Privacy issues are an inevitable fact of conducting business in 2025. There are myriad ways that privacy problems can arise in private organizations. They can happen at any stage, whether you’re buying or selling a business or you’re in the midst of commercial litigation.
Say you own an online retail business. Black Friday is coming up, so you send your customers a promotional email to notify them of the products that will be on sale. But instead of entering your customers’ emails in the “Bcc” field, you accidentally use “To.” You have inadvertently revealed every customer’s email address to every other customer on the list, breaching their privacy rights. As a result of this incident, you could be sued for improper disclosure of personal information.
Or say you’re a lawyer who specializes in divorce law. After ten years at a law firm, you’ve decided to start your own family law firm as a sole proprietorship. But your brand-new website, while comprehensive, does not include a privacy policy. You could be sued for lack of transparency.
These are but two examples of the many ways you might be legally liable for failing to abide by privacy laws.
Read on to learn about the key privacy legislation that applies to private sector organizations in British Columbia so that you can avoid unfortunate incidents.
The Personal Information Protection and Electronic Documents Act
In Canada, all private organizations are subject to privacy laws derived from common law and statutes. At the federal level, the main act that governs private organizations is called the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies throughout the country except in those provinces that have their own private sector privacy laws. British Columbia is one of the provinces, along with Quebec and Alberta, with its own act: the Personal Information Protection Act (PIPA).
The Personal Information Protection Act
PIPA was enacted in 2003. The act lays out how private sector organizations in BC must handle the personal information of their employees and of the public. PIPA governs the collection, use, and disclosure of personal information.
What Kinds of Organizations Does PIPA Cover?
PIPA applies to all private organizations in BC, including:
- Corporations
- Partnerships
- Charities
- Religious institutions
- Trusts
- Co-operative associations
PIPA does not cover “public bodies.” These fall under a separate provincial law, the Freedom of Information and Protection of Privacy Act (FIPPA), and include:
- Government ministries
- Colleges and universities
- Hospitals
What is Personal Information?
PIPA specifically deals with personal information. Personal information is any information that can identify an individual, such as:
- Name
- Email address
- Home address
- Social insurance number
- Date of birth
What is the Collection, Use, and Disclosure of Personal Information?
Collection of Personal Information
Personal information is data that can be used to identify an individual. According to PIPA, an organization can only collect personal information for reasonable purposes.
Purposes for collecting personal information include:
- Marketing or advertising
- Providing services or products
- Conducting research or analytics
We’ll soon review what constitutes a reasonable purpose.
Use of Personal Information
Under PIPA, using personal information typically involves using it internally, i.e., within the organization.
Private organizations might use personal information to:
- Create user accounts
- Conduct email marketing
- Process job applications
Disclosure of Personal Information
Disclosing personal information means showing or sending the personal information in question to another organization, government, or individual.
Organizations might disclose personal information in order to:
- Comply with laws, e.g., a warrant
- Share data with third-party services, e.g., payment processors
- Perform audits or other financial reports
What are the Three Key Principles in PIPA?
Now that we’ve explained the concepts of personal information and collection, use, and disclosure, let’s explore the three key principles that PIPA contains: accountability, consent, and reasonable purpose.
Accountability
The principle of accountability is outlined in section 4(2) of PIPA. It states that private organizations are responsible for the personal information that is under their control.
Organizations must have procedures in place to deal with complaints or questions about their policies and practices for collecting, using, and disclosing personal information (section 5). They are also required to designate a privacy officer who is tasked with ensuring that the organization complies with PIPA.
Consent
Part three of PIPA deals with the critical issue of consent. The principle of consent requires that organizations obtain informed consent to collect, use, or disclose personal information.
PIPA refers to three categories of consent: express consent, deemed consent, and opt-out consent.
In express consent, the consenting individual knows what personal information is being collected and why. Moreover, they agree to the organization’s collection, use, and disclosure of the information.
Express consent may be verbal or in writing.
In deemed consent, an individual voluntarily provides their personal information to an organization and is therefore considered to have consented to the collection, use, and disclosure of that information.
In opt-out consent, if the individual does not clearly decline consent, consent is granted.
Reasonable Purpose
The third principle that’s underscored in PIPA is reasonable purpose. Reasonable purpose states that personal information can only be collected, used, and disclosed for purposes that a reasonable person would consider appropriate.
What is reasonable in a given situation depends on various factors, including the information collected, how it will be used, and to whom it will be disclosed.
How is PIPA Enforced?
PIPA is enforced by the Information and Privacy Commissioner for British Columbia, which is independent from the government. If any individual suspects that a private organization has improperly handled the collection, use, or disclosure of their personal information or otherwise violated PIPA, they can file a complaint with the Commissioner. The Commissioner has the power to investigate the complaint and to issue recommendations or legally binding orders.
Final Thoughts on Privacy Laws for Private Organizations in BC
There is no shortage of issues for private organizations in British Columbia. From building an online presence and navigating HR issues to managing financial pressures and staying innovative, the most successful organizations must be nimble and resilient.
But business owners are advised to make time to learn about the privacy laws that apply in BC. Legal issues stemming from privacy breaches can be serious and disruptive. Fortunately, with the right knowledge and a commitment to staying informed, many of these problems can be avoided or quickly resolved.
Contact CM Lawyers for Guidance on Privacy Law in Vernon & Salmon Arm
At CM Lawyers, our knowledgeable business lawyers are experienced in dealing with a wide range of privacy law issues that businesses might confront. We understand the intricacies of the Personal Information Protection Act and will work diligently to ensure that your organization complies with the relevant law. Whether you have an established business or are launching a new one, our skilled lawyers will be there to assist you and answer all your questions every step of the way.
With convenient office locations in Vernon and Salmon Arm, CM Lawyers proudly serves clients throughout the surrounding communities, including Northern Okanagan and Shuswap. To discuss your business law matter with our team, please contact us online or call our Vernon office at (250) 308-0338 or our Salmon Arm office at (250) 803-9171.