PIPEDA's consent-based framework and statutory exceptions
Canada's federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), rests on a consent-first model that differs fundamentally from the six lawful bases of Article 6 of the European Union's GDPR. Under PIPEDA, organizations collecting, using, or disclosing personal information in the course of commercial activity must, as a baseline rule, obtain the knowledge and consent of the individual (Clause 4.3, Schedule 1). The Act applies to private-sector organizations across Canada that collect personal information in the course of commercial activity, as well as to the employee personal information of federally regulated works, undertakings, or businesses (such as banks, airlines, and telecommunications carriers).
PIPEDA was enacted in 2000 and incorporates the ten Fair Information Principles of the Canadian Standards Association's Model Code for the Protection of Personal Information, codified in Schedule 1 of the Act. Principle 4.3 (Consent) states: "The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate." The consent must be meaningful: section 6.1, added by the Digital Privacy Act 2015, provides that consent is valid only if "it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting."
The form of consent varies with sensitivity and context. Clause 4.3.4 instructs organizations to "take into account the sensitivity of the information" when determining whether express or implied consent is appropriate. Medical records and financial data almost always require express consent; business contact information may permit implied consent where the purpose aligns with reasonable expectations. The Office of the Privacy Commissioner of Canada (OPC)—the independent federal oversight body—has consistently held that consent for sensitive uses such as behavioral advertising or biometric collection must be express, not implied.
## Section 7 statutory exceptions
PIPEDA does not offer organizations a menu of alternative lawful bases in the manner of GDPR Article 6. Instead, consent remains the default, and section 7 enumerates tightly circumscribed exceptions permitting collection, use, or disclosure without knowledge or consent when certain conditions are met.
Key exceptions under section 7 include:
- 7(1)(b): Collection that is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province, where it is reasonable to expect that collecting with the individual's knowledge or consent would compromise the availability or accuracy of the information.
- 7(1)(c): Collection solely for journalistic, artistic, or literary purposes.
- 7(1)(d): Collection of publicly available information specified by regulation (the Regulations Specifying Publicly Available Information cover telephone directories, professional and business directories, registries collected under statutory authority to which the public has a right of access, records of courts and quasi-judicial bodies available to the public, and publications such as magazines, books, and newspapers).
- 7(2)(b): Use for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual.
- 7(2)(c): Use for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, where the information is used in a manner that ensures its confidentiality, consent is impracticable to obtain, and the OPC is informed before use.
- 7(3)(c): Disclosure required to comply with a subpoena or warrant issued, or an order made, by a court, person, or body with jurisdiction to compel the production of information, or with rules of court relating to the production of records.
- 7(3)(c.1): Disclosure to a government institution that has requested the information, identified its lawful authority to obtain it, and indicated either that it suspects the information relates to national security, the defence of Canada, or the conduct of international affairs, or that it needs the information to enforce or administer a law or to carry out an investigation relating to enforcement.
- 7(3)(d.1) and (d.2): Disclosure to another organization where reasonable for investigating a breach of an agreement or a contravention of law, or for detecting, suppressing, or preventing fraud, and where obtaining consent would compromise the investigation or the ability to prevent, detect, or suppress the fraud (added by the Digital Privacy Act 2015).
- 7(3)(e): Disclosure to a person who needs the information because of an emergency threatening life, health, or security, with written notice to the individual without delay if the individual is alive.
- 7(3)(f): Disclosure for statistical, or scholarly study or research, purposes that cannot be achieved without the disclosure, where consent is impracticable to obtain and the OPC is informed before disclosure.
- 7(3)(h.1): Disclosure of publicly available information specified by regulation; for each category, the Regulations require that the collection, use, or disclosure relate directly to the purpose for which the information appears in the directory, registry, record, or publication.
Section 7.1 bars reliance on several of these exceptions, including the publicly available information exceptions, where an electronic address was collected by address-harvesting software or where information was obtained through unauthorized access to a computer system. Section 7.2 (added in 2015) permits use and disclosure without consent in the context of prospective or completed business transactions (mergers, acquisitions, and similar dealings) if the parties enter into an agreement restricting use and requiring safeguards, the information is necessary for the transaction, and the individual is notified within a reasonable time after the transaction is completed; the exception is unavailable where the primary purpose of the transaction is the purchase, sale, or other disposition of personal information (subsection 7.2(3)). Section 7.3 permits federal works, undertakings, and businesses to collect, use, and disclose employee personal information without consent where necessary to establish, manage, or terminate the employment relationship, provided the employer has informed the employee that the information will be collected, used, or disclosed for those purposes.
## Contrast with GDPR
Unlike GDPR, PIPEDA does not recognize "legitimate interests" balancing, "performance of a contract," or "legal obligation" as freestanding lawful bases. An organization relying on an exception bears the burden of demonstrating that the specific conditions of the relevant section 7 paragraph are met. The OPC investigates complaints under PIPEDA and issues findings and recommendations; after receiving the Commissioner's report, the complainant (or, with the complainant's consent, the Commissioner) may apply to the Federal Court, which can order the organization to correct its practices and may award damages. PIPEDA contains no administrative monetary penalties for contraventions of its privacy principles; the only fines are for offences such as knowingly failing to keep breach records or to report breaches. Legislative proposals to introduce penalties have been under discussion for years.
PIPEDA applies to organizations with a real and substantial connection to Canada. Organizations in provinces with substantially similar legislation, namely Alberta (Personal Information Protection Act), British Columbia (Personal Information Protection Act), and Quebec (Act respecting the protection of personal information in the private sector, amended significantly by Law 25 in 2021), are exempt from PIPEDA for collection, use, and disclosure of personal information within the province, but organizations handling cross-border or inter-provincial personal information remain subject to PIPEDA for that portion of their operations.
The Minister of Innovation, Science and Economic Development is the responsible minister for PIPEDA; the OPC is the designated supervisory authority.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5
Source: Digital Privacy Act, S.C. 2015, c. 32
Source: PIPEDA Fair Information Principles, Office of the Privacy Commissioner of Canada
Right to withdraw consent under Principle 4.3.8 — scope and limitations
Under PIPEDA, individuals retain the ongoing right to withdraw consent for the collection, use, or disclosure of their personal information, subject to three statutory limitations codified in Principle 4.3.8 of Schedule 1. This right is foundational to PIPEDA's consent-based model and distinguishes it from models that rely on immutable lawful bases (such as GDPR's legitimate interests or contract grounds, which cannot be withdrawn by unilateral individual action in the same manner).
## The Principle 4.3.8 rule
Principle 4.3.8 states: "An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal."
The right applies to all consent originally given under Principle 4.3—express or implied, for primary or secondary purposes—unless one of the three carve-outs applies. The Office of the Privacy Commissioner (OPC), Canada's independent federal oversight authority for PIPEDA, has consistently held that organizations bear the burden of demonstrating that a valid legal or contractual restriction applies if they refuse to honor a withdrawal request.
## Three statutory limitations
Organizations may refuse withdrawal or delay its effect only when:
1. Legal restrictions apply. A legal obligation to collect, use, or disclose the information—imposed by Canadian federal or provincial statute or by court order—may override an individual's withdrawal. For example, in OPC Case Summary #2003-211, a bank legitimately refused withdrawal of consent for sharing overdraft information with credit bureaus because such disclosure is legally required to maintain the integrity of the Canadian credit-granting system under applicable financial-services regulations. The Commissioner held that the bank satisfied the "legal restriction" test and was not in contravention of Principle 4.3.8.
2. Contractual restrictions are reasonable. Consent may not be withdrawn if the information is necessary to fulfill an existing contractual obligation between the individual and the organization. The most common example: an individual paying for a subscription service in installments cannot withdraw consent for the use of payment information until the contract term expires or is otherwise terminated. The Digital Privacy Act 2015, which added section 7.2, clarified that in business transactions (mergers, acquisitions), the acquiring organization must give effect to any withdrawal of consent made under Principle 4.3.8 except where the personal information is necessary for carrying on the business or activity that was the object of the transaction—reinforcing that contractual necessity is a valid limitation but must be narrowly construed.
3. Reasonable notice has not yet been provided. The organization may request reasonable time to process the withdrawal and implement it across systems. "Reasonable notice" has no fixed statutory timeline; the OPC assesses it contextually. In multiple early complaints involving banks (OPC Case Summaries #2003-248, #2003-249, #2003-116), the Commissioner found that individuals had provided reasonable notice—in some cases more than six months—and that the banks' failure to honor withdrawal (due to systems errors, inadequate call-center staffing, or failure to communicate the opt-out across affiliates) violated Principle 4.3.8. The OPC has made clear that organizations must design convenient withdrawal mechanisms—toll-free numbers, online forms, or simple email requests—and must ensure that the withdrawal is operationalized promptly once reasonable notice is given.
