Understanding PIPEDA and CASL
Summary of Privacy Laws in Canada
In Canada, there are 28 federal, provincial and territorial privacy statutes that govern the protection of personal information in private, public and health sectors. Enforcement of these requirements is usually handled by a government or provincial agency, of which responsibility is usually divided through several factors:
- Are these private sector organizations or government entities? If it is a government entity does it fall within federal, provincial or national jurisdiction?
- Is it engaged in commercial activity?
- Is the business operating within a federally regulated industry?
- What kind of information is being transmitted?
- Does information cross provincial or national borders?
Federal Privacy Laws
Canadian organizations must adhere to two main privacy laws:
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA‘s main goal is to lay the ground rules for how private sector organizations use and disclose personal information while undertaking for profit activities in Canada.
It lays out 10 fair information principles which are as follows:
- Accountability: There should be a qualified person who is responsible for ensuring that the organization is able to stay compliant
- Identifying Purposes: Organization must define the purpose for collecting personal information
- Consent: Organizations must inform the user of the collection use and disclosure of personal information
- Limiting Collection: Organization’s must only collect data that is necessary
- Limiting use, Disclosure and Retention: Organization must only use or disclose personal information for the express purpose that it was collected for
- Accuracy: Personal information must keep stored information accurate
- Safeguards: Organizations must make resonable effort to protect personal information from data breach and identity theft
- Individual Access: Users have a right to access the personal information an organization has stored about them
- Resource: Organization must be accessible for complaints
Provincial privacy laws
PIPEDA generally applies to personal information held by private sector organizations in the following areas:
- New Brunswick
- Newfoundland and Labrador
- Northwest Territories
- Nova Scotia
- Prince Edward Island
About Canada’s Anti-Spam Legislation (CASL)
In contrast with PIPEDA, which is primarily focused on an organization’s activities storing personal information, the Canadian Anti Spam Law (CASL) focuses on the requirements for sending electronic messages for commercial purposes and the requirements regarding express consent for them.
First coming into force July 1, 2014, CASL is one of the most prescriptive and punitive anti-spam laws in the world. With steep fines up to $10 million, it is definitely worth paying attention:
What’s covered under CASL
As stated above, CASL is primarily focused on the issue of spam and related threats, with which it imposes two main goals.
- CASL prohibits the sending of unsolicited commercial electronic messages. In other words, organizations must have the implied or express consent of the receiver before undertaking in such a commercial activity.
- If consent is given, the organization must provide notice and an unsubscribe mechanism
What are commercial electronic messages (CEMs)?
In CASL documentation, there are many references to “commercial electronic messages”, but what are they exactly?
A CEM is defined as any message sent to an “electronic address” that has is intended to encourage in the participation of commercial activity. This includes messages that:
- Offer to purchase or sell goods
- Offer to provide a business or investment opportunity
- Contain advertisements for any of the above
- Promotes a person
Implied vs. Express Consent
Perhaps the most important part of CASL is the guidelines it lays out around consent and its definition.
Under CASL, there are two principal types of consent:
CASL defines express consent as the clear and informed indication on that the receiver is consenting to receive the messages. In other words, the user must clearly opt-in to the message, and the person must be aware that they are going to receive promotional emails. You’ve likely already seen these before in the form of checkboxes or a confirmation button on a form or web app.
Once consent is obtained, the sender is then authorized to send commercial messages until the recipient decides to withdraw consent.
CASL states that implied consent may exist where the sender of the CEM have an existing business relationship. This occurs when:
- There has been a purchase of a product, good, service, land or investment interest within the previous two years
- If the recipient has accepted a business or gaming opportunity within the previous two years
- If there is a written contract that currently exists between the recipient and the sender
- If there was an inquiry or application made by the recipient
It should be noticed however, that even in the case of implied consent, the organization sending CEM’s must do so within 10 business days.
Unsure about Data Compliance & Security?
We understand that complying with privacy laws and legislation can be a tough task. At Stratejm, we’ve been securing complex data environments for Canada’s top enterprises for over 7 years.
Contact us today