CanucktAI
PIPEDA · May 15, 2026 · 8 min read

Your Privacy Policy Does Not Make You PIPEDA Compliant. Here's What Does.

A privacy policy is PIPEDA's openness principle — one of ten. Canadian businesses that stop there are 90% non-compliant and don't know it.

By Canuckt AI Team

The Most Common Compliance Mistake in Canadian Business

Ask a Canadian small business owner if they're PIPEDA compliant and the most common answer is: "Yes, we have a privacy policy on our website."

That answer is wrong in a specific and consequential way. Having a privacy policy satisfies one of PIPEDA's ten fair information principles — the openness principle, which requires organizations to make information about their privacy practices available to the public. It's the minimum visible requirement, which is probably why it gets confused for the whole thing.

The other nine principles don't show up on your website. They live in your operations, your contracts, your data handling practices, your staff training, your breach response capabilities, and your internal access controls. A privacy policy that says all the right things while none of those practices exist is a document describing a compliance program that doesn't exist.

The OPC has found against organizations with privacy policies. The policy wasn't the problem — the gap between the policy and reality was.

What a Privacy Policy Actually Is

Under PIPEDA's openness principle, organizations must make the following information available on request: the name of the designated privacy officer, the means by which complaints can be filed, the type of personal information held, and a general account of how it's used. Most privacy policies satisfy this — if they're accurate and current.

The accuracy problem is significant. Privacy policies are typically written once, often by a lawyer or from a template, and then posted and forgotten. The business adopts new tools, starts sharing data with new vendors, changes its marketing practices, adds new product lines — and the privacy policy describes a business that existed three years ago.

An inaccurate privacy policy doesn't just fail the openness principle. It creates a gap between stated and actual practices that becomes damaging evidence in an OPC investigation when a complaint is filed.

The Nine Things Beyond Your Privacy Policy

Accountability in practice. Someone specific is responsible for PIPEDA compliance — and that person actively does something about it. Not a title in an org chart. Actual work: reviewing data handling practices, managing vendor contracts, responding to access requests, training staff. If your designated privacy officer has never done any of these things, you have a title, not an accountability structure.

Consent mechanisms that work. How do you actually obtain consent when you collect personal information? The mechanism — the form, the checkbox, the verbal disclosure, the terms of service click — must be meaningful. Pre-checked boxes, bundled consent for multiple purposes, consent buried in paragraph 12 of a 4,000-word agreement: none of these satisfy PIPEDA's consent requirements for information collected with meaningful expectation of privacy.

A data inventory. You can't limit collection, use, and retention of personal information you don't know you have. A data inventory maps what personal information your organization holds, where it came from, what it's used for, where it's stored, who can access it, and when it gets deleted. Most organizations that have never done this discover personal information in places they didn't expect.

Third-party contracts. Every service provider that handles personal information on your behalf must be bound by contractual obligations to protect it. Your CRM, your payroll provider, your cloud backup service, your email marketing platform — all of them receive personal information that originated with you. PIPEDA holds you responsible for that information regardless of where it is.

A breach response plan. PIPEDA's breach notification regulations require organizations to report breaches creating a real risk of significant harm to the Privacy Commissioner and to notify affected individuals. The report to the OPC must be made as soon as feasible. An organization without a documented plan for identifying, assessing, and reporting a breach is not compliant — and discovers this at the worst possible moment.

Access request procedures. Individuals have the right to access their personal information. Requests must be responded to within 30 days. The response must be substantive. If someone emailed your company right now asking for all the personal information you hold about them, does your organization know what to do? Who handles it? Where is the information to retrieve? How long does it take?

Retention and deletion schedules. Personal information should be kept only as long as necessary for the purpose for which it was collected. "We keep everything forever" is not a retention policy — it's a growing liability. A documented retention schedule specifying how long different categories of personal information are kept, and a mechanism for actually deleting it, is what compliance looks like.

Staff training with records. Employees handle personal information. They need to know what PIPEDA requires of them specifically — not a one-time orientation mention that "we take privacy seriously." Written training, documented completion, and regular updates when practices change are what the OPC looks for when assessing whether a safeguards failure reflects an organizational breakdown.

Accurate documentation of actual practices. The gap between documented privacy practices and actual operations is where most PIPEDA enforcement risk lives. Compliance documentation that describes what your organization does, not what it aspired to do when the policy was written, is the foundation of a defensible position.

The Honest Assessment

A useful self-test: if the OPC received a complaint about your organization tomorrow and requested documentation of your privacy program, what would you send?

If the answer is "our privacy policy and maybe some emails," you have a document, not a program. The program lives in the nine areas above — and building it, even imperfectly, is what moves an organization from the category of "we have a policy" to the category of "we have a program."

The businesses that take that step before a complaint is filed are the ones that handle complaints without crisis. The ones that discover the gap during an investigation are the ones that spend the next six months in remediation.