## Organizational obligations upon withdrawal
When an individual exercises withdrawal, the organization must inform the individual of the implications (Principle 4.3.8). Implications may include:
- Termination or degradation of service (e.g., a recommendation engine will stop functioning if consent for behavioral tracking is withdrawn).
- Inability to complete a transaction (e.g., withdrawal of consent for payment processing will prevent order fulfillment).
- Retention of information for legal or regulatory reasons (e.g., transaction records retained to satisfy tax or anti-money-laundering obligations; Principle 4.5 permits retention only as long as necessary for the identified purposes or as required by law).
The duty to inform must occur before or at the time of withdrawal—not retroactively—so the individual can make an informed choice.
After honoring the withdrawal, the organization must cease collection, use, and disclosure of the personal information for the purposes to which the withdrawal applies. If consent was originally given for multiple distinct purposes, withdrawal may be granular: for example, an individual may withdraw consent for marketing use of an email address while retaining consent for transaction confirmations tied to the same service. The OPC has held that where secondary purposes (marketing, sharing with affiliates) exist alongside primary purposes (service delivery), organizations must provide an ongoing mechanism for withdrawing consent to the secondary purpose, and should ensure that the withdrawal takes effect with minimal delay (OPC Interpretation Bulletin on Form of Consent).
## Withdrawal vs. erasure
Withdrawal of consent under PIPEDA is not equivalent to a right to erasure (GDPR Art. 17). After an individual withdraws consent, PIPEDA does not mandate deletion of previously collected information if:
- A section 7 exception permits retention without consent (e.g., retention for compliance with a legal obligation, for detection of fraud under section 7(3)(d.1), or for statistical/research purposes under section 7(2)(c) if conditions are met).
- Retention is necessary to allow the individual to exhaust recourse under PIPEDA (section 8(8): an organization must retain information subject to an access request long enough for the individual to pursue complaint or Federal Court proceedings).
The OPC does not interpret Principle 4.3.8 as triggering automatic deletion; instead, the organization transitions from a consent basis to a section 7 exception basis (if available) or must delete if no exception applies.
## Cross-border note: PIPEDA withdrawal applies to data exported under business-transaction exceptions
Section 7.2(2)(a)(iii), added in 2015, requires that when personal information is transferred in a completed business transaction (merger, acquisition) without consent under the business-transaction exception, the acquiring organization must enter into an agreement to give effect to any withdrawal of consent made under Principle 4.3.8. This ensures that individuals' withdrawal rights travel with their data even when the data is disclosed to a new controller without their knowledge or consent under a statutory exception.
## Enforcement
PIPEDA does not currently provide for administrative monetary penalties. The OPC investigates complaints, issues findings, and may recommend corrective measures. If the organization does not comply voluntarily, the complainant (or, in limited circumstances, the OPC) may apply to the Federal Court for a declaration, an order to correct practices, or damages. In practice, OPC findings of non-compliance with Principle 4.3.8, particularly where organizations erected unreasonable barriers to withdrawal or ignored repeated withdrawal requests, expose the organization to Federal Court proceedings and to significant reputational harm.
Organizations operating under provincial substantially similar legislation (Alberta PIPA, British Columbia PIPA, and Quebec's private-sector Act as amended by Law 25) should consult those statutes for parallel withdrawal-of-consent provisions; the right exists in all three provincial regimes but may be worded and enforced differently.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Schedule 1, Principle 4.3.8
Source: Digital Privacy Act, S.C. 2015, c. 32
Source: PIPEDA Fair Information Principle 3 – Consent, Office of the Privacy Commissioner of Canada
Source: PIPEDA Interpretation Bulletin: Form of Consent, Office of the Privacy Commissioner of Canada
Source: PIPEDA Case Summary #2003-211, Office of the Privacy Commissioner of Canada
Source: PIPEDA Case Summary #2003-248, Office of the Privacy Commissioner of Canada
Section 6.1 meaningful consent standard and the express vs. implied consent distinction
Under PIPEDA, consent is valid only if it meets the meaningfulness standard codified in section 6.1 and the sensitivity-based form requirement set out in Principles 4.3.4–4.3.6 of Schedule 1. These provisions—the former added by the Digital Privacy Act in 2015, the latter part of PIPEDA's original 2000 framework—impose a two-tier obligation: organizations must ensure individuals understand what they are consenting to (section 6.1), and they must obtain the appropriate form of consent (express or implied) based on the sensitivity of the information and the reasonable expectations of the individual (Principles 4.3.4–4.3.6).
## Section 6.1: The reasonableness standard for meaningful consent
Section 6.1 states: "For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting."
This is an objective reasonableness test from the perspective of the target audience—not what the organization believes it has disclosed, but what a reasonable member of the intended user base would actually comprehend. The Office of the Privacy Commissioner (OPC) issued comprehensive Guidelines for obtaining meaningful consent in May 2018 (effective January 1, 2019) that interpret section 6.1 as requiring organizations to explain:
- Nature: what personal information is being collected (email address, browsing history, geolocation, health data).
- Purpose: why the organization needs it (service delivery, fraud prevention, behavioral advertising, analytics).
- Consequences: risks of harm—particularly meaningful residual risks of significant harm that remain after mitigation measures. The OPC defines "significant harm" to include bodily harm, humiliation, damage to reputation, loss of employment, identity theft, and financial loss. Organizations must disclose these risks when they are more than minimal or theoretical but need not reach the balance-of-probabilities threshold.
The OPC has consistently held that lengthy, legalistic privacy policies buried in terms of service do not satisfy section 6.1. In its 2019 investigation of Facebook concerning the "This is Your Digital Life" app, which led to the OPC's 2020 Federal Court application (T-190-20), the OPC found that Facebook had failed to obtain meaningful consent where users could not reasonably understand that third-party apps would access and retain their friends' data. Earlier, the Federal Court of Appeal in Englander v. Telus Communications Inc. (2004 FCA 387) held that "a consent is not informed if the person allegedly giving it is not aware at the time of giving it that he or she had the possibility to opt out."
## Principles 4.3.4–4.3.6: Express consent vs. implied consent
Principle 4.3.4 provides: "The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information."
Express consent (opt-in) is required when:
- The personal information is sensitive (medical records, financial data, biometric identifiers, precise geolocation, sexual orientation, political opinions, ethnic or racial origin, genetic data, information about children).
- The collection, use, or disclosure is outside the reasonable expectations of the individual (sharing subscriber data with affiliates for marketing; third-party behavioral tracking; employee monitoring beyond what is necessary for the employment relationship).
- The processing creates a meaningful residual risk of significant harm (as defined in the OPC's May 2018 Guidelines).
Implied consent (opt-out) is acceptable only in strictly defined circumstances when:
- The personal information is demonstrably non-sensitive in nature and context (the OPC Interpretation Bulletin on Form of Consent gives examples: name and address for magazine subscription renewal; business contact information for directory listings where the individual posted it publicly for that purpose).
- The purpose is limited and well-defined and stated in a reasonably clear manner brought to the individual's attention.
- The use or disclosure aligns with the individual's reasonable expectations under Principle 4.3.5.
- The organization is otherwise in full compliance with all PIPEDA principles (accountability, safeguards, openness).
The Commissioner has stated plainly: "Express consent is the most appropriate and respectful form of consent to use in any circumstances; implied consent can be acceptable in strictly defined circumstances" (OPC Interpretation Bulletin on Form of Consent; PIPEDA Case Summary #2003-207).
## Context-dependent sensitivity: the Federal Court and OPC rulings
Principle 4.3.4 itself acknowledges: "Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context."
The Federal Court of Canada and the OPC have repeatedly held that sensitivity is contextual:
- In Randall v. Nubody's Fitness Centres (2010 FC 681), the Court found that information about how often an individual attends a gym is low-sensitivity and may support implied consent, but information about what they do at the gym, their training regimen, and fitness level is more sensitive and requires express consent.
- In PIPEDA Report of Findings #2012-002 (Facebook non-members' email addresses used to suggest friends), the OPC held: "Although an email address may not at first blush be considered to be a sensitive piece of personal information, the existing or presumed social connections between people derived from the use of the e-mail address … could be considered sensitive in certain unique contexts."
- In PIPEDA Report of Findings #2014-001 (Google health-search targeting), the OPC found that the use of sensitive health search queries for ad targeting requires meaningful and express consent, even when the organization does not store the underlying queries in identifiable form.
- In Townsend v. Sun Life Financial (2012 FC 550), the Federal Court held that medical information is "of the utmost sensitivity and should receive the highest degree of protection."
## Reasonable expectations under Principle 4.3.5
Principle 4.3.5 states: "In obtaining consent, the reasonable expectations of the individual are also relevant."
