ClearBreach

Applies to: PIPEDA, Alberta PIPA, BC PIPA. All sectors.

How to Write a Privacy Policy for a Canadian Business

By Yong Du

What a PIPEDA-compliant privacy policy must contain, how to write it in plain language, and where to post it — for Canadian private-sector organizations under PIPEDA, Alberta PIPA, and BC PIPA.

Why your privacy policy matters

A privacy policy is not a legal formality. It is the primary document through which individuals understand what your organization does with their personal information and what rights they have. Under PIPEDA Principle 8, your policy must be written in plain language, readily available, and accurate.

The OPC regularly finds in investigations that the organization's actual data practices do not match what the privacy policy says. That gap — between stated policy and actual practice — is itself a PIPEDA violation separate from whatever triggered the complaint. Writing a policy that accurately describes your practices is as important as having one at all.


What your privacy policy must cover

A PIPEDA-compliant privacy policy must address ten areas, corresponding to the ten fair information principles in Schedule 1. This section explains what each area requires and what to include.


Section 1 — Who is responsible for your privacy practices

Identify the individual or role responsible for privacy at your organization. Under PIPEDA Principle 1, every organization must designate a named individual as privacy officer. Your privacy policy must identify that person (or their role and contact information) as the point of contact for privacy questions and complaints.

What to include:

  • Name or title of the designated privacy officer
  • How to reach them (email address, mailing address, or phone)
  • Statement that they are accountable for the organization's PIPEDA compliance

Example language: "[Organization name] has designated a Privacy Officer responsible for our compliance with this policy and applicable privacy laws. Our Privacy Officer can be reached at [email] or by mail at [address]."


Section 2 — What personal information you collect

List the categories of personal information your organization collects. Be specific — "various information" is not adequate. If you collect different categories from different groups (customers, employees, website visitors), address each group separately.

Common categories for SMBs:

  • Contact information (name, address, phone, email)
  • Financial information (payment card details, bank account information, billing history)
  • Employment information (salary, SIN, banking details for direct deposit, performance records)
  • Health information (if applicable to your sector)
  • Identification information (date of birth, government-issued ID)
  • Usage and technical data (IP address, browser type, cookies — if you operate a website)

What not to include: Do not list categories you do not actually collect. Do not describe future plans as current practices.


Section 3 — Why you collect it (identifying purposes)

For each category of personal information, state the purpose for which it is collected. Under PIPEDA Principle 2, purposes must be identified at or before the time of collection. Your privacy policy is where those purposes are documented publicly.

Purposes must be specific enough that an individual can understand what their information will be used for. "To improve our services" is not a specific purpose. "To process your order and send you a receipt" is.

Example purposes:

  • To provide the services you have requested and process payment
  • To contact you about your account or our services
  • To comply with legal obligations (tax filing, employment standards)
  • To send marketing communications, if you have consented

If you use personal information for a new purpose that was not identified when it was collected, you must either obtain fresh consent for that purpose or confirm that the new purpose would be obvious to a reasonable person in the context of the original collection.


Section 4 — How you obtain consent

Describe how consent is obtained for the collection, use, and disclosure of personal information. Under PIPEDA Principle 3, consent must be meaningful: individuals must understand what they are consenting to and have a genuine choice.

What to cover:

  • Whether consent is express (opt-in) or implied (proceeding with a transaction) for each category
  • That sensitive personal information (health data, SINs, financial information) requires express consent
  • How individuals can withdraw consent and what happens when they do

Example language: "We obtain your consent before collecting personal information, except where the law permits collection without consent. For sensitive information such as your Social Insurance Number, we obtain your express written consent. You may withdraw consent at any time by contacting our Privacy Officer, subject to legal or contractual restrictions."


Section 5 — How personal information is used and disclosed

Describe what you do with personal information once you have it. Distinguish between internal use (by your organization) and disclosure to third parties.

Internal use: What do your staff do with the information? Who within your organization has access to what categories?

Disclosure to third parties: List the categories of third parties to whom you disclose personal information, and for what purpose. Common third parties for SMBs:

  • Payment processors (to process transactions)
  • Payroll providers (to administer employee compensation)
  • Cloud software vendors (whose platforms store your data)
  • Accounting and bookkeeping services
  • IT managed service providers
  • Government and regulators (as required by law)

You do not need to list every vendor by name, but you must describe the categories of third parties and the purposes of disclosure. If you sell or share personal information for marketing purposes, this must be explicitly disclosed.


Section 6 — How you protect personal information

Describe the safeguards you use to protect personal information against unauthorized access, loss, and disclosure. Under PIPEDA Principle 7, safeguards must be appropriate to the sensitivity of the information.

You do not need to disclose specific technical configurations (which would help attackers). Describe the category and nature of your safeguards:

Example language: "We protect personal information using physical, organizational, and technological safeguards appropriate to its sensitivity. These include restricted staff access, encrypted storage for sensitive records, password protection on devices that hold personal information, and contractual requirements on vendors who process personal information on our behalf."

Also describe what happens in the event of a breach — that you notify the applicable privacy commissioner and affected individuals if a breach poses a real risk of significant harm.


Section 7 — How long you keep personal information

Describe your retention practices. Refer to your retention schedule or summarize your retention periods by category. State that personal information is destroyed securely when it is no longer needed.

Example language: "We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law. Customer records are typically retained for [X] years after the end of the relationship. Employee records are retained for the period required under applicable employment standards and tax legislation. When personal information is no longer required, it is destroyed using secure methods."

For a more detailed treatment, link to a separate retention policy or your publicly available retention schedule.


Section 8 — How individuals can access their information

Explain how individuals can request access to their personal information and how you respond. Under PIPEDA Principle 9, individuals have the right to access their personal information and to request corrections.

