If your business handles any personal information (including anyone’s name or email address), you should be thinking about your privacy responsibilities now.
Privacy laws in Canada are not all the same: some apply to all organizations that engage in commercial activities (including charities and not-for-profits when, for example, they sell, barter or lease membership lists), others apply without any commercial requirement, and some are limited to just one type of personal information (such as personal health information).
In this blog, we focus on how privacy laws apply to businesses, and specifically, to businesses that collect, use or disclose personal information in the course of a commercial activity.
It does not matter what size your business is. What matters instead is: whether or not you handle personal information, and if you do, whether you are handling it in accordance with privacy laws.
1) Back to Basics: Why do we have privacy laws?
Privacy laws give Canadians the rights to:
- know why your business is collecting their personal information;
- see (or access) the personal information you have of theirs; and
- in most cases, require your business to stop using their personal information. That means they can withdraw their consent for your business to use it, and you may have to remove it from your records as well.
We say privacy “laws” because there are different ones to help protect individuals in different ways. The most well-known one is Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act). Some provinces have their own private sector privacy laws while some are industry-specific (e.g., health information).
2) What is personal information anyway?
Personal information is basically any information which relates to a person and that could identify that person. Some examples of personal information could be:
- Employees: their names, email addresses, home addresses, social insurance numbers, how many children they have, if they are married, their ages, etc.
- Customers or potential customers: their names, email addresses, cell phone numbers, their ages, etc.
- If you are in the medical or health field: a person’s health information of any kind.
3) I am just starting out with my business. Is it too early for me to worry about privacy laws?
It is not too early! Firstly, if your business breaches privacy law, the age, size or revenue of your business will not necessarily be a valid defense in the eyes of the law. Secondly, the earlier you start, the better you can do “privacy by design.”
4) Isn’t privacy an issue for bigger businesses than mine?
Not necessarily – whether your business is a store with 1 employee or you own a large multinational business with thousands of employees, you are required to comply with privacy laws if your business handles personal information – even if your business makes zero revenue!
5) If my business does not “handle personal information”, do privacy laws still apply to me?
They may not apply to you now but it should still be something to keep in mind as you plan future business lines, products or offerings.
For example, you may be a cash-only business now, but you may be planning to offer a credit card payment option soon. Or you might be considering offering customers a free service on their birthdays to show customer appreciation. Or, once you figure out how to comply with Canada’s Anti-Spam Legislation (“CASL”), you may plan to create a mailing list of potential customers and email them your monthly updates.
If your business does not currently handle personal information at all, you do not need to worry about privacy issues now. However, if your business plans to sell a product or service that will collect, share, use and/or store personal information, privacy is certainly a concern and should be taken seriously. The best time to do so is in the planning stages.
6) How do I know if my business handles personal information?
Privacy laws regulate how businesses of all sizes collect, use, disclose, protect, store or otherwise handle personal information.
How do you know if your business handles personal information? In addition to the examples in 5) above, here are 3 examples:
Selling B2C: if your business sells goods or services to individuals.
If you sell fashion or beauty products to customers from your website, home or a storefront, you could be handling personal information each time you obtain a customer’s email address, address, credit card number or name. You probably cannot do your business without some of this personal information, so it’s ok to collect it. But you need to have appropriate controls and protections in place in order to:
- obtain proper consent from the individual whose personal information it is, and (before or at the time of collection) tell them what you will do with it (e.g. “Would you like to give us your birthdate for our records? Then we can call each year to remind you to book your next annual eye appointment”);
- respect an individual’s withdrawal of consent to your business having it and ensure that the individual is informed of the implications of the withdrawal;
- (if the customer asks) show the customer what personal information you have of theirs; and
- destroy, erase or anonymize personal information from your business databases and records that your business no longer needs.
Selling B2B: if your business sells goods or services to other businesses.
Maybe your company manufactures specialty foods and only ships to large box stores. In this example, your business likely does not collect (i.e., handle) the personal information of its customers, since its customers are not natural persons. However, your business would still need to protect your employees’ personal information, as well as any personal information other businesses share with your business (such as their employees’ or their customers’ personal information).
Selling B2B: Selling mailing lists.
Your company is a marketing company, and one service that you offer is to sell mailing lists. In this case, you have a lot of personal information.
Each business is unique.
You must do an assessment of your own business and business practices to see whether or not you handle personal information. If you determine that you do, you need to assess what kinds of controls you need to implement to protect that personal information.
This is part 1 of a 2 part-blog post on Privacy Law for small businesses. Part two will be posted on June 8, 2021.
Amee Sandhu has been a business lawyer in Ontario for 20 years. She created Lex Integra Professional Corporation in 2019 and focuses exclusively on business law and corporate ethics.
The purpose and contents of this blog is to provide information only, and it does not constitute legal advice. Reading this blog does not create a solicitor-client relationship between the reader and Amee Sandhu, Lex Integra, or any of the guest lawyers who co-write these blogs.
It is recommended to engage (hire) a lawyer if you require or are interested in legal advice.