Small Business and Consumer Privacy
By LawyerLinx,
August 24, 2015

For small business owners, customer information can be a helpful and necessary tool for growing their business. With that said, a comprehensive privacy policy is important for both the business and its customers to ensure the level of trust and confidence necessary for any successful organization.

The Law

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to take reasonable steps to safeguard the information of their customers and clients. The Act applies to Canadian private sector organizations of any size. Keep in mind that Canadian provinces have the right to enact privacy laws that are similar to PIPEDA. Further, certain business sectors may be governed by a sector-specific Act. Being aware of the privacy laws that apply to you and your small business is vital.

What does this mean for small to mid-sized businesses, and what obligations do you have as a small business owner under PIPEDA?

Every business is unique and requires its own set of safeguards to ensure the safety of its customers’ personal information. A few factors to consider when developing your safeguards are physical security, technical security, risk management, and human resources security. These elements should be clearly outlined in your organization’s privacy policy.

Privacy Policy

Every private sector organization is required to build a privacy policy that outlines how they collect, use and disclose their customers’ personal information. When creating your business’s privacy policy keep the following points in mind.

  • Your privacy policy should be clear and written in plain language. It should be easy to understand and free of confusing terminology.
  • Only collect information you need. If you don’t need it for your business, don’t collect it.
  • Disclose why you are collecting the information and what purpose it will be used for.
  • Let your customers know you are collecting their information and allow them the opportunity to consent. The law requires that you have either implied or express consent to the collection of personal information.
  • Are you planning to share the information with a third party such as a partner or affiliate? If so, you must disclose this generally in the policy.
  • Include how long the information will be kept and outline how your business will safeguard customers’ information.

A privacy policy is only as effective as the employees implementing it. It is important to educate your employees about your business’s privacy practices. Your employees should understand their role in implementing policies and be able to communicate them. Finally, provide contact information where customers can reach you with inquiries or complaints. Dealing with these immediately and efficiently will help retain your customer base and may avoid further complications down the road.

PIPEDA defines “personal information” as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Therefore, unless your business is federally regulated, the provisions guiding employee privacy do not necessarily apply the same way they would to customers’ personal information. However, private sector organizations covered by PIPEDA may wish to consider extending the same protections to their employee information as they do for their customers. The principles of the Act are widely accepted in Canada and make for smart business practice.

Know your Industry

How do you know if you have done enough? The reasonableness of a policy is evaluated based on a number of aspects. Is the nature of the information you are collecting highly sensitive? What are the foreseeable risks if the information were disclosed? What is the cost of securing the information? These are important questions to ask yourself and your lawyer when developing a privacy policy. Looking to generally accepted practices in your specific industry is a good place to start when assessing the reasonableness of your privacy policy.

Being informed about and in compliance with relevant privacy law is an essential component of running a thriving business in Canada. Establishing a set of complete privacy procedures can help protect your business from future privacy disputes as well as develop the customer trust and confidence needed to build lasting consumer relationships.

This article should not be relied upon as legal advice - the comments may not be applicable to you and may not be up to date. If you have any questions, you should contact a lawyer.