Know Your Privacy Rights

1. What is Meaningful Consent? (PIPEDA s.6.1)

Under Section 6.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations may collect, use, or disclose your personal information only with your knowledge and meaningful consent.

What personal information is being collected;
With which parties personal information is being shared;
For what purposes personal information is collected, used or disclosed;
The risks, harms, or consequences.

Send these to the organization’s Privacy Officer or compliance contact if not informed of potential financial loss, identity theft, or negative effects on credit records, and keep a copy for your records.

2. What Must Institutions Tell You Before Running Your Credit?

Before conducting a credit check, any institution — including banks, telecommunications providers, lenders, utilities, insurance companies, collections agencies, or landlords — is required to provide you with:

Clear notice of their intent to obtain your consumer report;
The purpose for obtaining a consumer report (for example, to extend credit);
If your information will be shared regularly with a credit reporting agency, they must tell you why (for example, to update your credit file);
Your personal information cannot be shared with other credit grantors or agencies without your consent, and you must be notified in writing if it will be;
Notice must be easy to see and read, such as bold type, underlined letters, or a large font — never hidden in fine print;
If adverse action is taken based on the report (such as being denied credit or charged higher rates), the institution must tell you the source and your right to request details within sixty days;

This information should be presented upfront (such as at the time of the application for credit) — not buried in terms and conditions. It must also include the name and address of the consumer reporting agency providing the report when requested. Without this, your consent may not be valid under federal and provincial laws.

Submit a Complaint:

You can submit complaints regarding any institution that has accessed your consumer report, including banks, telecommunications providers, collections agencies, lenders, utilities, insurers, or landlords. If you need assistance completing your complaint, simply submit a report, and we will guide you through the process.Your personal information cannot be shared with other credit grantors or agencies without your consent, and you must be notified in writing if it will be.

3. How to Request Proof of Your Consent

You have the right to request proof of your consent under PIPEDA Section 4.9

Application forms you completed;
Any documents where you gave consent (e.g., checkboxes);
Time, date, and form of consent (e.g., physical signature or electronic signature);
If an electronic process was used — such as an online credit application or service agreement — ensure that all electronic documents are transmitted with a secure electronic signature or digital signature certificate, as required to authenticate the document for what it purports to be and to preserve the integrity of its contents. These documents must include the necessary security features to detect any modification and protect against the misuse of personal information.
Copies of the privacy policy or risk disclosures provided to you.

Submit a written request to the organization’s Privacy Officer or Compliance Contact. Under PIPEDA Section 4.9, the organization must respond within 30 days. Where information cannot be verified, the organization must either amend the record or delete unverifiable information.

4. Templates for PIPEDA Section 4.9 and CRA s.10 Requests

To simplify your request for access or correction of personal information, here are template examples:

PIPEDA s.4.9 Request:
“I am requesting access to all personal information held by your institution, including credit applications, consent records, and disclosures, pursuant to Section 4.9 of PIPEDA.”
Consumer Reporting Act(CRA) s.10 Notice:
“Please provide a copy of the written notice and consent provided to me prior to accessing my consumer report, as required by Section 10 of Ontario’s Consumer Reporting Act. This notice must comply with Section 10(6), which states: ‘Any notice referred to in this section shall be clearly set forth in bold type or underlined and in letters not less than ten point in size.’”

Instructions for Use:

Send these requests to the organization’s Privacy Officer or Compliance Contact.
Retain a copy of all correspondence for your records.
Response timelines:
- PIPEDA Section 4.9: 30 days
- CRA Section 10: 15 days

You may send these to the organization’s privacy officer or compliance contact, and retain a copy for your records.

5. Practical Tips for Requests

When making access or correction requests, keep these best practices in mind:

1. Reject sample documents – Do not accept generic or redacted forms that fail to show your actual consent or personal information.
2. Review the signature (physical or electronic) – Verify that the organization has retained the original signature record, whether handwritten or electronic (e.g., checkbox or digital consent) from the time you applied.
3. Ensure mandatory notice – Confirm that the institution provided you with the legally required notice before accessing your consumer report.
  📥 Download the Guide to Mandatory Notices Under the Consumer Reporting Act (Ontario) to learn more about your rights and what to look for in each notice.
4. Check for clear consent language – Make sure any consent you provided was explicit, informed, and clearly documented.
5. Understand key definitions – Familiarize yourself with terms like “consumer report,” “consumer reporting agency,” and “personal information” or “credit information” as defined in the Consumer Reporting Act. Knowing these definitions helps you recognize when an organization is improperly accessing or disclosing your information and strengthens your ability to challenge non-compliant practices.