What to include:

  • How to submit an access request (email, mail, or other written method)
  • Your response timeline (30 days under PIPEDA, 45 under Alberta PIPA)
  • That individuals may request corrections to inaccurate information
  • Any fee that may apply and how it is calculated

Example language: "You have the right to request access to the personal information we hold about you and to request corrections to any information that is inaccurate or incomplete. To make a request, contact our Privacy Officer in writing at [email]. We will respond within 30 days. We may charge a reasonable fee for providing access; if so, we will notify you of the estimated fee before proceeding."


Section 9 — How to make a privacy complaint

Explain how individuals can raise a concern about your privacy practices and what happens next. Under PIPEDA Principle 10 and equivalent provincial provisions, individuals must have access to a complaints process.

What to include:

  • How to submit a complaint to your organization (in writing to the privacy officer)
  • That the individual may also file a complaint with the applicable privacy commissioner if they are not satisfied with your response
  • The privacy commissioner contact for each applicable statute

Example language: "If you have a concern about our privacy practices, contact our Privacy Officer in writing. We will investigate and respond in writing. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca. If you are an Alberta resident, you may also contact the OIPC Alberta at oipc.ab.ca. If you are a BC resident, you may contact the OIPC BC at oipc.bc.ca."


Section 10 — How to contact you and how the policy is updated

Provide your complete contact information and state how individuals will be notified of changes to the policy.

What to include:

  • Organization name and mailing address
  • Privacy officer email and phone
  • Date the policy was last updated
  • How the organization will notify individuals of material changes (website posting, email notice, or other method)

Formatting and accessibility requirements

Plain language: Write for a reader who is not a lawyer. Use short sentences, active voice, and plain vocabulary. If a term requires definition (like "personal information" or "RROSH"), define it where it first appears. Do not bury key information in footnotes or dense paragraphs.

Length: A complete, compliant privacy policy for an SMB is typically 1,000–2,500 words. Shorter policies that omit required content are not compliant. Longer policies that repeat and over-explain are harder for individuals to use. Aim for completeness at a length a reader can work through in under 10 minutes.

Format: Use section headings so individuals can navigate directly to the information they need. A single unbroken block of text fails the "readily understandable" standard.


Where to post your privacy policy

Website: Your privacy policy must be accessible from every page of your website, typically by a link in the footer. It must also be linked at every point where personal information is collected (checkout page, contact form, job application form). A footer link alone is not enough; a link at each point of collection is also required.

Physical locations: If you collect personal information at a physical location (a retail counter, a clinic reception), your privacy policy must be available on request. Post a notice of its availability and ensure staff know where copies are.

On request: Any individual who asks for your privacy policy must be able to receive it. This includes individuals who do not use your website.


What to avoid

Copying a competitor's policy. Another organization's privacy policy describes their practices. If their practices differ from yours — even slightly — copying their policy creates a mismatch between your stated practices and your actual ones.

Using a GDPR template for a Canadian business. GDPR (European) and Canadian privacy law share principles but differ in requirements, terminology, and legal bases for processing. A GDPR-formatted policy may omit Canadian-specific requirements (PIPEDA Principles, OIPC contacts) or include European concepts (right to erasure, data portability) that have no equivalent in PIPEDA.

Describing practices you do not follow. If your policy says you do not share personal information with third parties but you use a cloud CRM, payroll provider, and IT support company, your policy is inaccurate. Accurate description of third-party sharing is more important than a clean-looking policy.

Using "we take your privacy seriously" as a substitute for substance. Statements of commitment without specific, accurate descriptions of practices do not satisfy PIPEDA Principle 8.


After you publish — keeping the policy current

Post the policy with an effective date. Set a calendar reminder to review it annually. When you review, check each section against your current actual practices — not what you intended to do when you wrote it, but what you actually do today.

Material changes — a new vendor that receives personal information, a new use of existing data, a change in your breach notification practices — require updating the policy before the change takes effect, not after.



This guide covers privacy policy requirements under PIPEDA, Alberta PIPA, and BC PIPA for private-sector organizations. Quebec's Act respecting the protection of personal information in the private sector (Law 25) imposes additional requirements — including a mandatory privacy policy for technological products — not covered here. Organizations in regulated sectors (financial services, health, telecom) may face additional policy requirements under sector-specific legislation.

Frequently asked questions

Is a privacy policy legally required for a Canadian business?

Yes. PIPEDA Principle 8 requires organizations to make their privacy policies and practices available in a form that is generally understandable. Alberta PIPA s.62 and BC PIPA s.75 impose similar transparency requirements. In practice, this means a written privacy policy that describes what personal information you collect, why, how it is used and protected, and how individuals can access their information. An organization that collects personal information in the course of commercial activity and has no written privacy policy is not in compliance with PIPEDA.

Do I need a lawyer to write a privacy policy?

Not necessarily, but a lawyer can catch gaps that a template misses, particularly for organizations in regulated sectors (health, financial services) or those processing sensitive personal information. This guide covers what must be in the policy. A lawyer reviews whether your stated practices actually reflect what you do and whether sector-specific obligations require additional content.

Can I use a generic template privacy policy?

A template can provide structure, but a template that does not accurately describe your organization's actual data practices is worse than no policy at all. A privacy policy that says you do not sell personal information when you do, or that understates your data sharing with vendors, creates a misleading impression and may itself be a privacy violation. Your privacy policy must describe what your organization actually does — not what a generic business does.

How often do I need to update my privacy policy?

Review your privacy policy annually at minimum. Also review it whenever you introduce a new service that collects personal information, onboard a new vendor that processes personal information on your behalf, change how you use existing personal information, or experience a material change in your data practices. A privacy policy that describes practices that no longer exist — or omits practices you have since introduced — is out of compliance.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.