Data Privacy Law for Ontario Businesses
Ontario businesses that collect personal information from customers, employees, or website visitors must comply with federal PIPEDA (for commercial activities) and Ontario's PHIPA (for health information), while preparing for the forthcoming Consumer Privacy Protection Act. Key obligations include obtaining meaningful consent, protecting data, notifying affected individuals of breaches, and maintaining transparent privacy policies.
Contents+
Key Takeaways
- PIPEDA applies to all Ontario businesses that collect, use, or disclose personal information in the course of commercial activities — there is no minimum size threshold.
- The mandatory breach notification requirements under PIPEDA require reporting to the Privacy Commissioner of Canada and notifying affected individuals when a breach creates a real risk of significant harm.
- Ontario has no provincial private sector privacy statute (unlike BC and Alberta), so PIPEDA fills the gap. Health information is separately governed by PHIPA.
- The proposed Consumer Privacy Protection Act (CPPA) will raise the stakes significantly: penalties up to $25 million or 5% of global revenue, stronger individual rights, and mandatory privacy impact assessments.
- Employee personal information is generally not covered by PIPEDA for provincially regulated Ontario employers — common law and employment standards govern — but best practice is to apply PIPEDA-consistent standards regardless.
The Privacy Law Framework in Ontario
Privacy law in Ontario for businesses involves multiple overlapping statutes depending on the type of information and the nature of the organization:
Federal — PIPEDA: The Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA), is Canada's primary private sector privacy law. It applies to the collection, use, and disclosure of personal information in the course of 'commercial activities' by organizations subject to federal jurisdiction, as well as interprovincial and international transfers of personal information.
Federal — CPPA (proposed): The Consumer Privacy Protection Act (CPPA), proposed in Bill C-27, would replace PIPEDA with stronger, more modern privacy protections. The CPPA includes enhanced consent requirements, new rights (including a right to data portability and explanation of automated decisions), higher penalties (up to 5% of global revenue or $25 million), and a private right of action. Ontario businesses should monitor Bill C-27's progress and begin preparing for the transition.
Ontario — PHIPA: The Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (PHIPA), governs the collection, use, and disclosure of personal health information (PHI) in Ontario. It applies to 'health information custodians' — doctors, hospitals, pharmacists, labs, and certain other health-related organizations. Software and technology companies that handle PHI on behalf of health information custodians are also subject to PHIPA.
Ontario has no general private sector privacy statute: Unlike British Columbia (PIPA) and Alberta (PIPA), Ontario has not enacted its own general private sector privacy statute. PIPEDA fills this gap for commercial activities in Ontario.
Public sector — FIPPA: The Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31 (FIPPA), governs provincial government institutions. Ontario's Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) applies to municipalities. These are not addressed in this entry, which focuses on private sector businesses.
PIPEDA: Key Obligations for Ontario Businesses
PIPEDA is built around 10 fair information principles (from Schedule 1). The most operationally important for Ontario businesses are:
1. Accountability (Principle 1): Organizations are responsible for personal information under their control. Designate a Privacy Officer (even informally for small businesses) to oversee PIPEDA compliance, handle access requests, and investigate complaints.
2. Identifying purposes (Principle 2): Before collecting personal information, identify and document why you are collecting it. You cannot collect information for undefined or open-ended purposes.
3. Consent (Principle 3): Obtain meaningful consent for the collection, use, or disclosure of personal information. Express consent (explicit opt-in) is required for sensitive information. Implied consent may be acceptable for less sensitive information where the purpose is reasonably obvious.
Critical exception: PIPEDA allows collection without consent in limited circumstances, including where it is reasonable for purposes related to investigating a breach of an agreement or law enforcement — but this is not a broad carve-out.
4. Limiting collection (Principle 4): Collect only the information necessary for the identified purpose — the 'data minimization' principle. Do not collect personal information speculatively.
5. Limiting use, disclosure, and retention (Principle 5): Use personal information only for the purpose for which it was collected, unless you obtain fresh consent. Do not retain personal information longer than necessary for the identified purpose — implement a data retention and deletion policy.
6. Accuracy (Principle 6): Personal information must be as accurate, complete, and up to date as necessary for the purposes for which it is to be used.
