Privacy Policy Lawyer

A Privacy Policy is a legal document that describes a company's practices and procedures for collecting, processing, storing and transferring individuals' personal data. It explains what personal information is being collected, how the data is stored, how the company will use the collected data, and who can access those records. A Privacy Policy also describes the security measures the company employs to safeguard confidential personal data, and what rights individuals have with respect to their personal data.

A privacy policy lawyer can prepare a robust Privacy Policy for your organization that is in compliance with all applicable domestic and international privacy laws, including the General Data Protection Regulation in the European Union.  

What is the difference between a Privacy Policy and a Terms of Service?

It is important to note that a Privacy Policy is different from Terms of Service. A Terms of Service (TOS) agreement is a contract between a company and its customers that sets out the terms, conditions and requirements for both parties in using the company’s products or services. It typically sets out restrictions on the use of the company’s website or app, limitations on liability and a dispute resolution process. A TOS is intended to protect the company’s interests, whereas a Privacy Policy is typically required by privacy laws in order to protect clients’ data privacy rights.

Need more help? Call us today at (647) 724-5179 or contact us online to schedule a meeting with us.

Canada’s Privacy and Anti-Spam Laws

In Canada, privacy is governed by a collection of privacy laws from the public sector, private sector, and health sector, as well as by Canada’s Anti-Spam Legislation (CASL). The laws vary depending on the sector and may be in place at both the federal and provincial level, and may also take into account common law principles.


The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law that applies to private-sector organizations in Canada that collect, use, or disclose personal information as part of their commercial activities. This includes:

Alberta, British Columbia, and Quebec have provincial private sector privacy laws that are considered substantially similar to PIPEDA. As a result, organizations subject to these equivalent provincial privacy laws are usually exempt from PIPEDA regarding the handling of personal information within the relevant province. 

Federal organizations, including banks, airlines, telecommunications companies, inter-provincial or international transportation companies and radio and television broadcasters, are always subject to PIPEDA. The legislation also applies to their employees’ personal information. 

Any business that operates in Canada and deals with personal information as part of their commercial activities, regardless of their location within the country, including provinces with equivalent laws, must comply with PIPEDA if the information being handled crosses provincial or national borders.

Personal Information under PIPEDA

Under PIPEDA, personal information includes any information about an identifiable individual, including the following:

  • Age, name, ID numbers, income, ethnic origin, blood type;
  • Opinions, evaluations, comments, social status, disciplinary actions; and
  • Employee files, credit records, loan records, medical records.

Personal information under PIPEDA does not include business contact information, such as an employee's name, title, work address, phone number, or email, when it is used for the sole purpose of communicating with them in regard to their job or profession. PIPEDA also does not apply to an organization's collection, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes.

Primary Responsibilities under PIPEDA

To comply with PIPEDA, organizations must fulfill several requirements. Organizations that are subject to PIPEDA are typically expected to obtain an individual’s consent before collecting, using, or disclosing their personal information. Individuals have the right to access their personal information that is held by an organization and have the ability to dispute its accuracy.

The use of personal information must be limited to the purposes for which it was collected. If an organization wishes to use the information for another purpose, it must secure additional consent. The personal information must also be protected with appropriate security measures.

Individuals should be able to challenge the organization’s compliance with PIPEDA principles and bring their challenge to the appropriate agency, such as the Privacy Commissioner of Canada. 

For a comprehensive understanding of the steps your organization needs to take to comply with PIPEDA, it is advisable to seek the guidance of a Privacy Lawyer.

PIPEDA Fair Information Principles 

The ten principles of PIPEDA, also known as the fair information principles, that organizations must follow when designing a Privacy Policy in Canada are:

  1. Accountability: Organizations must designate a person responsible for complying with PIPEDA and protecting personal information, even if it has been transferred to a third party.
  2. Identifying Purposes: Organizations must inform individuals of the purpose for collecting their personal information before or at the time of collection.
  3. Consent: Organizations must obtain meaningful consent for the collection, use, and disclosure of personal information and individuals must be able to withdraw consent.
  4. Limiting Collection: Organizations must collect personal information only for the purpose they have identified and only through lawful means.
  5. Limiting Use, Disclosure, and Retention: Organizations may only use or disclose personal information for the identified purpose and must keep it only as long as necessary.
  6. Accuracy: Personal information must be accurate and complete when disclosed to third parties.
  7. Safeguards: Personal information must be protected appropriately based on its sensitivity.
  8. Openness: Organizations must have clear and understandable privacy practices, free of complex legal terms.
  9. Individual Access: Individuals have the right to access their personal information and challenge its accuracy.
  10. Challenging Compliance: Individuals may challenge the organization’s compliance with PIPEDA and address their challenge to the designated person responsible for compliance. 

It is advisable to consult a privacy policy lawyer to make sure your privacy policies abide by PIPEDA and any other applicable national and international laws.

Basic Privacy Policy Requirements 

At a minimum, a privacy policy should address the following:

  • A clear explanation of the personal information that will be collected (such as name, address, credit records, ID numbers, etc.).
  • Information on the method of storage and processing of personal information.
  • Explanation of the intended use of personal information.
  • The legal basis for collecting personal information.
  • The purpose of the organization in collecting and using personal information.
  • Details on any third parties who may have access to personal information, and for what purpose.
  • The retention period for personal information.
  • The individual’s right to access their personal information and the ability to correct any inaccuracies.
  • A designated contact person to address privacy concerns.

Contact a Privacy Policy Lawyer

For more information about privacy policies, and the privacy laws that may be applicable to your organization, contact our privacy policy lawyers today. Schedule a consultation online or call us at (647) 724-5179.