The OPC and courts assess reasonableness by examining:
- The pre-existing relationship between the individual and the organization (subscription, employment, financial services).
- Industry norms and statutory disclosure obligations (credit reporting by banks under financial-services regulations).
- Whether the individual actively initiated the disclosure or passively had information collected (compare a user posting business contact information on a professional website for networking purposes vs. a company scraping publicly available social-media profiles for a commercial mailing list).
In PIPEDA Case Summary #2003-244 (telecommunications company using customer data for secondary marketing), the Assistant Commissioner found that the company's opt-out consent mechanism violated Principle 4.3.5 because "the company's privacy practices do not meet the reasonable expectations of its customers"—the organization failed to draw new subscribers' attention to its privacy practices at the point of sale, burying the disclosures in an unindexed user manual.
In PIPEDA Case Summary #2019-006 (Grey House directory scraping), the OPC held that while the complainant had freely chosen to post his information publicly, he "could not have reasonably expected that his personal information would be collected by a third party publishing company and then inserted into a national print directory … Nor could the complainant have expected that his information would then be included in a distribution list sold to a federal government department." The OPC found that Grey House could not rely on implied consent and was in contravention of Principle 4.3.
## Children's consent: the OPC's under-13 bright-line rule
In the May 2018 Guidelines, the OPC takes the position that, in all but exceptional circumstances, anyone under the age of 13 is unable to provide meaningful consent themselves, so organizations must obtain consent from a parent or guardian. For youth aged 13 and older who can provide consent, the consent process must "reasonably consider their level of maturity": simplified language, age-appropriate explanations, and just-in-time contextual notices. (The Alberta and British Columbia regulators, co-authors of the Guidelines, did not endorse the numerical threshold and assess capacity contextually; Quebec's private-sector Act, as amended by Law 25, sets 14 as the age below which consent is given by the parent or tutor.)
## The OPC's May 2018 Guidelines: seven guiding principles (effective January 1, 2019)
The OPC's Guidelines for obtaining meaningful consent (jointly issued with the Alberta and British Columbia privacy commissioners on May 24, 2018, and applied by the OPC beginning January 1, 2019) set out seven guiding principles, including binding "must" requirements derived from section 6.1:
- Emphasize key elements: Organizations must highlight (1) the types of personal information collected, (2) the purposes, (3) third parties with whom information will be shared (described in sufficient detail for the individual to understand), and (4) meaningful residual risks of significant harm.
- Allow control of detail: Provide layered privacy notices—short-form key facts up front, with links to comprehensive policies for those who want them.
- Provide just-in-time notices: Seek consent at the moment a feature that collects new data is activated, not buried in a lengthy initial sign-up flow.
- Innovative, context-suitable mechanisms: Interactive walkthroughs, infographics, videos; mobile-optimized consent flows that respect the constraints of screen size and user attention.
- Audit regularly: Periodically verify that privacy communications accurately reflect current data practices.
- Stand ready to demonstrate compliance: When challenged, organizations must be able to show that their consent processes permit the target audience to provide valid, meaningful consent.
- Provide ongoing withdrawal mechanisms: Consent to secondary purposes (marketing, analytics) must be granular and revocable with minimal delay (as discussed in the existing section on withdrawal of consent).
The Guidelines also note that consent does not waive an organization's other PIPEDA obligations, including the subsection 5(3) "appropriate purposes" test, accountability (Principle 4.1), and safeguards (Principle 4.7).
## Relationship to subsection 5(3): consent alone is not sufficient
Even when an organization obtains valid, meaningful consent under section 6.1 and Principles 4.3.4–4.3.6, the collection, use, or disclosure must still satisfy the independent "appropriate purposes" requirement in subsection 5(3) of PIPEDA, which states: "An organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances."
The OPC's Guidance on inappropriate data practices (May 2018, effective July 1, 2018) identifies six "no-go zones" that are offside subsection 5(3) even with consent: (1) collection, use, or disclosure that is otherwise unlawful; (2) profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law; (3) collection, use, or disclosure for purposes that are known or likely to cause significant harm to the individual; (4) publishing personal information with the intended purpose of charging individuals for its removal (held to amount to blackmail in T (A) v. Globe24h.com, 2017 FC 114); (5) requiring social-media passwords from job applicants or employees for employment screening; and (6) surveillance through audio or video functionality of an individual's own device without full, ongoing control by the individual and with no recording, use, disclosure, or retention except as expressly authorized.
## Provincial regimes: substantially similar requirements
The **Alberta Personal Information Protection Act (PIPA), British Columbia PIPA, and Quebec Act respecting the protection of personal information in the private sector** (as amended by Law 25, which came into force in stages between September 2022 and September 2024) each contain parallel meaningful-consent and sensitivity-based form requirements. Organizations operating under those substantially similar provincial statutes should consult the relevant provincial commissioner's guidance; the May 2018 OPC Guidelines were issued jointly with Alberta and BC (Quebec CAI was not a signatory but Law 25 codifies similar express-consent triggers for sensitive information).
Organizations handling cross-border or inter-provincial personal information remain subject to PIPEDA for that portion of their operations, even when they are otherwise subject to provincial law for intra-provincial activity.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, section 6.1
Source: Personal Information Protection and Electronic Documents Act, Schedule 1, Principles 4.3.4–4.3.6
Source: Guidelines for obtaining meaningful consent, Office of the Privacy Commissioner of Canada (May 2018)
Source: PIPEDA Interpretation Bulletin: Form of Consent, Office of the Privacy Commissioner of Canada
Source: PIPEDA Fair Information Principle 3 – Consent, Office of the Privacy Commissioner of Canada
Section 4.01 business contact information carve-out — the "solely for the purpose" requirement and its limits
Section 4.01 of PIPEDA, added by the Digital Privacy Act in 2015, carves business contact information entirely out of the scope of Part 1 of the Act when an organization collects, uses, or discloses such information "solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession." When section 4.01 applies, the organization does not need consent and is not bound by the ten Fair Information Principles in Schedule 1 for that information. This carve-out enables routine B2B networking, cold outreach, and professional correspondence without triggering PIPEDA's consent framework—but the Office of the Privacy Commissioner (OPC) has made clear that the "solely for the purpose" requirement is narrow and strictly enforced.
## Statutory definition of business contact information
Section 2(1) of PIPEDA defines "business contact information" as "any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual's name, position name or title, work address, work telephone number, work fax number or work electronic address."
The definition is illustrative, not exhaustive—the lead-in phrase "such as" signals that other types of information may qualify if they meet the functional test: used for professional communication. However, business contact information remains personal information under section 2(1) (information about an identifiable individual); section 4.01 simply exempts it from the application of PIPEDA when the conditions are met. If the organization uses business contact information for any purpose beyond professional communication—marketing consumer products to the individual, profiling the individual's interests, or reselling the information—section 4.01 does not apply and the organization must comply with PIPEDA, including the consent requirement under Principle 4.3.
## The "solely for the purpose" gateway: OPC enforcement positions
The OPC's Interpretation Bulletin on Personal Information states plainly: "PIPEDA does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession." The Commissioner has interpreted "solely" to mean exclusively and narrowly: if the organization's purpose includes any secondary use that is unrelated to the individual's professional role, section 4.01 fails and PIPEDA applies in full.
### PIPEDA Report of Findings #2016-003 (Compu-Finder): address-harvested B2B email lists
In Compu-Finder (3510395 Canada Inc.), the OPC investigated a B2B marketing company that used address-harvesting software to scrape approximately 170,000 work email addresses from publicly accessible websites between 2012 and 2014. Compu-Finder sold access to this database to third-party marketers and used it to send unsolicited commercial email. The organization argued that section 4.01 exempted its activity because it was sending "entirely business-to-business" messages and the email addresses were business contact information.
The Commissioner rejected that defence. The OPC found:
- Many of the commercial emails Compu-Finder sent "are not relevant to the employment, business or profession of the e-mail recipients"—for example, marketing consumer electronics or unrelated services to individuals whose job titles did not suggest a business need for those products.
- Compu-Finder's database did not record an individual's position or title, making it impossible for the organization to determine whether a given message would be "relevant" to the recipient's professional role—a red flag that the use was not "solely" for professional communication but rather for indiscriminate mass marketing.
- The OPC held that section 4.01's carve-out applies only when the organization can demonstrate that each use or disclosure is limited to professional communication tied to the individual's employment, business, or profession. Bulk email marketing to harvested lists failed that test.
The finding establishes that relevance matters: even if the information collected is business contact information, the organization must ensure that every use aligns with the purpose of facilitating professional communication. An organization that repurposes business email addresses for consumer marketing, affiliate sales, or secondary advertising loses the section 4.01 exemption and must obtain consent under Principle 4.3.
