurred. The notification to individuals must describe the circumstances of the breach, the personal information involved, and the steps the individual can take to reduce the risk of harm. Separately, businesses must keep a record of every breach of security safeguards, whether or not it meets the reporting threshold, retain those records for at least 24 months, and provide them to the OPC on request.

C. What do the fair information principles mean for data sharing?

Once consent is obtained, a business may only use, disclose, and retain personal information for the identified purposes for which it was collected (PIPEDA Fair Information Principle 5). While individuals must be able to access and correct their personal information, businesses are not required to delete data that is still being used for the purposes for which it was collected (OPC).

Businesses frequently share personal information with third parties, for instance when outsourcing payment processing or using external online service providers. In doing so, they are responsible for taking reasonable measures to ensure that this information is not misused or improperly disclosed. This includes confirming that the third-party service providers maintain a “comparable level of protection,” with processes and policies that align with the standards required for secure data handling (Guidelines for processing personal data across borders, OPC). A business remains accountable for personal information it has transferred to a third party for processing, whether that third party is located in Canada or abroad.

Conclusion

For Canadian startups, privacy compliance is a legal obligation governed primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, in some cases, applicable provincial statutes. From the moment personal information is collected, businesses are accountable for its proper handling, whether it is retained internally or transferred to third-party service providers. By embedding privacy compliance into their operational framework early on, startups can mitigate liability and position themselves for responsible growth within Canada’s evolving privacy landscape.

Sources

https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/online-privacy/deceptive-design/gd_dd-bus/

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/guide_org/

This blog post is authored by students of McGill University’s Faculty of Law. The content of this blog post is provided for general informational purposes only and does not constitute legal advice. The authors are students and are not acting as lawyers or legal professionals. Reading this blog post, or contacting its authors, does not create a solicitor-client relationship. Laws and regulations vary by jurisdiction and may change over time, and the information provided in this blog post may not be current or applicable to your particular circumstances. You should not act or refrain from acting based on this content without seeking advice from a qualified legal professional regarding your specific situation.