7. Safeguards (Principle 7): Protect personal information with security safeguards appropriate to its sensitivity. The safeguards must protect against loss, theft, unauthorized access, disclosure, copying, use, or modification. This requires a combination of physical security, organizational policies, and technical measures (encryption, access controls, vulnerability management).
8. Openness (Principle 8): Make your privacy practices available to individuals. A transparent, accurate Privacy Policy is required.
9. Individual access (Principle 9): Individuals have the right to access their personal information held by your organization and to correct inaccuracies. You must respond to access requests within 30 days (with limited extensions).
10. Challenging compliance (Principle 10): Individuals may challenge your compliance with PIPEDA and you must respond. Under PIPEDA, complaints can be filed with the Privacy Commissioner of Canada, who can investigate and (in serious cases) seek Federal Court orders.
Privacy Policies for Ontario Businesses
A Privacy Policy is the primary public-facing mechanism for complying with PIPEDA's openness principle. For Ontario businesses, a compliant Privacy Policy should:
Identify the organization: Full legal name, contact information for the Privacy Officer, and a mailing address.
Describe the information collected: List the categories of personal information collected (name, email, payment information, usage data, device information, etc.) and how it is collected (directly from users, automatically via cookies, from third parties).
State the purposes: Explain clearly why each category of information is collected and used — do not use vague language like 'to improve our services' without specifics.
Describe disclosure to third parties: If you share personal information with service providers (cloud hosting, email platforms, analytics), advertising networks, or business partners, disclose this and identify any cross-border transfers.
Explain consent: Describe how consent is obtained and how individuals can withdraw consent.
Describe safeguards: State at a high level the security measures used to protect personal information.
Data retention: State how long personal information is kept and how it is destroyed.
Individual rights: Explain how individuals can access, correct, or request deletion of their personal information, and how to contact the Privacy Officer.
Cookie policy: If your website uses cookies (tracking, analytics, advertising), include a cookie policy or section explaining what cookies are used, why, and how users can opt out.
Practical note: Privacy Policies must accurately reflect actual practices. A policy that describes sound privacy practices but is not implemented is evidence of PIPEDA non-compliance, not a shield against it.
Data Breach Notification
PIPEDA's mandatory breach notification obligations have been in force since November 1, 2018, under the Security Breach of Personal Information Regulations (SOR/2018-64).
Reporting to the Privacy Commissioner: Organizations must report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information if it is reasonable in the circumstances to believe that the breach creates a 'real risk of significant harm' to individuals. Significant harm includes bodily harm, humiliation, financial loss, identity theft, damage to reputation, and loss of employment.
Notifying affected individuals: Organizations must also notify affected individuals of breaches that create a real risk of significant harm — directly and as soon as feasible. The notification must be conspicuous and must contain sufficient information to allow the individual to take steps to mitigate harm.
Record-keeping: Organizations must keep records of ALL breaches involving personal information (not just those meeting the real risk threshold) for 24 months. The Privacy Commissioner can request access to these records.
Penalties for breach notification failures: Knowingly failing to report a breach, notify affected individuals, or maintain records can result in fines of up to $100,000 per violation.
Incident response planning: Ontario businesses should have a written data breach incident response plan that identifies: who within the organization is responsible for breach response, the steps to contain and assess a breach, the process for notifying the Privacy Commissioner and affected individuals, and how communications will be managed.
PHIPA breach notification: Under PHIPA, health information custodians must notify affected individuals, and in some cases report to the Information and Privacy Commissioner of Ontario, when a 'privacy breach' involving personal health information occurs.
Employee Privacy vs. Customer Privacy
Ontario businesses must distinguish between their privacy obligations with respect to employee data and customer data.
Customer data — PIPEDA: PIPEDA applies to customer personal information collected in the course of commercial activities. The full regime (consent, purpose limitation, safeguards, access rights, breach notification) applies.
Employee data — PIPEDA's limited application to employees: PIPEDA's application to employee information varies: - For provincially regulated employers in Ontario (the vast majority), PIPEDA does NOT apply to employee information collected in the context of the employment relationship. Employee privacy in Ontario's private sector is governed by common law and the Employment Standards Act, 2000, with no comprehensive statute. - For federally regulated employers (banks, airlines, telecommunications companies, interprovincial transportation), PIPEDA applies to employee personal information.
