What is PIPEDA?

The primary federal privacy law for the private sector in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). It gives individuals control over their personal information and sets the rules for how organizations collect, use, and disclose that information in the course of commercial activity.

Ten fair information principles form the foundation of PIPEDA, which was passed in 2000. Meaningful consent is crucial for clickwrap agreements because users must be able to comprehend what they are consenting to when their personal data is gathered or utilized.

Who does PIPEDA apply to?

Private sector companies that gather, use, or disclose personal data while conducting business in Canada are subject to PIPEDA. In particular, it addresses:

  • All organizations engaged in commercial activity in provinces that have not enacted substantially similar provincial legislation.
  • All organizations engaged in interprovincial or international commercial activity, regardless of which province they operate in.
  • All federally regulated organizations (banks, telecommunications companies, and airlines).

Alberta, British Columbia, and Quebec have private-sector privacy laws deemed substantially similar to PIPEDA, so those laws apply instead of PIPEDA to intra-provincial commercial activities. PIPEDA still applies to cross-border data flows and federally regulated industries.

PIPEDA and Clickwrap Agreements

The 10 fair information principles contained in Schedule 1 constitute the foundation of PIPEDA's consent structure, with Principle 4.3 (Consent) at the heart of every clickwrap compliance question. In 2018, the Office of the Privacy Commissioner (OPC) published its Guidelines for Obtaining Meaningful Consent, which require consent to be assessed from the perspective of a reasonable person. For clickwrap interfaces, this standard makes consent a substantive disclosure requirement rather than a checkbox formality.

How PIPEDA Affects Clickwrap Design

According to the OPC’s meaningful consent guidelines, four things have to be clear to the individual: what personal information is being collected, who is collecting it, why it is being collected, and what risks of harm or other consequences may follow. A clickwrap flow that covers the first three but does not clearly explain the risks will not meet the meaningful consent standard.

The type of consent must reflect the sensitivity of the information. Principle 4.3.4 uses a sliding scale: implied consent may be enough for less sensitive information where the purpose is obvious to a reasonable person, while express consent is required for sensitive information such as health data, financial information, and precise location. A clickwrap design that treats all data collection the same way does not meet this standard. Sensitive data should be tied to a separate opt-in action that is distinct from general acceptance of terms.

Principle 4.3.3 also prohibits organizations from requiring consent to collection, use, or disclosure beyond what is necessary for the expressly identified and legitimate purposes. Consent cannot be made a condition of service unless it is required to provide the service. OPC findings have repeatedly criticized organizations that bundle optional practices together with mandatory terms. A compliant clickwrap flow should clearly separate essential data collection from optional uses such as marketing, analytics, or third-party sharing, so users can refuse the optional uses without losing access to the core service.

Pre-checked consent mechanisms are generally not valid. In PIPEDA Case Summary #2019-001 and later guidance, the OPC made clear that meaningful consent requires a deliberate, affirmative action by the user, especially where the practice is not obvious or the information is sensitive. In a clickwrap flow, consent should therefore be based on an active choice, not a pre-ticked box.

What Must Be Shown Under PIPEDA

Under Principle 4.8, organizations must make information about their privacy policies and practices readily available in a form that is generally understandable. The OPC's meaningful consent guidance adds that key information should be highlighted at the moment of assent, with more detailed information available in the privacy policy.

Before the individual takes the consent action, the interface should clearly explain:

  • What personal information is being collected.
  • The purposes for which the information is being collected, used, or disclosed.
  • The third parties, or categories of third parties, that may receive the information.
  • Any meaningful risks of harm or other significant consequences.
  • The individual’s ability to withdraw consent, subject to legal or contractual limits and reasonable notice.

Principle 4.2 also requires organizations to identify their purposes at or before the time of collection. If information will later be used for a new purpose, that purpose must be identified before the new use occurs. Broad or vague purpose statements are not enough if they do not let the individual understand what the processing actually involves.

What Records You Must Keep Under PIPEDA

Under Principle 4.1, an organization is responsible for the personal information under its control and must designate an individual who is accountable for compliance. In practice, the business must be able to demonstrate that its consent process was valid and to explain its privacy practices if they are challenged.

PIPEDA does not prescribe a fixed format for consent records, but businesses should be ready to produce:

  • Evidence of the consent transaction - The mechanism used, such as a checkbox, button, or click-through, along with the individual’s identity and the time of the consent event
  • The exact terms presented - The version of the privacy policy, terms, or consent notice shown when the individual agreed
  • The purposes consented to - The purposes for collection, use, or disclosure that were identified to the individual
  • Proof the consent was meaningful - Evidence that the information was presented in a way the individual could reasonably understand; layered notice can help, but it is guidance rather than a statutory requirement
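The design rules above (no pre-checked boxes, separate express opt-in for sensitive data, optional uses not bundled with or made a condition of service) and the record-keeping list can be expressed as checks a consent flow runs before and after the consent event. The following is an added example, not code from the page or from any real product; the purpose names, user id, and terms text are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Purpose:
    name: str
    essential: bool          # needed to deliver the core service (Principle 4.3.3)
    sensitive: bool          # health, financial, precise location, etc. (Principle 4.3.4)
    separate_opt_in: bool    # has its own control, not folded into the general "I agree"
    pre_checked: bool = False
    required_to_proceed: bool = False

def validate_flow(purposes):
    """Return the design problems found in a clickwrap flow; an empty list means none."""
    problems = []
    for p in purposes:
        if p.pre_checked:
            problems.append(f"{p.name}: pre-checked control is not an affirmative act")
        if p.sensitive and not p.separate_opt_in:
            problems.append(f"{p.name}: sensitive data needs express, separate opt-in")
        if not p.essential and not p.separate_opt_in:
            problems.append(f"{p.name}: optional use is bundled with mandatory terms")
        if not p.essential and p.required_to_proceed:
            problems.append(f"{p.name}: optional use made a condition of service")
    return problems

def record_consent(user_id, mechanism, terms_version, terms_text, offered, accepted, when=None):
    """Build the evidence record: who consented, when, how, to which terms, for which purposes."""
    offered_names = {p.name for p in offered}
    unknown = set(accepted) - offered_names
    if unknown:
        raise ValueError(f"consent claimed for purposes never shown: {sorted(unknown)}")
    when = when or datetime.now(timezone.utc)
    return {
        "user_id": user_id,
        "timestamp": when.isoformat(),
        "mechanism": mechanism,                   # e.g. "checkbox", "button", "click-through"
        "terms_version": terms_version,
        # hash of the exact text shown, so a later edit to the policy is detectable
        "terms_sha256": hashlib.sha256(terms_text.encode("utf-8")).hexdigest(),
        "purposes_consented": sorted(accepted),
        "purposes_declined": sorted(offered_names - set(accepted)),
    }

# Constructed sample flow with two design defects (not taken from any real product)
SAMPLE_FLOW = [
    Purpose("account_service", essential=True, sensitive=False, separate_opt_in=False),
    Purpose("health_sync", essential=False, sensitive=True, separate_opt_in=False, pre_checked=True),
    Purpose("marketing_email", essential=False, sensitive=False, separate_opt_in=True, required_to_proceed=True),
]
```

Running `validate_flow(SAMPLE_FLOW)` reports the pre-checked, bundled sensitive purpose and the optional use made a condition of service; fixing those flags yields an empty list, and `record_consent` then produces the retained evidence.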

Section 10.3 requires organizations to keep records of every breach of security safeguards involving personal information under their control, whether or not the breach meets the reporting threshold. That duty is about security breaches, not every consent mistake. A consent-related issue would only fall under section 10.3 if it also involved a breach of security safeguards.

The OPC’s enforcement model is complaint-driven and investigative. The OPC can investigate, publish findings, and enter into compliance agreements, but it does not directly levy administrative fines under PIPEDA.

Key Provisions of PIPEDA

Personal Information
Personal information means information about an identifiable individual. Business contact information is excluded when it is collected, used, or disclosed solely to communicate with the individual in relation to their employment, business, or profession (Section 2(1); Section 4.01).
Meaningful Consent
For consent to be valid, individuals must be able to understand the nature, purpose, and consequences of the collection, use, or disclosure of their information. Consent cannot be made a condition of service beyond what is necessary to fulfil explicitly specified and legitimate purposes (Principle 4.3).
Appropriate Purposes
According to Section 5(3) and Principle 4.2, personal information may only be gathered, used, or disclosed for reasons that a reasonable person would deem appropriate under the circumstances. These purposes must be specified at the time of collection.
Limiting Collection
Collection is limited to what is necessary for the identified purposes. Information must be collected by fair and lawful means; indiscriminate collection is prohibited (Principle 4.4).
Individual Access
Individuals must be made aware of the existence, usage, and dissemination of their personal information and granted access to it upon request. They may contest its completeness and accuracy and request any necessary revisions (Principle 4.9).
Accountability
Organizations must appoint an accountable person for any personal information under their control. This obligation persists when data is sent to a third party for processing, and similar safeguards must be offered (Principle 4.1).
Openness
According to Principle 4.8, organizations are required to provide clear information about their privacy policies and procedures in an easily comprehensible style.

Penalties for PIPEDA Non-Compliance

Breach notification offences: up to CAD 100,000 per offence
Failing to report a qualifying breach, notify affected individuals, or keep required breach records is an offence punishable by a fine of up to $100,000.
Federal Court orders and damages: damages, with no fixed statutory cap
The Federal Court may order an organization to correct its practices and may award damages to the complainant, including damages for humiliation, but the Act does not set a fixed dollar cap for those damages.
OPC findings and compliance agreements: no direct fines
The OPC can investigate complaints, publish findings, and enter into compliance agreements, but these are not direct monetary penalties under the Act.

Frequently Asked Questions

Yes. It can apply to organizations outside Canada when their commercial activities have a real and substantial connection to Canada. If your clickwrap is presented to Canadian users, you should assess whether that connection exists.
Express consent requires an affirmative indication of agreement and is generally appropriate for sensitive information. Implied consent may be appropriate for less sensitive information where the purpose is reasonably obvious and consistent with the individual’s expectations.
Generally, no, not for meaningful consent. The OPC’s guidance emphasizes active, informed choice, especially for sensitive information; opt-out approaches may be acceptable only in limited cases involving less sensitive information.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.