Skip to content

Data Privacy Legislation and Payments in Canada

Data Privacy Trends in Canada

2022 promises to be a packed year for data privacy legislation in Canada. In the year up to March 2021, the federal privacy commissioner had received 782 breach reports, affecting around nine million Canadian accounts. Meanwhile, the Canadian Center for Cyber Security reported 235 incidents of ransomware attacks against businesses.

Sensitive consumer data is more exposed than ever as people are more reliant on digital services due to the impact of COVID-19. According to one study, 50% of Canadians report making online purchases for items that they would typically have bought in-store.

Privacy Concerns around Digital Payments

Electronic and digital payment methods generally involve transmitting personal information electronically to other organizations, such as financial institutions and payment processing companies. While most organizations go to great lengths to ensure the security of these types of digital transactions, errors or breaches in security can occur.

Typically, electronic and digital payments involve a more complex exchange of purchase and other personal information from consumers to the retail business. For example, purchases can be associated with other information, such as consumer purchasing habits and location, thus increasing privacy concerns.

Personal information in electronic and digital payments should only be shared, traded or sold, in accordance with applicable privacy legislation.

Applicable Data Privacy Legislation in Canada

The Personal Information Protection and Electronic Documents Act, or PIPEDA, sets out ground rules for the management of personal information in the private sector.

PIPEDA applies across Canada to organizations that collect, use, or disclose personal information in the course of commercial activities unless provincial privacy legislation deemed substantially similar to PIPEDA applies. Quebec, Alberta and British Columbia each have substantially similar legislation privacy covering the private sector.

In all provinces, including provinces with substantially similar laws, PIPEDA continues to apply to companies engaged in interprovincial or international transactions and to all federally regulated organizations (such as banking and telecommunications).

In addition to privacy legislation, there are other rules and standards in place to promote the protection of your information when performing payments. This includes PCI DSS v4.0, a set of standards set by the payment card industry (Payment Card Industry Data Security Standard).

Download our infographic on the state of legislation around data privacy and payments in Canada to learn more.

Download Infographic