*PIPEDA Findings #2020-002* (*RateMDs*): health-practitioner rating website
In RateMDs, a physician rating website published the names and practice contact details of health practitioners (sourced from publicly available professional directories maintained by provincial colleges) alongside patient-submitted reviews and ratings. The complainant, a physician, argued that the website was using her business contact information without consent. RateMDs invoked section 4.01, asserting that it displayed business contact information solely to facilitate communication with the physician in her professional capacity.
The OPC found that section 4.01 did not apply. The Commissioner held: "RateMDs collection, use and disclosure of the Complainant's business contact information is therefore not exempt from PIPEDA pursuant to section 4.01 in the circumstances" because the information was not being used solely for the purpose of facilitating communication with the physician in relation to her profession. Instead, the website's primary purpose was to publish reviews and ratings—a reputational and informational function distinct from enabling direct professional communication. The OPC noted that while the website displayed the contact details alongside the reviews, the dominant purpose was public rating and review, not professional correspondence.
The Commissioner went on to hold that the business contact information was publicly available within the meaning of the Regulations Specifying Publicly Available Information (professional directories maintained by regulatory bodies under statutory authority), permitting collection, use, and disclosure without consent under sections 7(1)(d), 7(2)(c.1), and 7(3)(h.1)—an entirely different consent exception outside section 4.01. This illustrates that section 4.01 is narrower than the publicly-available-information exception: even when an organization may lawfully use business contact information under a section 7 exception, it does not necessarily satisfy the "solely for the purpose of professional communication" test in section 4.01.
## What qualifies: permitted uses under section 4.01
When section 4.01 does apply, organizations are free to collect, use, and disclose business contact information without consent. Typical permitted activities include:
- B2B cold outreach (an IT vendor emailing a CTO to offer enterprise software; a law firm sending a capabilities brochure to an in-house legal director).
- Professional networking (collecting business cards at a conference and adding contacts to a professional CRM).
- Vendor communications (a supplier emailing a purchasing manager about product updates, invoices, or delivery schedules tied to the business relationship).
- Recruiting (a headhunter contacting a marketing manager at her work email to discuss a senior marketing role at another company).
- Professional directory listings (a business association publishing a member directory with names, titles, and work contact details to facilitate member-to-member networking).
In each scenario, the collection, use, or disclosure is tightly tied to the individual's professional role and the purpose is solely to communicate about matters related to employment, business, or profession.
## What fails: impermissible secondary purposes
Section 4.01 does not exempt:
- Consumer marketing to work email addresses (targeting employees for personal purchases—car insurance, vacation packages, home renovation services—using harvested work emails).
- Profiling or analytics beyond the narrow professional communication (building behavioral profiles, cross-referencing business contact information with consumer data sets for ad targeting).
- Reselling or licensing business contact lists to third parties for broad marketing purposes unrelated to the individuals' professional roles (the Compu-Finder scenario).
- Reputational or informational publication (rating websites, employer-review platforms, public complaint boards—where the primary purpose is to publish about the individual, not to communicate with the individual in a professional capacity, per RateMDs).
In all these scenarios, the use is not solely for professional communication, and PIPEDA applies in full—requiring consent under Principle 4.3, compliance with the subsection 5(3) appropriate-purposes test, and adherence to the safeguards and accountability obligations in Schedule 1.
## Section 4.01 is a complete carve-out, not a consent exception
Unlike the section 7 exceptions (which permit collection, use, or disclosure without consent but still bind the organization to all other PIPEDA principles), section 4.01 removes business contact information entirely from the scope of Part 1 when its conditions are met. The organization is not required to:
- Obtain consent (Principle 4.3).
- Limit collection to identified purposes (Principle 4.4).
- Provide access on request (Principle 4.9).
- Maintain records of use or disclosure (Principle 4.8).
- Implement safeguards proportionate to sensitivity (Principle 4.7).
- Comply with the breach-notification regime under sections 10.1–10.3 (because the information is outside Part 1 entirely).
This makes section 4.01 far more permissive than a section 7 exception—but only if the organization stays within the narrow "solely for the purpose" lane. Organizations that attempt to stretch section 4.01 to cover secondary marketing, profiling, or resale activities lose the carve-out entirely and face potential OPC findings of non-compliance with Principle 4.3 and subsection 5(3).
## Interaction with the publicly-available-information exception and CASL
Business contact information is frequently also publicly available (published in professional directories, corporate websites, LinkedIn profiles). When business contact information is both (a) carved out under section 4.01 and (b) publicly available within the meaning of the Regulations Specifying Publicly Available Information, organizations have two independent bases to collect, use, or disclose without consent:
- Section 4.01 (if the use is solely for professional communication).
- Sections 7(1)(d), 7(2)(c.1), 7(3)(h.1) (if the information is specified by regulation and the collection, use, or disclosure relates directly to the purpose for which it was made publicly available).
In RateMDs, the OPC held that the physician's business contact information—though not exempt under section 4.01—was publicly available under the regulations, permitting the website to publish it without consent under the publicly-available-information exception. Organizations may fall back on the section 7 publicly-available exception even when section 4.01 does not apply, but they remain bound by all other PIPEDA principles (safeguards, accountability, appropriate purposes under subsection 5(3)) and must ensure that the use "relates directly to the purpose for which the information appears" in the public source (paragraph 1(b) of the regulations).
Separately, Canada's Anti-Spam Legislation (CASL) regulates the sending of commercial electronic messages (CEMs). PIPEDA governs collection, use, and disclosure of personal information; CASL governs the transmission of CEMs. The two regimes overlap but are not coextensive. Even if an organization's use of a work email address is exempt from PIPEDA under section 4.01, the organization must still comply with CASL's consent, identification, and unsubscribe requirements when sending a CEM, unless a CASL exception applies (such as the business-to-business exception in section 10(9) of CASL for messages sent to a business email address when the message concerns the recipient's business activities). Organizations must analyze PIPEDA and CASL independently; section 4.01 does not create a blanket CASL exemption.
## Provincial regimes: Alberta, BC, and Quebec
Alberta PIPA and British Columbia PIPA do not contain a section 4.01 equivalent. Instead, both statutes define "personal information" to exclude "business contact information" altogether—business contact information is simply not personal information under those Acts. Quebec's Law 25 (amending the Act respecting the protection of personal information in the private sector) does not exclude business contact information from the definition of personal information, and Quebec organizations must comply with Law 25's consent and transparency requirements even when handling business contact information. Organizations operating under provincial substantially similar legislation should not rely on section 4.01; they must consult the applicable provincial statute and guidance from the provincial commissioner.
Organizations handling cross-border or inter-provincial personal information remain subject to PIPEDA for that portion of their operations (section 4(1)(a)), even when they are otherwise subject to provincial law for intra-provincial activity. For such organizations, section 4.01 applies to the federal-PIPEDA-covered portion of their business contact information processing.
## Practical compliance takeaways
- Document the purpose. When relying on section 4.01, maintain records showing that each use is solely for professional communication—tie email campaigns to job titles, business functions, or stated professional interests; avoid consumer marketing to work addresses.
- Segregate business and consumer contact. Do not commingle business contact information collected under section 4.01 with consumer marketing lists or cross-reference with personal social-media profiles.
- Test the "solely" requirement. Ask: is every message or disclosure relevant to the recipient's professional role? If a message is consumer-oriented (vacation deals, retail promotions, personal finance products), section 4.01 fails and you need consent.
- Fall back on section 7 exceptions when needed. If the business contact information is publicly available under the regulations, you may still collect, use, or disclose without consent under sections 7(1)(d)/(2)(c.1)/(3)(h.1)—but remain bound by all other PIPEDA principles.
- Do not conflate PIPEDA and CASL. Section 4.01 does not exempt you from CASL. Analyze both regimes independently.
Sources:
- Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, section 4.01
- Personal Information Protection and Electronic Documents Act, section 2(1), definition of "business contact information"
- PIPEDA Interpretation Bulletin: Personal Information, Office of the Privacy Commissioner of Canada
- PIPEDA Report of Findings #2016-003 (Compu-Finder), Office of the Privacy Commissioner of Canada
- PIPEDA Findings #2020-002 (RateMDs), Office of the Privacy Commissioner of Canada
Sensitive personal information — the contextual test under Principle 4.3.4 and its dual impact on consent form and safeguards
Under PIPEDA, sensitivity is a contextual concept that drives two distinct compliance obligations: the form of consent an organization must obtain (express or implied, governed by Principles 4.3.4–4.3.6 of Schedule 1) and the level of safeguards required to protect the information (Principle 4.7 and section 10.1(8) of the Act). Unlike the European Union's GDPR, which enumerates nine "special categories" of personal data in Article 9 that trigger an outright processing prohibition subject to enumerated exceptions, PIPEDA does not define a closed list of sensitive categories. Instead, Principle 4.3.4 states: "Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context."
