Canadian Privacy Compliance: PIPEDA for Dealers

    Personal Information Protection and Electronic Documents Act (PIPEDA): consent requirements, data security, customer rights. Canadian dealer compliance.

    Priya Sharma
    Apr 8, 2026
    9 min read

    Canadian privacy laws are among the strictest in North America, with penalties reaching $10 million for CASL violations and $100,000 for PIPEDA breaches. A 2024 Office of the Privacy Commissioner (OPC) report found 34% of Canadian businesses failed basic privacy compliance audits. For car dealers, the complexity multiplies: federal PIPEDA requirements, provincial privacy laws (Alberta, BC, Quebec), CASL anti-spam rules, and lender data-sharing obligations create a regulatory maze.

    This guide provides comprehensive coverage of Canadian privacy compliance for auto dealers, including PIPEDA principles, consent requirements, CASL email/SMS rules, data retention periods, provincial law differences, and practical compliance checklists.

    PIPEDA Overview (Federal Privacy Law)

    Full Name: Personal Information Protection and Electronic Documents Act

    Applicability: Federally regulated businesses, plus private-sector businesses in provinces without substantially similar provincial laws. For car dealers: applies in all provinces EXCEPT Alberta, BC, and Quebec (which have provincial equivalents).

    Regulator: Office of the Privacy Commissioner of Canada (OPC)

    PIPEDA's 10 Fair Information Principles

    | Principle | Requirement | Dealer Application |
    |---|---|---|
    | 1. Accountability | Designate privacy officer, create privacy policy | Assign staff member as privacy contact, post policy on website |
    | 2. Identifying Purposes | Tell customers WHY you're collecting data | "We collect your info for credit checks, lender submissions, and vehicle registration" |
    | 3. Consent | Obtain consent before collecting, using, or disclosing data | Written consent form for credit checks, implied for contact info |
    | 4. Limiting Collection | Collect ONLY what's necessary for stated purposes | Don't ask for SIN unless required for financing |
    | 5. Limiting Use/Disclosure | Use data ONLY for stated purposes (no surprise uses) | If collected for sale, can't use for marketing without new consent |
    | 6. Accuracy | Keep data accurate, up-to-date, complete | Update customer records, allow corrections |
    | 7. Safeguards | Protect data with security appropriate to sensitivity | Encrypted storage, access controls, secure disposal |
    | 8. Openness | Make privacy practices transparent (publish policy) | Post privacy policy on website, provide on request |
    | 9. Individual Access | Give customers access to their data upon request | Provide data within 30 days, allow corrections |
    | 10. Challenging Compliance | Allow customers to challenge your privacy practices | Process for complaints, contact privacy officer |

    Personal Information Dealers Collect

    Categories of Personal Information

    | Category | Examples | Sensitivity Level | Consent Required |
    |---|---|---|---|
    | Contact Info | Name, address, phone, email | Low | Implied for transaction, express for marketing |
    | Identification | Driver's license number, date of birth | Medium | Implied for sale/registration |
    | Financial Info | Credit score, bank account, income, employment | High | Express written consent required |
    | Government ID | Social Insurance Number (SIN) | Very High | Express written + limited use only |
    | Vehicle Info | Trade-in details, purchase history | Low-Medium | Implied for transaction |

    SIN Collection Rules (PIPEDA - Strict):

    • Collect SIN ONLY if required by law (tax reporting, credit bureau submission for financing)
    • Cannot refuse service if customer declines to provide SIN (unless legally required)
    • Must explain why SIN is needed ("Lenders require SIN for credit check and CRA tax reporting")
    • Encrypt SIN in storage, restrict access to finance staff only
    • Penalty for misuse: $10,000-$100,000 + OPC investigation

    Consent Requirements

    Types of Consent

    Implied Consent (Permitted for Routine Transactions):

    • Customer provides contact info to complete vehicle purchase
    • Customer provides license info for test drive (insurance verification)
    • Customer provides address for vehicle registration
    • Limitation: Implied consent does NOT extend to marketing, data sharing with third parties (beyond necessary lenders), or sensitive data (credit checks, SIN)

    Express Consent (Required for Sensitive/Non-Routine Uses):

    • Credit checks / bureau submissions
    • Sharing data with lenders for financing
    • Marketing emails/texts (see CASL section)
    • Selling/sharing customer list with third parties
    • Using purchase data for analytics/profiling beyond operational needs

    Consent Form Best Practices

    What to Include in Dealer Consent Form:

    1. Purpose Statement: "We collect your personal information to: process vehicle sale, conduct credit checks, submit financing applications, register vehicle with provincial authorities."
    2. Data Collected: List types of info (name, address, SIN, credit info, employment, etc.)
    3. Third-Party Sharing: "We share your info with: lenders for financing, credit bureaus for credit checks, provincial DMV for registration, service providers (email, CRM software)."
    4. Marketing Opt-In: Separate checkbox: "I consent to receive promotional emails/texts about future offers. I understand I can unsubscribe anytime."
    5. Revocation Right: "You can withdraw consent anytime by contacting our privacy officer. Note: Withdrawing consent may prevent us from completing services (e.g., financing)."
    6. Signature + Date: Customer signs and dates form.

    CASL (Canada's Anti-Spam Law)

    What is CASL?

    Full Name: Canada's Anti-Spam Legislation (Fighting Internet and Wireless Spam Act)

    Purpose: Regulate commercial electronic messages (CEMs) - emails, texts, social media DMs sent for commercial purpose.

    Enforced By: Canadian Radio-television and Telecommunications Commission (CRTC)

    Penalties: Up to $1 million per violation (individuals) or $10 million per violation (businesses)

    CASL Requirements for Dealers

    Express Consent Required Before Sending Marketing Emails/Texts:

    • Customer must opt-in (cannot pre-check box - must be unchecked by default)
    • Consent request must clearly state: who is asking (dealer name), why (promotional emails about vehicles/service), how to unsubscribe
    • Consent valid indefinitely until customer unsubscribes OR 2 years of inactivity (no engagement with emails)

    Existing Business Relationship (EBR) Exception:

    • Can send marketing messages without express consent if customer purchased/leased vehicle within past 2 years
    • EBR also applies if customer made inquiry within past 6 months
    • Critical: EBR expires 2 years after last purchase/6 months after inquiry. After expiry, MUST have express consent or stop sending.

    Required Elements in Marketing Emails/Texts

    | Element | Requirement | Example |
    |---|---|---|
    | Sender ID | Clear identification of who is sending | "From: ABC Motors, 123 Main St, Toronto ON" |
    | Subject Line | Not false or misleading | "New Inventory Alert" (✓) vs "Re: Your Order" when no order exists (✗) |
    | Unsubscribe Link | Functional unsubscribe mechanism | "Click here to unsubscribe" (must work for 60 days after email sent) |
    | Contact Info | Valid phone or email to contact sender | Phone: 416-555-1234, Email: info@abcmotors.ca |

    Unsubscribe Requirements:

    • Process unsubscribe request within 10 business days
    • Cannot charge fee for unsubscribing
    • Cannot require login or complex process (one-click unsubscribe preferred)
    • Keep unsubscribe list permanently - NEVER re-add without new express consent
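The rules above (express consent lapsing after 2 years of inactivity, the EBR windows of 2 years after a purchase/lease and 6 months after an inquiry, and the permanent unsubscribe list) combine into a single send/no-send decision per contact. The following Python is an added example written for this page; it is not code from the article or from any dealer software. The contact record fields, the 365-day year and the 182-day six-month approximation are assumptions, and statutory holidays are ignored when counting the 10 business days for processing an unsubscribe.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Windows from the article (assumed day counts: 2 years = 730 days, 6 months = 182 days).
CONSENT_INACTIVITY = timedelta(days=730)   # express consent lapses after 2 years of no engagement
EBR_PURCHASE = timedelta(days=730)         # EBR: 2 years after last purchase/lease
EBR_INQUIRY = timedelta(days=182)          # EBR: 6 months after last inquiry
UNSUBSCRIBE_BUSINESS_DAYS = 10             # must be processed within 10 business days


@dataclass
class Contact:
    """Hypothetical CRM record; field names are assumptions for this example."""
    email: str
    express_consent_on: Optional[date] = None   # date the (unchecked-by-default) opt-in was recorded
    consent_source: Optional[str] = None        # where consent came from, kept for audit defense
    last_engagement_on: Optional[date] = None   # last open/click/reply to a marketing message
    last_purchase_on: Optional[date] = None
    last_inquiry_on: Optional[date] = None
    unsubscribed_on: Optional[date] = None      # kept permanently; never cleared


def cem_permitted(c: Contact, today: date) -> Tuple[bool, str]:
    """Decide whether a commercial electronic message may be sent to this contact.

    Returns (allowed, reason). An unsubscribe blocks sending unless a NEW express
    consent was recorded after it, which is the only way back onto the list.
    """
    if c.unsubscribed_on is not None and (
        c.express_consent_on is None or c.express_consent_on <= c.unsubscribed_on
    ):
        return False, f"unsubscribed on {c.unsubscribed_on}; do not re-add without new express consent"

    if c.express_consent_on is not None:
        # Inactivity is measured from the later of the opt-in date and the last engagement.
        last_touch = max(c.express_consent_on, c.last_engagement_on or c.express_consent_on)
        if today - last_touch <= CONSENT_INACTIVITY:
            return True, f"express consent ({c.consent_source}) recorded {c.express_consent_on}"
        # Consent lapsed through inactivity; an EBR may still apply, checked below.

    if c.last_purchase_on is not None and today - c.last_purchase_on <= EBR_PURCHASE:
        return True, f"existing business relationship: purchase on {c.last_purchase_on}"
    if c.last_inquiry_on is not None and today - c.last_inquiry_on <= EBR_INQUIRY:
        return True, f"existing business relationship: inquiry on {c.last_inquiry_on}"

    return False, "no valid consent or EBR; obtain express consent before sending"


def unsubscribe_deadline(received: date) -> date:
    """Last day to honour an unsubscribe: 10 business days (Mon-Fri) after receipt.

    Statutory holidays are deliberately not modelled here (assumption).
    """
    day, counted = received, 0
    while counted < UNSUBSCRIBE_BUSINESS_DAYS:
        day += timedelta(days=1)
        if day.weekday() < 5:   # 0-4 are Monday to Friday
            counted += 1
    return day


if __name__ == "__main__":
    # Constructed sample contacts, evaluated as of the article's date.
    today = date(2026, 4, 8)
    samples = [
        Contact("a@example.ca", express_consent_on=date(2024, 1, 10), consent_source="web form",
                last_engagement_on=date(2026, 3, 1)),
        Contact("b@example.ca", express_consent_on=date(2023, 1, 10), consent_source="F&I form",
                last_purchase_on=date(2025, 6, 1)),
        Contact("c@example.ca", last_inquiry_on=date(2025, 9, 1)),
        Contact("d@example.ca", unsubscribed_on=date(2025, 5, 1), last_purchase_on=date(2026, 2, 1)),
    ]
    for s in samples:
        allowed, why = cem_permitted(s, today)
        print(f"{s.email}: {'SEND' if allowed else 'BLOCK'} - {why}")
    print("unsubscribe received", today, "must be processed by", unsubscribe_deadline(today))
```

The ordering matters: the unsubscribe check runs before any EBR logic, so a recent purchase never overrides an opt-out, which is the failure mode most CRM integrations get wrong when they rebuild mailing lists from sales data.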

    Provincial Privacy Laws (Alberta, BC, Quebec)

    Alberta: Personal Information Protection Act (PIPA)

    Scope: Applies to all Alberta private-sector businesses (replaces federal PIPEDA in Alberta)

    Key Differences from PIPEDA:

    • Breach Notification: PIPA requires notification to affected individuals + Privacy Commissioner if breach creates "real risk of significant harm"
    • Consent: Similar to PIPEDA (implied for routine, express for sensitive)
    • Data Retention: Must destroy data when no longer needed for stated purpose

    British Columbia: Personal Information Protection Act (PIPA-BC)

    Scope: Applies to BC private-sector businesses

    Key Differences from PIPEDA:

    • Breach Notification: Required if breach creates "real risk of significant harm"
    • Employee Data: PIPA-BC covers employee personal information (PIPEDA does not)
    • Consent: Similar principles to PIPEDA

    Quebec: Law 25 (Modernized Privacy Law)

    Scope: Quebec's updated privacy law (in force since September 2023) is Canada's STRICTEST

    Key Requirements (Stricter than PIPEDA):

    • Privacy Impact Assessments: Required for high-risk data processing
    • Consent: Must be "free, informed, specific" - cannot bundle consents
    • Breach Notification: Mandatory notification to privacy commissioner + affected individuals if breach creates "risk of serious injury"
    • Data Minimization: Collect ONLY data strictly necessary
    • Right to De-Indexing: Customers can request de-indexing from search engines
    • Penalties: Up to $10M or 2% of global revenue (whichever higher)

    Data Security and Breach Notification

    PIPEDA Security Requirements

    Security Level Must Match Sensitivity:

    | Data Sensitivity | Minimum Security | Example |
    |---|---|---|
    | Low (contact info) | Basic access controls, secure storage | CRM with password login |
    | Medium (license, trade-in details) | Encrypted storage, role-based access | Encrypted database, finance staff only access |
    | High (credit reports, SIN, bank info) | Strong encryption, multi-factor auth, audit logs | Encrypted at rest + in transit, MFA, tamper-proof logs |

    Breach Notification (Federal PIPEDA 2024+ Rules)

    When Notification Required: Data breach creating "real risk of significant harm" (identity theft, fraud, financial loss, reputational damage)

    Process:

    1. Notify Privacy Commissioner: Report breach to OPC as soon as feasible
    2. Notify Affected Individuals: Direct notification (email, phone, mail) to all affected customers
    3. Notify Other Organizations: If notifying another organization could reduce the harm to affected individuals (e.g., notify credit bureaus if SINs were stolen)
    4. Keep Records: Document breach details, notification sent, mitigation steps (retain 2+ years)

    Penalty for Failure to Notify: $10,000-$100,000 + OPC investigation + potential class-action lawsuit

    Data Retention and Disposal

    How Long to Keep Customer Data

    | Data Type | Retention Period | Legal Basis |
    |---|---|---|
    | Sales contracts, invoices | 7 years | CRA tax audit period |
    | Credit applications | 7 years | Financial record retention |
    | Marketing consent records | Until revoked + 1 year | Proof of consent for CASL audits |
    | Service records | 3-7 years | Warranty/liability claims |
    | Employee records | 7 years after termination | Employment law requirements |

    Secure Disposal Requirements:

    • Paper Records: Shred or incinerate (cross-cut shredder minimum)
    • Electronic Records: Secure deletion (overwrite data, not just delete file)
    • Hard Drives: Physical destruction or DOD 5220.22-M standard wipe (7-pass overwrite)
    • Backup Tapes: Degauss (magnetic erasure) or physical destruction

    Customer Rights Under PIPEDA

    Access Request (Most Common)

    Customer Rights: Request copy of all personal information you hold about them

    Dealer Obligations:

    • Respond within 30 days (can extend 30 more days if complex, must notify customer)
    • Provide data in understandable format (printout, PDF, spreadsheet)
    • Explain any codes/abbreviations used
    • Can charge reasonable fee (typically $0-$50) if extensive retrieval required

    Correction Request

    Customer Rights: Correct inaccurate or incomplete data

    Dealer Obligations:

    • Investigate and correct if error confirmed
    • If dispute (customer claims error but dealer disagrees), annotate record with customer's claim
    • Notify third parties who received incorrect data (e.g., lenders)

    Deletion Request

    Customer Rights: Request deletion of their data

    Dealer Obligations:

    • Delete if no legal/contractual reason to keep (e.g., past customer, no ongoing obligations)
    • Can refuse if legal obligation requires retention (e.g., 7-year tax record retention)
    • Explain refusal reason to customer

    Compliance Checklist for Dealers

    Privacy Policy (Post on Website)

    • [ ] List what personal info collected (contact, financial, government ID)
    • [ ] Explain purposes (sales, financing, registration, marketing)
    • [ ] Identify third parties who receive data (lenders, credit bureaus, DMV)
    • [ ] Describe security measures
    • [ ] Explain customer rights (access, correction, deletion)
    • [ ] Provide privacy officer contact info

    Consent Forms

    • [ ] Written consent for credit checks (signed before pulling credit)
    • [ ] Opt-in for marketing emails/texts (CASL compliance)
    • [ ] Separate consent for each purpose (cannot bundle)
    • [ ] Clear language (no legalese)

    Data Security

    • [ ] Encrypt sensitive data (credit reports, SIN, bank info)
    • [ ] Role-based access controls (finance staff only for credit data)
    • [ ] Audit logs for data access/changes
    • [ ] Secure disposal process (shred paper, wipe hard drives)

    CASL Email Marketing

    • [ ] Opt-in consent obtained (unchecked checkbox by default)
    • [ ] Sender ID clear in every email
    • [ ] Functional unsubscribe link in every email
    • [ ] Process unsubscribes within 10 business days
    • [ ] Track consent date + source for audit defense

    Frequently Asked Questions

    What is PIPEDA and who does it apply to?

    PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal privacy law governing how private-sector businesses collect, use, and disclose personal information. It applies to all car dealers in federally regulated provinces and to cross-province transactions. Alberta, BC, and Quebec have provincial equivalents (PIPA, PIPA-BC, Law 25).

    What personal information do dealers collect?

    Name, address, phone, email, driver's license number, SIN (for financing), credit report, employment info, bank account details, vehicle trade-in info, purchase history. PIPEDA requires: collect only what's necessary, obtain consent, protect data, allow access/correction, retention limits.

    Do I need written consent to collect customer data?

    Yes for sensitive info (credit checks, SIN). Implied consent permitted for routine purposes (contact info for purchase transaction). Best practice: Use written consent form covering credit checks, data sharing with lenders, marketing communications. Consent must be clear, specific, and revocable.

    Can I send marketing emails/texts to past customers?

    Yes, IF you obtained opt-in consent under CASL (Canada's Anti-Spam Law). Cannot send commercial emails/texts without express consent (exception: existing business relationship within 2 years). Must include unsubscribe link. CASL penalties: $1M-$10M per violation.

    How long can I keep customer data?

    PIPEDA: Keep only as long as necessary for business/legal purposes. Typical retention: Active customers (ongoing relationship), Past customers 7 years (for tax/legal audits), Credit applications 7 years, Marketing consent until revoked. Must securely destroy data after retention period.

    What if customer requests their data or deletion?

    PIPEDA gives customers right to: Access their data (must provide within 30 days), Correct inaccurate data, Request deletion (exceptions: legal/contractual obligations, fraud prevention). Dealers must have process to handle requests within 30 days. Ignoring requests = $10,000-$100,000 penalty.
