3 Most Important Terms in Your Privacy Policy


Whether you are a founder drafting a Privacy Policy for your company or a customer signing one, there are three key components of a Privacy Policy that you should understand: what data is being collected, how that data is being managed, and how the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA) apply.

Data Collection

When drafting a Privacy Policy, it is important to specify and define the data that is going to be collected. Specificity is vital to an effective policy, as the drafter does not want to leave anything open to interpretation.

The type of data collected will vary with the goals of the company and what it plans to use the data for, but generally speaking, basic information such as first and last name, gender, telephone number, email address, and mailing address will be collected. Do not overlook data that is collected automatically rather than typed in by the user, such as IP addresses, device identifiers and cookie data; this also counts as personal information under both GDPR and PIPEDA and belongs in the policy.

An example of why these terms matter can be seen in the TikTok case, where the social media giant collected data on its users in breach of the terms of its own privacy policy.

Data Management

How the data is managed should be described with the same specificity as how it is collected. A company should be upfront with its customers and outline the details of how it intends to manage the data it collects. Examples include: how long the data is stored, where the data is stored, how the company uses the data, how the data is protected, and who the company may or may not share the data with. As this article is discussing a Privacy Policy, it is important to point out the significance of the last example.

If, as a company, you will be sharing data collected from your customers, the details of that relationship (who receives the data, what they receive, and for what purpose) must be disclosed to the customer. In addition, being transparent about your management practices goes a long way toward building company culture and trusting relationships with the people you care about the most: your customers.

GDPR & PIPEDA Application

Before a company collects data from its customers, it must determine whether it needs express or implied consent, and what the exceptions to consent are. The GDPR and PIPEDA have different requirements when it comes to express and implied consent and their exceptions. Understanding the differences is vital to a company's privacy compliance.

One of the differences between the GDPR and PIPEDA is the role consent plays. Under the GDPR, consent is one of several lawful bases for processing personal data (Article 6), and where a company relies on it the consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action; silence or pre-ticked boxes do not count, and explicit consent is required for special categories of data such as health data (Article 9). PIPEDA, by contrast, requires express or implied consent for the collection, use, or disclosure of personal information, with implied consent acceptable where the information is not sensitive and the use is within the individual's reasonable expectations. Where a company might rely on implied consent under PIPEDA, under the GDPR it must instead point to a different lawful basis, such as performance of a contract or legitimate interests, rather than to implied consent, which the GDPR does not recognize.

Both the GDPR and PIPEDA acknowledge that consent is not required in circumstances that involve compliance with a legal obligation. They differ in that the GDPR treats processing necessary for a task carried out in the public interest or in the exercise of official authority as a separate lawful basis, while PIPEDA lists specific exceptions to consent, such as disclosure to a government institution for law enforcement purposes or in response to a subpoena, warrant or court order.

As a general rule, determine which regulations apply from your current customer base, your anticipated future customer base, future partnerships, new products and so on, and ensure compliance with all of them. Note that the GDPR applies to a company outside the EU as soon as it offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the company itself is located. Your Privacy Policy is highly dependent on your business's functions and how you wish to scale.


In summary, company founders should pay close attention to the language in their Privacy Policy. Founders should ensure that the policy is clear, so that a reader can easily determine what information is being collected from the customer and what the company is doing with that data. As with all other aspects of running a business, the Privacy Policy must also comply with the applicable legislation (e.g. GDPR and PIPEDA).


Want to review your Privacy Policy with our legal team? Book a free scoping call here to get your document up to speed!

Written by Evan.