1. PIPEDA in one paragraph
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector Canadian organizations collect, use, and disclose personal information in the course of commercial activities. It's the federal floor; Alberta, BC, and Québec have substantially similar provincial regimes that take precedence inside their borders. PIPEDA covers personal information — not business information. That distinction is the whole game for trade contractors using permit data.
2. Personal vs. business: the line you have to draw
PIPEDA defines personal information as information about an identifiable individual. Crucially, the Act has a business contact information exemption: an employee's name, business title, business address, business phone, and business email are exempt from most PIPEDA obligations when collected for the purpose of communicating with that person in their business role.
Permit data sits in three buckets:
| Field | Type | PIPEDA status |
|---|---|---|
| Permit address | Property/business | Not personal info |
| Applicant company name | Business | Not personal info |
| Contractor company name | Business | Not personal info |
| Project value | Business | Not personal info |
| Named individual + business email | Business contact info | Exempt from most obligations |
| Named individual + personal phone/email | Personal info | Full PIPEDA applies |
For 95%+ of permit data, you're in rows 1-5. The only case where you'd brush up against PIPEDA in a serious way is if you enrich a contact and end up with someone's home phone or personal email — which is rare for B2B work and a sign you should re-check your enrichment process.
3. The 10 PIPEDA fair-information principles
PIPEDA's structure is built on 10 principles. Here's how they apply to permit-based outreach:
- Accountability — designate someone responsible for PIPEDA compliance. For a small contractor: the owner.
- Identifying purposes — be clear about why you're collecting. "B2B sales outreach about your construction project" is fine.
- Consent — get it before collecting personal info, where required. Business contact info is exempt.
- Limiting collection — only collect what you need. Don't enrich beyond business contact unless you have a reason.
- Limiting use — use only for the stated purpose. Don't resell.
- Accuracy — keep your CRM accurate; correct or delete on request.
- Safeguards — encrypt your data at rest and in transit. Lock down access.
- Openness — publish a privacy policy. Yours, on your website.
- Individual access — if someone asks "what do you have on me?", give them a copy within 30 days.
- Challenging compliance — provide a way to file complaints with you and with the OPC.
4. Provincial overrides: Alberta PIPA, BC PIPA, Québec Law 25
Inside Alberta, BC, and Québec, the substantially-similar provincial Act takes precedence over PIPEDA for activity that's wholly intra-provincial. The differences are mostly procedural — same fair-information principles, slightly different timelines and complaint mechanisms.
Québec's Law 25 is the strictest. Since September 2023, it requires:
- Privacy impact assessments for new tech
- Designated privacy officer
- Mandatory breach reporting to the Commission d'accès à l'information (CAI)
- Customers' right to data portability
- Right of refusal of automated decisions
If you're selling into Québec and storing customer data, take Law 25 seriously. The CAI has fining authority of up to 4% of worldwide revenue.
5. What you must publish
At minimum, your business needs:
- A privacy policy on your website — see Shovel Radar's at /privacy.html as a template structure.
- A designated contact for privacy inquiries (named person + email).
- A process for responding to access and correction requests within 30 days.
- A process for breach response and notification. PIPEDA requires you to notify affected individuals AND the OPC of any breach of safeguards involving personal info where there's a real risk of significant harm.
6. Where contractors actually run into trouble
The honest version: most trade contractors will never have a PIPEDA complaint filed against them. The OPC handles fewer than 600 complaints per year, and the bulk are against telecoms and large data holders. The realistic risks for a working contractor are:
- Storing customer info insecurely — laptops without disk encryption, CRMs with shared passwords. Easy fix: encrypt everything, use unique passwords.
- Selling or sharing customer lists — outside the original collection purpose. Don't.
- Ignoring a deletion request — if someone asks you to delete their info, do it within 30 days unless you have a legal hold reason.
- Failing to report a breach — if your CRM gets hacked and customer info leaks, you have to notify.
7. PIPEDA + CASL together
The two laws layer. PIPEDA governs the data; CASL governs the message. A permit-sourced outreach has to satisfy both:
- PIPEDA: data sourced from public records (business info exempt) → no consent needed for collection
- CASL: message sent to business address (business-contact-info exemption) → no opt-in needed
- Both: include identification, working unsubscribe, accurate sender info
- Both: honour deletion / unsubscribe requests promptly
8. Further reading
- Office of the Privacy Commissioner of Canada — definitive PIPEDA guidance
- Commission d'accès à l'information du Québec — Law 25 guidance
- Our companion guide: CASL Compliance for Canadian Trade Contractors