This contextual approach requires organizations to assess sensitivity on a fact-specific basis, examining both the inherent nature of the information and the purpose, risk environment, and reasonable expectations surrounding its collection, use, or disclosure. The Office of the Privacy Commissioner of Canada (OPC)—the independent federal oversight authority for PIPEDA—has interpreted Principle 4.3.4 as requiring organizations to evaluate sensitivity in light of the risk of harm to the individual, broadly understood to include material harm, reputational harm, restrictions on autonomy, identity theft, humiliation, and damage to employment or social relationships.
## The statutory framework: Principle 4.3.4 and Principle 4.7
Principle 4.3.4 provides: "The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive."
The Principle illustrates the contextual test with a concrete example: the same data element (name and address) shifts from non-sensitive to sensitive when the context (the special-interest magazine's subject matter) changes the risk of harm or the reasonable expectations of the subscriber. A subscriber list for a general newsmagazine carries minimal sensitivity because disclosure would not ordinarily lead to harm; a subscriber list for a magazine addressing sexual health, political activism, or religious practice is sensitive because disclosure could cause embarrassment, discrimination, or reputational harm.
Principle 4.7 binds organizations to protect personal information with "security safeguards appropriate to the sensitivity of the information." Principle 4.7.2 elaborates: "The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4."
Sensitivity thus operates as a two-way lever: high-sensitivity information triggers both a requirement for express (opt-in) consent under Principle 4.3.4 and a requirement for heightened safeguards (encryption, access controls, physical security, organizational measures) under Principle 4.7. The OPC's Interpretation Bulletin on Safeguards states plainly: "Organizations must put in place security safeguards that are commensurate with the level of sensitivity of the personal information involved."
## Categories of information generally considered sensitive
In August 2021, the OPC updated its guidance to "reaffirm some of the types of personal information generally considered sensitive in the context of PIPEDA." The OPC's Interpretation Bulletin: Sensitive Information (as updated) and its enforcement decisions have identified the following categories as generally sensitive, meaning that organizations should presume sensitivity unless the specific context clearly demonstrates otherwise:
1. Medical and health information. The Federal Court held in Townsend v. Sun Life Financial (2012 FC 550) that "medical information is of the utmost sensitivity and should receive the highest degree of protection." The OPC has consistently required express consent for collection, use, or disclosure of medical diagnoses, treatment records, prescription histories, genetic information, mental health records, and disability status. In PIPEDA Report of Findings #2014-001 (Google health-search targeting), the OPC found that an individual's online activities and viewing history of health-related websites—even when the information was not stored in identifiable form by the organization—constituted sensitive personal health information requiring express consent for behavioral advertising. The Commissioner held that implied consent was "not appropriate" for the use of sensitive health search queries for ad targeting.
2. Financial information. In multiple Federal Court and OPC decisions, financial information—including annual income, credit history, account balances, transaction records, credit scores, and debt status—has been held to be "generally extremely sensitive." The Federal Court observed in Ristimaki v. Cooper (2013 FC 1099) that "financial information is one of the types of private information that falls at the heart of a person's 'biographical core,'" citing the Supreme Court of Canada's analysis in R. v. Cole (2012 SCC 53). The OPC has held that organizations may not rely on opt-out (implied) consent to disclose "sensitive financial information such as annual income and credit history" for secondary marketing purposes (PIPEDA Interpretation Bulletin on Form of Consent, citing PIPEDA Case Summary #2003-192). However, the OPC and courts have recognized that the degree of sensitivity of specific financial information is contextual: for example, the current balance of a mortgage may be less sensitive when related financial information is already in the public domain (such as the purchase price and mortgage principal recorded in a land registry).
3. Biometric identifiers. Fingerprints, facial recognition templates, iris scans, voice prints, palm-vein scans, DNA profiles, and gait recognition data are generally sensitive because they are unique, permanent, and non-revocable—an individual cannot change a compromised biometric the way they change a password. The OPC has required express consent for biometric collection even when the raw biometric image is immediately converted to an encrypted, non-reversible template and is stored separately from other personal information (PIPEDA Case Summary #2011-012, palm-vein scanning for GMAT test authentication). In PIPEDA Report of Findings #2021-001 (Clearview AI), a joint investigation by the OPC and three provincial commissioners, the regulators found that "facial images collected and used for the purpose of biometric facial recognition" are inherently sensitive and require express consent.
4. Information about children. The OPC takes the position—set out in its May 2018 Guidelines for obtaining meaningful consent and reiterated in its public guidance on Principle 4.3 (Consent)—that anyone under the age of 13 is, in all but exceptional circumstances, unable to provide meaningful consent themselves. Organizations must obtain consent from a parent or guardian. For youth aged 13 and older who can provide consent, the consent process must "reasonably consider their level of maturity"—simplified language, age-appropriate explanations, and just-in-time contextual notices. Information about children (educational records, browsing history, geolocation, social connections) is generally sensitive because children face heightened risks of exploitation, predatory contact, and long-term reputational harm.
5. Geolocation data (context-dependent). Precise real-time geolocation tracking—particularly when continuous or when it reveals patterns of movement (home address, workplace, places of worship, medical facilities, political rallies)—is generally sensitive because it can expose an individual's habits, associations, health conditions, political affiliations, and vulnerabilities. The OPC has found that GPS tracking of employees requires express consent when the tracking extends beyond what is necessary for the employment relationship and when the information collected is location data that could reveal sensitive patterns (PIPEDA Case Summary #2009-011, transit driver objecting to GPS on work vehicle—Commissioner found the geolocation in that case was not sensitive because it was limited to work hours, necessary for service delivery, and did not track off-duty movements; contrast with cases involving continuous consumer location tracking for behavioral advertising, where express consent is required).
6. Information revealing sexual orientation, political opinions, religious or philosophical beliefs, racial or ethnic origin, trade union membership. While PIPEDA does not codify these as "special categories" in the manner of GDPR Article 9, the OPC has consistently held that information revealing these attributes is contextually sensitive because disclosure can lead to discrimination, harassment, or social stigma. The sensitivity arises not only from the data element itself but from inferences that can be drawn: for example, a subscriber list for a magazine addressing LGBTQ+ issues, a membership roster for a political advocacy group, or attendance records for a religious institution.
7. Payroll and employee compensation information. The OPC has held that "payroll information is considered highly sensitive personal information in need of stronger protection and must be protected from all but a few authorized personnel in order to be adequately safeguarded" (PIPEDA Case Summary #2003-190, bank opens former employee's mail; PIPEDA Case Summary #2003-242, individual objects to temporarily assigned workers handling payroll). Express consent is required before disclosing employee compensation to third parties unless a section 7 exception applies (such as section 7(3)(c) for court orders or section 7.3 for necessary employment-relationship purposes).
8. Profiles created by combining data elements. The OPC has held that profiles created by aggregating multiple data elements—even when each individual element is low-sensitivity—can acquire sensitivity when combined, particularly in a high-risk environment. In PIPEDA Report of Findings #2020-003 (Dell), the Commissioner found: "Profiles created by combining several data elements (i.e. customer names, contact details, interactions with an organization) can have a certain degree of sensitivity which can be further heightened by the known risk environment (in this case, the proliferation of targeted tech support scams) and the potential resulting harms from a breach." The OPC held that "data elements, when combined, can be exploited by malicious individuals to steal the identities of the persons concerned. The safeguards used to protect the information should therefore be commensurately high" (PIPEDA Report of Findings #2020-005, Desjardins breach involving 2.7 million individuals).
9. Neural data. In its August 2021 update, the OPC added "neural data" to the list of personal information that will generally be considered sensitive and require a higher degree of protection. Neural data—information about brain activity collected via EEG, fMRI, brain–computer interfaces, or other neurotechnology—can reveal cognitive states, emotional responses, mental health conditions, and neurological disorders, and is considered highly sensitive because of the profound privacy implications and the potential for discriminatory use.
## The contextual factors: how to assess sensitivity
When an organization cannot rely on the "generally sensitive" categories above, it must assess sensitivity contextually by examining:
1. The inherent nature of the information. Some data types—medical diagnoses, genetic test results, financial account balances, biometric templates—carry inherent sensitivity because disclosure would ordinarily cause harm regardless of context.
2. The purpose for which the information is collected, used, or disclosed. The same information may be low-sensitivity for one purpose and high-sensitivity for another. The OPC has held: "In light of the purpose of PIPEDA, and the underlying balance it seeks to achieve between protecting personal information and allowing organizations to use personal information for reasonably appropriate purposes, the Act favours a contextual approach in assessing whether personal information is sensitive for the purpose of determining the appropriate form of consent an organization should seek" (PIPEDA Report of Findings #2012-002, Facebook email addresses used to suggest friends). An email address collected for transaction confirmation is low-sensitivity; the same email address mined to infer social connections or used to build a behavioral advertising profile is contextually sensitive.
