
Why Have a Privacy Policy?

Learning how to create a privacy policy, and properly implementing it, will reduce the risk of a lawsuit or government sanctions in Canada. Privacy policies are required by law for companies collecting user data in the course of business.

If you do not have a privacy policy, the Privacy Commissioner may pursue you and impose sanctions under the relevant legislation. If you do have a privacy policy which is not implemented properly (i.e. you collect client or user data without their consent, or use it for a purpose they have not consented to), you also risk being sued by the client or user. Take, for example, the attacks on Facebook in both the United States and Canada.

A proposed class action was commenced in the Supreme Court of British Columbia alleging that Facebook used members’ names or portraits as endorsements of third-party advertisers, without those members’ consent, contrary to the provisions of the Privacy Act. A copy of the Notice of Civil Claim filed in the Supreme Court of British Columbia is available here.

With consumers becoming more knowledgeable and concerned about their online privacy rights, Canadian companies, particularly those collecting information online, should create an accurate privacy policy which is properly implemented within their organization.

Canadian Legislation

There is privacy legislation at both the federal and provincial levels in Canada. The main legislation at the federal level is the Personal Information Protection and Electronic Documents Act (PIPEDA).

Does PIPEDA Apply to your Business?

The answer is likely – Yes.

PIPEDA applies to all organizations including associations, partnerships, individuals, corporations, trade unions, non-profits and charities which collect, use, or disclose personal information: (a) in the course of commercial activities; or (b) in connection with the operation of a federal work, undertaking or business; or (c) which is disclosed to a third party or in some cases within the same company across a provincial or national boundary.

How to Create A Privacy Policy

Key Consideration in Creating a Privacy Policy

To create your privacy policy you will need to consider the 10 privacy principles under PIPEDA to define what information you are collecting, why you are collecting it and how your customers or users will consent to the use of their personal information. The principles are:

(1) Accountability; (2) Identifying Purposes; (3) Consent; (4) Limiting Collection; (5) Limiting Use, Disclosure and Retention; (6) Accuracy; (7) Safeguards; (8) Openness; (9) Individual Access; and (10) Challenging Compliance.


The accountability principle provides that an organization is responsible for personal information under its control and shall designate an individual who is accountable for the organization’s compliance with the principles, the legislation and customers’ or users’ rights.


However, the consent principle is really the key consideration for any privacy policy. That is, an organization must obtain the consent of the relevant individual before collecting any personal information.

The Privacy Commissioner is tasked with ensuring that organizations do not use or disclose personal information for any purpose other than that for which it was collected except with the individual’s consent or as required by law.

Retention of Data

The retention principle states that personal information collected shall only be retained for as long as necessary in order to fulfil the purpose it was collected for.

Transferring or selling personal information

When organizations transfer personal information to a third party for processing, they must use “contractual or other means” to ensure that the third party will provide a level of protection that is comparable to the protection offered by PIPEDA.

If the organization elects to use contractual means, the organization should enter into an agreement with the third party which ensures they will comply with PIPEDA.

Wires Law also has online legal services for generating fixed price corporate privacy policies.

John Wires is the founder of Wires Law, a law firm serving corporate, technology and e-commerce clients across Canada. John comes from a corporate litigation background. He has appeared in the Ontario Superior Court, the Ontario Court of Appeal and private arbitrations. He graduated from law school with first class honours specializing in both international trade and corporate commercial law.