Tips for raising your privacy concern with a business

Reviewed: January 2024

Businesses and other commercial organizations are required to responsibly handle the personal information entrusted to them.

Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ground rules for how organizations collect, use and disclose personal information in the course of commercial activities.

When a privacy issue arises, your first step should generally be to try to resolve the issue directly with the organization. Organizations should take your concerns seriously and work with you to resolve them.

If you believe that your personal information has been mishandled, consider laying out your concerns with the organization.

General tips

Do not wait. If you have a privacy concern, raise it immediately. With time, information is deleted and memories fade. The longer that you wait to raise your concerns, the more difficult it becomes to address them.

Engage the right person. You can save time in the long run by checking the organization’s privacy policy or calling to find out to whom you should be addressing your concerns/complaints. The person responsible for privacy issues within the organization is often called the Privacy Officer.

Be crystal clear. Use simple language and be concise. Stay focused on the specific privacy issue. Consider raising your concern in writing to help to avoid misunderstandings. If you raise your concern in writing, send an email or type your letter whenever possible, or ensure you write clearly.

Be courteous. You are more likely to convey your point successfully and get the results that you are looking for if you are diplomatic. 

Set timelines. Seek firm, reasonable timelines for a response. Ask the organization to, if necessary, provide an initial response within an agreed-upon timeline, and to tell you how long it will take to provide a full response.

Be thorough and keep good records. Include all relevant details about your situation to help organizations identify you and your concerns more quickly. Provide copies of key supporting documentation. Keep originals in case you need them later. Make sure that letters are dated, take notes on all conversations and keep emails and make copies of any correspondence.

Sample letter/email

If you opt to put your concerns in writing, the following template provides a suggested starting point for drafting a letter or email outlining your privacy concerns.

Be sure to include enough information for the organization to identify you in its records (for example, full name, account numbers, address) and to contact you; and a reference number (if you have had previous contact with the organization on the matter).

 

Dear Sir/Madam (or name of person you have been in contact with previously),

I am writing to you regarding a privacy concern.

[Provide details about your concern and the specific issue. Briefly explain what occurred and, if applicable, what impact it has had on you.]

My hope is that you will be able address this/these issue(s) and alleviate my concern(s).

[If appropriate, state the specific action you would like the organization to take.]

I would appreciate a response within 30 business days. If you cannot provide a response within that time, please let me know when you will be able to respond.

Please do not hesitate to contact me at [your daytime phone number and/or your email address] if you would like additional details or to discuss the matter further.

Complaints to the Office of the Privacy Commissioner of Canada

If you are not satisfied with an organization’s response to your concerns, you may be able to file a formal privacy complaint about a business with the Office of the Privacy Commissioner of Canada.