3. The reasonable expectations of the individual. Principle 4.3.5 provides: "In obtaining consent, the reasonable expectations of the individual are also relevant." The OPC assesses reasonable expectations by examining the pre-existing relationship, industry norms, the manner in which the individual disclosed the information (actively vs. passively), and whether the use aligns with the stated purpose. In PIPEDA Case Summary #2019-006 (Grey House directory scraping), the OPC found that while the complainant had freely posted his business contact information publicly, he "could not have reasonably expected that his personal information would be collected by a third party publishing company and then inserted into a national print directory … Nor could the complainant have expected that his information would then be included in a distribution list sold to a federal government department." The contextual shift from professional networking to commercial resale made the use more sensitive than the individual's original disclosure.
4. The risk environment and potential harms. The OPC's May 2018 Guidelines for obtaining meaningful consent state: "Underlying the contextual analysis of both sensitivity and reasonable expectations is risk of harm to the individual. Harm should be understood broadly, including material and reputational impacts, restrictions on autonomy, and other factors." The OPC takes the position that when there is a meaningful residual risk of significant harm (risks that remain after mitigation measures), the information is sensitive and requires express consent. "Significant harm" is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property. The known risk environment—such as the proliferation of targeted scams, data breaches in the sector, or the targeting of vulnerable populations—heightens sensitivity.
5. The amount, distribution, and format of the information. Large-scale data sets, widely distributed information, and information in easily searchable or linkable formats are more sensitive than isolated, siloed records. Principle 4.7.2 requires organizations to consider "the amount, distribution, and format of the information" when designing safeguards. A single employee's home address stored in a locked HR file is less sensitive than a database of 10,000 employees' addresses accessible to call-center staff across multiple countries.
## The dual compliance impact: express consent and heightened safeguards
When information is determined to be sensitive (either because it falls into a "generally sensitive" category or because contextual analysis reveals sensitivity), the organization faces two independent obligations:
1. Express (opt-in) consent is required. Principle 4.3.6 states: "An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive." The OPC has held: "Express consent is the most appropriate and respectful form of consent to use in any circumstances; implied consent can be acceptable in strictly defined circumstances" (PIPEDA Interpretation Bulletin on Form of Consent). For sensitive information, those "strictly defined circumstances" essentially do not exist—organizations must obtain affirmative, unambiguous consent. The section 6.1 meaningful-consent standard (added by the Digital Privacy Act 2015) requires that the individual understand the consequences of consenting, including the meaningful residual risks of significant harm. For sensitive information, organizations must highlight those risks in the consent flow.
2. Security safeguards must be commensurate with sensitivity. Principle 4.7 and Principle 4.7.2 require that "more sensitive information should be safeguarded by a higher level of protection." The OPC's Interpretation Bulletin on Safeguards provides concrete examples: medical information "must be protected by strict safeguards" (PIPEDA Case Summary #2003-226); payroll information "must be protected from all but a few authorized personnel" (PIPEDA Case Summary #2003-242); financial transaction records must be encrypted in transit and at rest, with role-based access controls. When a breach of security safeguards occurs, section 10.1(8) of PIPEDA requires organizations to assess whether the breach creates a real risk of significant harm (RROSH) by examining, among other factors, "(a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused." If RROSH exists, the organization must notify affected individuals (subsection 10.1(3)) and the OPC (subsection 10.1(1)). Sensitivity is thus the first statutory factor in the breach-notification trigger.
## Examples from OPC enforcement: sensitivity in practice
Medical context. In PIPEDA Report of Findings #2014-001 (Google), advertisements for CPAP machines (used to treat sleep apnea) followed a user across unrelated websites after the user visited health sites about sleep disorders. The OPC held that the user's "online activities and viewing history of health related websites" constituted sensitive personal health information. The Commissioner found: "Therefore, implied consent for the collection or use of the complainant's sensitive personal health information for the purpose of delivering ads based on the complainant's online behaviour is not appropriate, and express consent is required. Since Google did not seek express consent in the circumstances, we are of the view that in this context, Google has contravened Principles 4.3 and 4.3.6 of the Act."
Financial context. In PIPEDA Case Summary #2003-192, a bank used opt-out consent clauses to disclose customer financial information (including annual income and credit history) to affiliates for secondary marketing purposes. The OPC found that "while it may be reasonable for an organization to rely on opt-out consent to disclose customer contact information for secondary marketing purposes, it cannot do so if it intends to disclose sensitive financial information such as annual income and credit history." The bank was held in contravention of Principle 4.3.4.
Biometric context. In PIPEDA Case Summary #2011-012, the Graduate Management Admission Council (GMAC) introduced palm-vein scanning to authenticate GMAT test-takers and prevent impersonation. The complainant objected, arguing that biometric data is inherently sensitive. The OPC found that while palm-vein scans are generally sensitive, the contextual factors—immediate conversion to an encrypted, non-reversible template; no retention of raw images; storage separate from other personal information; use of a "non-trace" biometric that does not leave latent images—reduced the sensitivity such that the informed consent obtained (with clear explanation of the technology, purpose, and safeguards) was acceptable. The decision illustrates that mitigation measures and transparency can affect the contextual sensitivity analysis, but organizations bear the burden of demonstrating that the measures are effective.
Special-interest subscriber lists. Principle 4.3.4's own example—subscribers to "some special-interest magazines"—has been applied by the OPC to hold that any information revealing membership in a group or interest that could lead to stigma, discrimination, or harm is contextually sensitive. The names and addresses of subscribers to a health magazine addressing HIV/AIDS, a political advocacy newsletter, or a religious publication are sensitive because of the inferences third parties could draw.
## Interaction with subsection 5(3): consent does not cure inappropriate purposes
Even when an organization obtains valid express consent for the collection, use, or disclosure of sensitive personal information, the processing must still satisfy the independent "appropriate purposes" requirement in subsection 5(3) of PIPEDA, which states: "An organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances." The OPC's May 2018 Guidance on inappropriate data practices identifies a five-factor balancing test that incorporates sensitivity as the first factor: "(1) The degree of sensitivity of the personal information at issue; (2) Whether the organization's purpose represents a legitimate need / bona fide business interest; (3) Whether the collection, use and disclosure would be effective in meeting the organization's need; (4) Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and (5) Whether the loss of privacy is proportional to the benefits."
The Guidance identifies purposes that are offside subsection 5(3) even with consent, including: collection, use, or disclosure that is otherwise unlawful; profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law; and collection, use, or disclosure for purposes that are known or likely to cause significant harm to the individual. Highly sensitive information combined with a high-harm purpose can fail the subsection 5(3) test regardless of consent.
## Provincial regimes: sensitivity under Alberta PIPA, BC PIPA, and Quebec Law 25
**Alberta Personal Information Protection Act (PIPA) and British Columbia PIPA** each contain parallel sensitivity-based consent requirements. Both statutes require organizations to determine the form of consent based on the sensitivity of the information and the reasonable expectations of the individual. The Alberta and British Columbia privacy commissioners were signatories to the May 2018 joint Guidelines for obtaining meaningful consent and apply substantially the same contextual test as the OPC.
**Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25** (which came into force in stages between September 2022 and September 2024), codifies the concept of "sensitive personal information" and imposes heightened obligations. Article 12 of the Quebec Act (as amended) defines sensitive information as "personal information which, due to its nature, particularly its medical, biometric or otherwise intimate nature, or due to the context of its use or communication, entails a high expectation of privacy." Law 25 requires express consent for collection, use, or disclosure of sensitive information (subject to statutory exceptions) and mandates privacy impact assessments (PIAs) for "any acquisition, development or overhaul of an information system or electronic service delivery system involving the collection, use, release, keeping or destruction of personal information" when sensitive information is involved or when the processing presents a risk of serious injury (Article 3.3). Interpretation and enforcement of the Quebec Act fall to the Commission d'accès à l'information (CAI), which Quebec organizations must consult on these questions.
Organizations handling cross-border or inter-provincial personal information remain subject to PIPEDA for that portion of their operations (section 4(1)(a)), even when they are otherwise subject to provincial law for intra-provincial activity. For such organizations, the PIPEDA contextual sensitivity test applies to the federal-PIPEDA-covered portion of their processing.
## Practical compliance takeaways
- Start with the "generally sensitive" categories. If the information falls into one of the OPC's identified categories (medical, financial, biometric, children, geolocation, revealing sexual orientation / political opinions / religious beliefs / ethnic origin, payroll, neural data, aggregated profiles in high-risk environments), presume sensitivity and require express consent and heightened safeguards unless you can demonstrate that the specific context clearly negates sensitivity.