Employee monitoring: Ontario employers have significant latitude to monitor employees (email, computer use, GPS, video surveillance) but must be able to justify monitoring as reasonable and necessary for legitimate business purposes. The common law recognizes a limited reasonable expectation of privacy in the workplace. The proposed Working for Workers Act amendments and ongoing legislative developments may impose new employee monitoring disclosure obligations.
Practical guidance for Ontario employers: Even where PIPEDA does not strictly apply to employee data, best practice is to implement PIPEDA-consistent practices for employee personal information: collect only what is necessary, use it only for employment purposes, secure it appropriately, and inform employees of monitoring practices.
Privacy Impact Assessments and Privacy by Design
Privacy Impact Assessments (PIAs): A PIA is a structured process for assessing the privacy risks of a new initiative, system, or process involving personal information. While not legally mandatory for most Ontario private sector businesses under PIPEDA, PIAs are increasingly considered a best practice and may be required under PHIPA for certain health information initiatives.
A PIA for a new business process or technology typically involves: 1. Mapping the personal information flows (what is collected, where it goes, who has access) 2. Assessing whether collection is authorized and proportionate 3. Identifying privacy risks and designing mitigations 4. Documenting the analysis for accountability purposes
Privacy by Design (PbD): Privacy by Design is the principle of building privacy protections into systems and processes from the outset, rather than adding them as an afterthought. PbD principles include: proactive not reactive, privacy as the default setting, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy.
The CPPA, when enacted, will explicitly require that organizations implement privacy by design principles and conduct privacy impact assessments for systems involving sensitive personal information or automated decision-making.
The Bottom Line
Ontario businesses that handle personal information — virtually every business with a website, customer database, or employee roster — have binding privacy law obligations. PIPEDA is the current framework; the forthcoming CPPA will strengthen it significantly with higher penalties and new individual rights.
The key compliance steps for most Ontario businesses are: draft an accurate Privacy Policy, implement meaningful consent mechanisms, establish a data retention and deletion schedule, implement appropriate security safeguards, create a data breach response plan, and designate someone responsible for privacy compliance. Businesses in the health sector also need PHIPA compliance.
Frequently Asked Questions
Does PIPEDA apply to my small Ontario business?+
Yes, if your business collects, uses, or discloses personal information in the course of commercial activities, PIPEDA applies regardless of size. There is no small business exemption. However, the Office of the Privacy Commissioner of Canada (OPC) takes a risk-proportionate approach to enforcement, and smaller businesses generally face lower risk of formal investigation for routine practices.
What must I include in my Privacy Policy in Ontario?+
A PIPEDA-compliant Privacy Policy must identify the organization, describe the personal information collected and the purposes, explain how consent is obtained, describe third-party disclosures (including cross-border transfers), describe security safeguards, explain data retention practices, and explain how individuals can access and correct their data or file complaints.
When must I notify customers of a data breach?+
Under PIPEDA (as amended), you must notify affected individuals and report to the Privacy Commissioner of Canada as soon as feasible when a breach creates a 'real risk of significant harm' to individuals. Significant harm includes financial loss, identity theft, reputational damage, and bodily harm. You must also maintain records of all breaches for 24 months.
Can I monitor my employees' emails and computer use in Ontario?+
Yes, with limitations. Ontario employers can monitor employee communications and computer use for legitimate business purposes, but monitoring must be proportionate and employees should be informed. Best practice is to have a clear, written Acceptable Use Policy that employees acknowledge. Covert monitoring without legitimate justification risks common law privacy claims.
What is the difference between PIPEDA and PHIPA?+
PIPEDA is Canada's general private sector privacy law covering commercial activities. PHIPA is Ontario's health information privacy law, which governs the collection, use, and disclosure of personal health information by health information custodians (doctors, hospitals, pharmacies, etc.) and their agents. A health-related business may need to comply with both.
Lamba Law
Need help with data privacy law for ontario businesses?
Our team offers free initial consultations. Speak with a lawyer about your specific situation — no obligation.