Privacy by Design for Small Business

A practical guide for Canadian small businesses to comply with PIPEDA, provincial private-sector laws, and CASL.

TL;DR

Build privacy into your business from day one: identify a privacy officer, publish a clear policy, minimize collection, obtain consent, secure data, and prepare for breaches. This is especially important if you collect health, financial, or biometric data or operate in BC, Alberta, or Quebec.

Key obligations

Every Canadian business should:

Designate a privacy officer (the person accountable for compliance).
Publish a clear privacy policy describing what you collect, why, with whom you share it.
Obtain meaningful consent, especially for sensitive or unexpected uses.
Limit collection to what is necessary for stated purposes.
Implement reasonable security safeguards, including encryption at rest and in transit.
Have a breach response plan with 24/7 contacts and templates.

Province-specific extras

If you operate in:

BC: BC PIPA applies. Follow OIPC BC guidance on employee information.
Alberta: Alberta PIPA applies. Breach notification is mandatory and Alberta was the first province to require it.
Quebec: Law 25 applies. Conduct a PIA for every new system. Register biometric systems with the CAI.

CASL basics

If you send commercial electronic messages, you must:

Obtain express or implied consent.
Include sender identification and contact information.
Provide a working unsubscribe mechanism for 60 days.
Process unsubscribe requests within 10 business days.

Resources

The OPC publishes a free Privacy Toolkit for Business. Provincial commissioners publish industry-specific guidance.

Sources & References

Personal Information Protection and Electronic Documents Act (PIPEDA)—Federal private-sector privacy law governing the collection, use, and disclosure of personal information.Justice Laws Website
Quebec Law 25 (Act respecting the protection of personal information in the private sector)—Quebec's modernized privacy regime introducing mandatory breach notification, privacy impact assessments, data portability, right to be forgotten, and automated decision-making transparency.Publications du Québec
Personal Information Protection Act (PIPA British Columbia)—BC's private-sector privacy law governing the collection, use, and disclosure of personal information by organizations operating in British Columbia.BC Laws
Personal Information Protection Act (PIPA Alberta)—Alberta's private-sector privacy law governing how organizations handle personal information including employee personal information.King's Printer of Alberta
Canada's Anti-Spam Legislation (CASL)—Federal statute regulating commercial electronic messages, consent requirements, address harvesting, and spyware installation.Justice Laws Website

All sources link directly to official government websites. This page provides legal information, not legal advice. Consult a qualified professional before acting on any information presented here.