- Conduct a contextual analysis for all other information. Ask: (1) What is the inherent nature? (2) What is the purpose? (3) What are the reasonable expectations of the individuals? (4) What are the residual risks of harm after mitigation? (5) What is the risk environment (data breaches in the sector, targeting of vulnerable populations, potential for discriminatory use)?
- Document your sensitivity assessment. Accountability under Principle 4.1 requires organizations to be able to demonstrate compliance. Maintain records showing why you determined information to be sensitive or non-sensitive, including the contextual factors you weighed.
- Design safeguards proportionate to sensitivity. Medical and financial information demand encryption, role-based access, audit logging, and physical security. Low-sensitivity business contact information may require only basic access controls. Principle 4.7.2 requires the safeguards to be "commensurate with the level of sensitivity."
- Highlight residual risks when seeking consent for sensitive information. Section 6.1 and the May 2018 Guidelines require that individuals understand the consequences of consenting, including meaningful residual risks of significant harm. For sensitive information, the consent flow must explain what could go wrong even after mitigation measures.
- Remember that sensitivity is dynamic. Information that is low-sensitivity when collected for one purpose can become sensitive when repurposed, combined with other data, or disclosed in a different context. Each new use or disclosure requires a fresh sensitivity assessment.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Schedule 1, Principle 4.3.4
Source: Personal Information Protection and Electronic Documents Act, Schedule 1, Principle 4.7
Source: PIPEDA Interpretation Bulletin: Sensitive Information, Office of the Privacy Commissioner of Canada
Source: PIPEDA Interpretation Bulletin: Safeguards, Office of the Privacy Commissioner of Canada
Source: Guidelines for obtaining meaningful consent, Office of the Privacy Commissioner of Canada (May 2018)
Source: Announcement: OPC updates guidance regarding sensitive information (August 2021), Office of the Privacy Commissioner of Canada
Section 7 fraud-detection and breach-investigation exceptions — the "would compromise" gateway and section 7.1 anti-harvesting limits
Sections 7(1)(b), 7(3)(d.1), and 7(3)(d.2) of PIPEDA permit organizations to collect, use, and disclose personal information without the knowledge or consent of the individual when investigating breaches of agreements, contraventions of law, or fraud—but only when obtaining consent "would compromise" the investigation or the ability to detect, suppress, or prevent fraud. These exceptions, added or substantially amended by the Digital Privacy Act in 2015, are critical for financial institutions, e-commerce platforms, insurers, and employers responding to fraud, theft, account takeovers, and cybersecurity incidents. The Office of the Privacy Commissioner (OPC) has made clear that the "would compromise" threshold is narrowly construed and that section 7.1 prohibits reliance on these exceptions for address-harvested or spyware-collected information, even when the underlying purpose (fraud detection) would otherwise qualify.
## Section 7(1)(b): Collection for breach or contravention investigations
Section 7(1)(b) states that an organization may collect personal information without the knowledge or consent of the individual when "it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province."
This exception permits collection (the initial gathering of personal information) without consent when two conditions are met:
1. The collection is reasonable for investigating a breach of an agreement or a contravention of law. The investigation must relate to a specific suspected breach or contravention—not generalized compliance monitoring or speculative data mining. A "breach of an agreement" includes employee misconduct violating an employment contract, vendor fraud breaching a supply agreement, or a customer dispute involving alleged contract violations. A "contravention of the laws of Canada or a province" includes suspected violations of the Criminal Code (fraud, theft, identity theft), provincial consumer-protection statutes, or federal financial-services regulations.
2. Obtaining consent would compromise the availability or accuracy of the information. The OPC interprets "compromise the availability or the accuracy" to mean that notifying the individual would cause them to destroy, conceal, or alter evidence or would otherwise obstruct the investigation. For example, an employer investigating suspected employee theft may collect email logs, access logs, and transaction records without notifying the employee because advance notice would give the employee an opportunity to delete incriminating files or fabricate exculpatory records. The burden is on the organization to demonstrate that the "would compromise" condition is met on the specific facts of the case—blanket policies asserting that all investigations require secrecy do not satisfy the standard.
Section 7(1)(b) applies only to collection, not to use or disclosure. Once the organization has collected the information without consent under section 7(1)(b), it may use the information for the investigation under section 7(2)(b) (discussed in the existing guide section) and may disclose it under section 7(3)(d.1) (discussed below) or to law enforcement under section 7(3)(c) or section 7(3)(d) (court orders and voluntary disclosures to government institutions with reasonable grounds to believe the information relates to a contravention of law).
## Section 7(3)(d.1): Disclosure to another organization for breach or contravention investigations
Section 7(3)(d.1), added by the Digital Privacy Act in 2015, permits disclosure of personal information without consent when it is "made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation."
This exception replaced PIPEDA's previous "designated investigative body" regime (which maintained a public list of investigative bodies to whom disclosures could be made). Under section 7(3)(d.1), an organization may now disclose to any other organization—not only to government investigative bodies—when the conditions are met. The OPC's March 2017 guidance document Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA emphasizes that this change increases accountability obligations because there is no longer a publicly verifiable list of permissible recipients.
### The four statutory conditions
1. The disclosure is made to another organization. "Organization" is defined in section 2(1) of PIPEDA to include associations, partnerships, persons (including sole proprietorships), and trade unions. The recipient may be a private-sector fraud analytics firm, an industry consortium investigating coordinated fraud schemes, a financial institution coordinating with other banks to trace money-laundering networks, or an insurance company investigating suspected collusion with a claimant. The exception does not permit disclosures to government institutions—those are governed by separate exceptions under section 7(3)(c), (c.1), (c.2), or (d).
2. The disclosure is reasonable for investigating a breach of an agreement or a contravention of law. The same "specific suspected breach or contravention" requirement that applies under section 7(1)(b) applies here. The disclosure must be reasonably related and proportionate to the investigation. The OPC's March 2017 guidance states: "Organizations should be able to demonstrate, if/when called upon to do so, how each disclosure is reasonable for the stated purposes." Over-disclosure of unrelated information (for example, disclosing an entire customer account history when the investigation concerns only a single disputed transaction) violates the exception and triggers liability under Principle 4.5 (limiting use and disclosure to identified purposes).
3. The breach or contravention has been, is being, or is about to be committed. Section 7(3)(d.1) covers past, ongoing, and imminent contraventions. The organization must have formed a reasonable belief that the breach or contravention falls into one of these three temporal categories. Purely speculative disclosures based on theoretical future fraud scenarios do not qualify.
4. It is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation. This is the "would compromise" gateway, and the OPC interprets it narrowly. In its March 2017 guidance, the OPC states: "Before disclosing personal information under paragraph 7(3)(d.1), an organization must turn its mind to and have formed a reasonable expectation that disclosure with the knowledge or consent of the individual would compromise the investigation." The compromise must be specific to the individual and the investigation at hand—not a generalized assertion that fraud investigations always require secrecy. Typical scenarios that satisfy the test: notifying the individual would allow them to move funds offshore, destroy evidence, intimidate witnesses, or coordinate a cover-up with co-conspirators.
## Section 7(3)(d.2): Disclosure to another organization for fraud detection, suppression, or prevention
Section 7(3)(d.2), also added in 2015, permits disclosure without consent when it is "made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud."
Section 7(3)(d.2) is broader in scope than section 7(3)(d.1) because it permits disclosures for detecting, suppressing, and preventing fraud—not only for investigating an already-suspected fraud. This exception is commonly invoked by financial institutions participating in fraud-detection consortia, insurers pooling claims data to identify patterns of insurance fraud, and e-commerce platforms sharing account-takeover indicators with payment processors.
### The four statutory conditions
1. The disclosure is made to another organization. Same definition and scope as section 7(3)(d.1).
2. The disclosure is reasonable for detecting, suppressing, or preventing fraud. "Fraud" is not defined in PIPEDA. The OPC and courts interpret it in accordance with its ordinary legal meaning: dishonest conduct intended to deprive another of property or a legal right, typically encompassing fraud under section 380 of the Criminal Code, insurance fraud, identity theft, payment-card fraud, account takeover, and phishing schemes. The disclosure must be reasonably tailored to the fraud-detection purpose. The OPC's March 2017 guidance states: "Organizations must ensure that disclosures of personal information for the purposes of detecting or suppressing fraud or of preventing fraud are reasonably related and proportionate to a specified purpose and should not over-reach in their scope."
