The Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal data in a commercial context in Canada.  The law defines personal information as “information about an identifiable individual.” [1]  This includes information such as name, identification numbers, age, income, ethnicity, employee records, credit reports, banking information, and medical records.

Broadly, PIPEDA imposes several requirements on covered organizations:

  • to obtain an individual’s consent to use, collect, or disclose personal information;
  • to use personal data only for the purpose for which it was originally obtained, and to obtain a new consent if that purpose changes;
  • to provide individuals a right to access and challenge any personal information the organization holds; and
  • to protect that information through appropriate safeguards. [2]

The law applies to “any work, undertaking or business that is under the legislative authority of parliament” and carries force in every province that does not have its own substantially similar law.  The Office of the Privacy Commissioner of Canada has explained that this largely captures any company subject to any part of the Canada Labour Code.  PIPEDA specifically identifies businesses like airlines, banks, telecommunications providers, broadcasters, and offshore drilling operations, but this list is not exhaustive.

Canada’s Anti-Spam Legislation (CASL), the Fighting Internet and Wireless Spam Act, seeks to prevent unsolicited commercial messages.  CASL applies not only to emails, but to any commercial electronic message (CEM), including text messages and messages through social networking sites that are sent to, from, or within Canada (though not those messages simply routed through Canadian servers).  Sending a CEM subject to CASL requires that:

  • the recipients expressly consent to the CEM, either orally or in writing, or imply consent in the case of pre-existing business relationships;
  • the CEM include the identity of the sender; and
  • the CEM contain a mechanism by which the recipient can unsubscribe from further messages.

Though CASL is concerned primarily with unsolicited CEMs, the law also prohibits such activities as collecting electronic addresses via computer programs, using false or misleading online ads, and removing personal information from a computer or device one has illegally accessed. [3]

Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.).


Anti-Spam Legislation, S.C. 2010, c. 23 (Can.).
