We’re a Canadian-based company with Canadian and U.S.-based clients. We use marketing tools from Canadian and American vendors. Moreover, we use a lot of Software-as-a-Service tools that securely store some of our business data and information “in the cloud”.
So, like our clients and many Canadian companies in general, we collect data from our prospects and customers that could be stored and/or processed in a foreign country. We’re not legal or privacy experts, so you need to seek appropriate counsel when dealing with these issues in your business.
Because of our expertise in B2B marketing and automation tools, we are often asked about the significance of PIPEDA as it relates to business-to-business marketing (here’s a link to some great privacy resources for organizations on the Privacy Commissioner of Canada’s website).
We’re also asked about common and best practices with respect to the collection, processing, and storage of marketing data in the course of marketing and selling to other businesses (as opposed to consumers).
For the sake of context, one of the big concerns for Canadian companies storing or processing data in the United States is the U.S. Patriot Act. The executive summary version is that the Act permits U.S. law enforcement officials to access any personal information about any individual without that person’s knowledge or consent. The Act would enable access to personal information of Canadian individuals if that information was physically or electronically located within the USA.
If you want deeper background reading on the subject, I recommend taking a look at the well-writtenFAQ page and more detailed Report on Assessment of Privacy Concerns Related to the USA Patriot Act published on the Treasury Board of Canada Secretariat’s website.
From the perspective of Canadian privacy compliance, any business collecting personal information needs to be aware of the implications of storing and/or processing that information in the USA. Some Canadian companies seek out data management solutions that keep all personal information within Canadian borders, while others employ other risk management strategies.
Here are the key considerations for Canadian B2B marketers
Personal information, as defined in PIPEDA, does not include things like the name, title, business address or telephone number of an employee of an organization. This is spelled out very clearly in a fact sheet about PIPEDA compliance on the Privacy Commissioner of Canada’s website.
Our advice to B2B marketing clients is typically two-fold:
- Seek expert guidance and counsel from your corporate lawyer and privacy experts
- your company is not collecting personal information which would be covered by PIPEDA
- your company will only collect business information about an individual
- as a matter of best practice and full disclosure (but NOT PIPEDA compliance), data collected through your website may be stored and or processed in a foreign country. (see the Privacy Commissioner’s website for more advice on disclosure)