3. The fraud is being detected or suppressed, or is likely to be committed and the disclosure is for prevention. Unlike section 7(3)(d.1), which requires that the contravention "has been, is being, or is about to be committed," section 7(3)(d.2) permits disclosures to prevent fraud that is likely to be committed—a somewhat lower threshold that permits preventive fraud analytics. The organization must demonstrate that the fraud scenario is likely (more than speculative) based on indicators such as transaction patterns, device fingerprints, IP geolocation anomalies, or behavioral analytics.
4. It is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect, or suppress fraud. The "would compromise" gateway applies with equal force to section 7(3)(d.2). The OPC's March 2017 guidance emphasizes: "Organizations must ensure that the precise requirements set out in the relevant paragraph have been met and should document their rationale before initiating a disclosure." The compromise test is met when notifying the individual would alert fraudsters to the detection mechanism, allowing them to adapt their tactics, switch accounts, or cease the fraud temporarily to evade detection. For example, a bank disclosing transaction data to a fraud-analytics consortium to identify synthetic-identity fraud satisfies the test because notifying each account holder of the disclosure would reveal the detection methodology to any fraudsters in the data set, compromising the fraud-prevention system.
## The OPC's March 2017 guidance: accountability, documentation, and transparency safeguards
In response to concerns that sections 7(3)(d.1) and 7(3)(d.2) permit "invisible" disclosures without transparency or oversight, the OPC issued comprehensive guidance in March 2017 (Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA) setting out mandatory accountability measures:
1. Document the rationale before disclosure. "Organizations must ensure that the precise requirements set out in the relevant paragraph have been met and should document their rationale before initiating a disclosure." The documentation must show how the disclosure is reasonable, how the "would compromise" test is satisfied, and what information is being disclosed.
2. Do not take requests at "face value." When an organization receives a request for disclosure from another organization invoking section 7(3)(d.1) or (d.2), the recipient must independently verify that the conditions are met. The OPC states: "Claims from requesting organizations should not be taken at 'face value.' The organization receiving such requests should take certain measures, such as asking for and documenting the rationale and bona fide nature of a claim from the requesting organization."
3. Develop and publish policies. "An organization should develop policies and procedures setting out how it requests and/or responds to these disclosures. Organizations should be open about their policies and practices and make them available to individuals." Principle 4.8 (Openness) requires organizations to make information about their policies and practices available to individuals without unreasonable effort.
4. Train employees on an ongoing basis. "Any related policies and procedures should be accompanied with up-to-date training for employees on an on-going basis."
5. Consider transparency reporting. "Organizations could further consider reporting publicly on the number and types of disclosures made on an annual or semi-annual basis, using aggregate and anonymized data." This is a recommended (not mandatory) practice intended to provide public accountability without compromising ongoing investigations.
6. Honor data-subject access rights unless an exception applies. "Individuals generally have the right to access their personal information, including obtaining an account of the third parties to whom their personal information has been disclosed. Organizations must provide access to personal information on request, unless an exception under PIPEDA applies." Section 9(2)(b) permits an organization to refuse access if providing access would reveal confidential commercial information, and section 9(2.2) permits refusal if providing access could reasonably be expected to threaten the safety or physical or mental health of the individual or another individual. Organizations relying on sections 7(3)(d.1) or (d.2) must analyze whether an access-request exception applies on a case-by-case basis—the mere fact that a disclosure was made under section 7(3)(d.1) or (d.2) does not automatically exempt the organization from the duty to provide an account of disclosures under Principle 4.9.
## Section 7.1: Prohibition on reliance for address-harvested and spyware-collected information
Section 7.1, added in 2014 when Canada's Anti-Spam Legislation (CASL) came into force, strips sections 7(1)(b), 7(2), and 7(3)(d.1) and (d.2) of effect when the personal information was collected by address harvesting or spyware. Section 7.1(2) states:
> Paragraphs 7(1)(a), (c) and (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of:
>
> (a) the collection of an individual's electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or
>
> (b) the use of an individual's electronic address, if the address is collected by the use of a computer program described in paragraph (a).
Section 7.1(1) extends the same prohibition to the collection or use of personal information "by means of accessing a computer system in contravention of an Act of Parliament" (spyware and unauthorized computer access).
### Practical impact: no fraud-detection exception for harvested email lists
Even if an organization's purpose is legitimate fraud detection under section 7(3)(d.2), the organization cannot rely on that exception if the email addresses or other personal information were collected via address-harvesting software (web scrapers, dictionary-attack generators, email-address harvesters). The OPC's PIPEDA Report of Findings #2016-003 (Compu-Finder) illustrates the application. Compu-Finder used address-harvesting software to compile approximately 170,000 email addresses between 2012 and 2014, then sold access to this database to third-party marketers. Compu-Finder argued that some of its email campaigns were "entirely business-to-business" and that it was exempt under section 4.01 (the business-contact-information carve-out). The OPC held that section 7.1(2) barred reliance on any PIPEDA exception—including the section 7 fraud-detection exceptions—for addresses collected via harvesting software. The Commissioner stated: "Even if the e-mail addresses could be considered 'publicly available', we note that Compu-Finder would not be entitled to rely on this exemption for the e-mail addresses it obtained through the use of address harvesting software pursuant to paragraphs 7.1(2) of the Act."
Organizations that purchase email lists from third-party vendors bear the risk that the list was compiled through address harvesting. The OPC's Helpful tips for businesses doing e-marketing states plainly: "When buying a list of addresses from a vendor or employing a firm to conduct e-marketing on your behalf, be sure to ask: Where do they get e-mail addresses and how were they gathered? … Even when your organization relies on a third-party to collect e-mail address lists for marketing purposes, you are responsible for ensuring that appropriate consent is obtained." If the vendor harvested the addresses, the purchasing organization cannot rely on section 7(3)(d.2) to disclose those addresses to a fraud-detection consortium, even if the disclosure would otherwise satisfy the "would compromise" test.
## Interaction with subsection 5(3): the "appropriate purposes" independent gate
Even when an organization satisfies all four conditions of section 7(3)(d.1) or (d.2), the disclosure must still pass the independent "appropriate purposes" test in subsection 5(3), which states: "An organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances." The OPC's March 2017 guidance reminds organizations: "Even though information-sharing may occur in specified circumstances without consent, an organization is still required to fulfill its other PIPEDA obligations, including but not limited to, limiting the disclosure of personal information, safeguarding it, and ensuring that any disclosure of personal information is only for purposes that a reasonable person would consider are appropriate in the circumstances."
The OPC's May 2018 Guidance on inappropriate data practices identifies a five-factor balancing test for subsection 5(3): (1) the sensitivity of the information; (2) whether the purpose represents a legitimate need / bona fide business interest; (3) whether the disclosure would be effective in meeting the need; (4) whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and (5) whether the loss of privacy is proportional to the benefits. Disclosure of highly sensitive information (medical records, biometric templates, financial transaction histories) for fraud detection requires a correspondingly high showing of necessity and proportionality.
## Practical compliance takeaways
- Document the "would compromise" analysis before every disclosure. The OPC expects organizations to maintain contemporaneous records showing why notifying the individual would compromise the investigation or fraud-detection activity on the specific facts of the case. Generic boilerplate assertions do not satisfy the standard.
- Tailor disclosures to the minimum necessary. Sections 7(3)(d.1) and (d.2) do not authorize bulk data-sharing. Disclose only the personal information that is reasonably related and proportionate to the specific breach investigation or fraud-detection purpose.
- Verify requests received from other organizations. Do not take the requesting organization's assertion of section 7(3)(d.1) or (d.2) applicability at face value. Ask for and document the rationale, the specific breach or fraud being investigated, and the basis for the "would compromise" claim.
- Publish a transparency policy. Draft and make publicly available a policy describing the organization's approach to sections 7(3)(d.1) and (d.2) disclosures—including the types of investigations or fraud-detection activities that may trigger disclosures, the categories of recipient organizations, and the safeguards applied. The OPC encourages aggregate annual reporting (number of disclosures by category) to enhance public accountability.
- Screen third-party data sources for address harvesting. If your organization acquires email lists, device identifiers, or other personal information from vendors, conduct due diligence to verify that the information was not collected via address-harvesting software or spyware. Section 7.1 bars reliance on section 7 exceptions (including fraud-detection exceptions) for harvested information, and the purchasing organization bears vicarious liability under Principle 4.1.3 (accountability for third parties).
- Remember that sections 7(3)(d.1) and (d.2) do not exempt you from other PIPEDA principles. You must still implement safeguards proportionate to sensitivity (Principle 4.7), limit retention to the minimum necessary (Principle 4.5), and honor data-subject access rights unless a specific access-request exception in section 9 applies.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 7(1)(b), 7(3)(d.1), 7(3)(d.2), 7.1
Source: Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA, Office of the Privacy Commissioner of Canada (March 2017)
Source: PIPEDA Report of Findings #2016-003 (Compu-Finder), Office of the Privacy Commissioner of Canada