PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is a federal privacy law that applies to private sector organizations in Canada that collect, use or disclose personal information for commercial activity. PIPEDA regulates how businesses collect, use and disclose personal information from their customers for use in a commercial activity. But […]
What does this all mean for you?
Let’s begin by defining personal data. Personal data is any information that enables a person to be identified. Examples of personal data are name, address, email address, mobile number and driver's license.
Collecting and Using Personal Data
Your privacy statement needs to outline how you collect personal data from your users. You may do this in a variety of ways. For example, if you produce a weekly newsletter and you ask users to subscribe, you will collect their data through this process. Other examples of how you may collect personal data are if you are selling products and services, if you run a social media page or when customers interact with you by email, phone or in person.
Sharing Personal Data
Do you share any of your users' personal data with a third party? This could include advertising services, social media, analytics services such as Google Analytics, web hosting companies or cloud storage.
A common security measure is HTTPS (Hypertext Transfer Protocol Secure), which is an internet communication protocol that encrypts data between your customers' computers and your website.
You should also include a paragraph to let your users know how long you retain their personal data for.
The three main international laws you need to comply with are GDPR, CalOPPA and CPPA.
The GDPR or General Data Protection Regulation is a set of regulations designed to protect the rights and personal data of residents and citizens of the EU. It came into effect on the 25th May 2018.
There are seven key principles that outline how personal data is to be protected. These are:
- Lawfulness, fairness and transparency: processing personal data must be done in a lawful, fair and transparent way.
- Purpose limitation: personal data is only to be collected for explicit and legitimate purposes.
- Data minimisation: personal data must be relevant and limited to the purpose it is being processed for.
- Accuracy: personal data needs to be as accurate and relevant as possible.
- Storage limitation: personal data should be stored for the least amount of time possible.
- Integrity and confidentiality (security): personal data needs to be processed in a way that safeguards it.
- Accountability: you need to be able to demonstrate accountability for the previous six points.
There are also rights of the individual that need to be explained to your users and included in your policy and these are:
- The right to be informed: provide your users with the information about how you use, secure and share their personal data.
- The right of access: your users must be able to access their personal data if they wish.
- The right to rectification: your users have the right to have any incorrect data corrected as soon as possible.
- The right to erase: this may also be known as the right to be forgotten. Users have the right to have their data erased under certain circumstances.
- The right to restrict processing: the individual has the right to have their personal data restricted under certain circumstances.
- The right to data portability: an individual has the right to obtain, use and move their personal data to another environment for reuse.
- The right to object: in certain circumstances the individual has the right to object to their personal data processing.
- Rights to automated decision making and profiling: there must be a lawful basis to use an individual's personal data to carry out profiling or automated decision making.
Under the California Civil Code, residents of California are permitted to request information about the disclosure of their personal information to third parties for direct marketing purposes. Users of your site who are under the age of 18 years have the right to have content or information they have posted publicly removed.
The Children’s Online Privacy Protection Act is a US privacy law which protects the rights of children under the age of 13. To be compliant with this law your website needs to make it evident whether it collects any personal information from children under 13 years of age.