As an entrepreneur, you must consider how privacy affects your business

Privacy Laws and your business

Privacy laws: can I be more boring??? Before your eyes glaze over and you skip back to your Facebook page, bear with me. Ignoring privacy laws in our connected world can have consequences for business owners. The topic came to mind recently at a seminar I attended on Facebook Marketing.

While some may turn their nose up at the idea, Facebook is at the forefront of advertising to people based on their specific circumstances. It has the added feature of being affordable to small businesses: you can advertise for as little as $2/day.

The ability to develop a target audience based on your current client email list is one of the most interesting features.  You simply upload your email list to Facebook and the company develops an audience with similar attributes.

This does not offend CASL, which states that unless you have consent, you cannot send commercial emails to your email list. (This is a big problem for businesses that built large email lists prior to CASL.) But you could potentially use those email addresses to develop a “look alike” audience in Facebook. You aren’t sending them emails. You are simply asking Facebook to develop an audience based on your current list’s attributes.

But how does that match up with your privacy policy and privacy laws?

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), all companies must comply with the 10 principles for the protection of personal information. The principles are outlined in detail in Schedule I of the law (the full text is found here).

For the sake of brevity they are:

  1. Accountability:  An organization is responsible for the information it collects.
  2. Identifying purpose:  The reason for collecting personal information must be specified.
  3. Consent: You need it.
  4. Limiting Collection:  You cannot collect more information than needed.
  5. Limiting Use: You cannot use the information for any other purpose than those identified.
  6. Accuracy: No need to explain….
  7. Safeguards: You must protect collected information.
  8. Openness: Privacy policies must be readily available to anyone.
  9. Individual Access: Individuals must have access to the information you collect about them.
  10. Challenging Compliance: You must have procedures in place to deal with challenges.

In our example above, in order to use your email list to create a “look alike” audience in Facebook, you must have the individual’s consent (principle no. 3) to use their email address in developing the new audience (principle no. 2). Finally, your privacy policy (principle no. 8) must also state that you may use the information collected for the purpose of marketing your products or services.


Obtaining consent is less rigorous under PIPEDA than under CASL. If the information collected is “sensitive”, then you must obtain express consent. However, you can rely on implied consent if the information collected is less sensitive.

While this may sound like you have more wiggle room to rely on implied consent, you should do so cautiously.  The Commissioner’s office states:

[A]lthough an email address may not at first blush be considered to be a sensitive piece of personal information, the existing or presumed social connections between people derived from the use of the e-mail address… could be considered sensitive in certain unique contexts

Practical considerations

Running a business is fraught with potential traps, obstacles, and challenges.  Trying to make sense of the myriad of federal and provincial laws that affect business owners and managers can make your head spin.

The best time to obtain consent seems to be when you record the personal information in question. If you do it online, you should have a checkbox that allows individuals the option to opt out. If you are collecting client information when they call, on delivery of service, or when they attend your place of business, you may wish to standardize the “on boarding” process with a pre-printed form outlining your policy and giving them an opportunity to opt out. At the same time, you could obtain their consent under CASL.

Disclaimer – Legalese

I appreciate the irony of this disclaimer, but while I am critical of the rules, I must still play by them, so here goes… This article is presented for informational purposes only. The content does not constitute legal advice or solicitation and does not create a solicitor-client relationship (this means that I am not your lawyer until we both agree that I am). If you are seeking advice on specific matters, please contact Philippe Richer at, or 204.925.1900. We cannot consider any unsolicited information sent to the author as solicitor-client privileged (this means confidential).
