As of July 1, 2014 (Canada Day) “Spam” is off the menu in Canada!

On that date, Canada’s new anti-spam legislation, more formally known as the Electronic Commerce Protection Act, comes into effect and Canada will have some of the harshest laws in the world controlling commercial electronic messaging by text, email or social media.

ANY electronic message sent for a commercial purpose (this includes offers or coupons, alerts to a business opportunity or sales) MUST have the consent of the recipient. This applies to business to business communication as well as business to consumer.

Consent can be obtained in two ways:

  1. Implied - if your company has a prior business relationship with the recipient in the previous 2 years
  2. Express - you have obtained written consent from the recipient to include them on your mailing list.

Note: outgoing message MUST include an “unsubscribe” option to give all recipients a chance to change their minds at any time in the future.

Exceptions of interest to dealers are warranty recall, safety or security information for the vehicle the customer owns, but those communications are restricted to those issues ONLY and dealers should not view that as a means to include sales or marketing messages.

Don’t Delay

With a few months to go dealers might want to think about how they will ensure electronic communications are not sent without consent. Date tracking customers who have done business with you in the last two years, obtaining express consents and thinking about how that consent will be obtained are all good ideas at this stage.

You are not allowed to ask for express consent by means of electronic communication after July 1, 2014, so get started now! And remember, if you do this, a form with a box already checked “yes” is not sufficient, the recipient must opt-in actively and reply.

Note: It is unlikely that the privacy “consent boxes” most dealers have on their bills of sale will satisfy the express consent requirements of the new law.

Penalties - fines can be levied up to a maximum of $1 million for individuals and $10 million for organizations (and officers and directors). After July 1, 2017 private or class actions might be brought by individuals or groups against spam creators and their officers and directors.

For more information a dealer-focused Preparedness Guide has been designed can be viewed here(pdf). This document is used with the kind permission of SCI MarketView.


There is more information on all of this available from SCI at or call 888.919.8084.

The CRTC, who is tasked with enforcing the new law, also has a useful website with more information at

Click the link below for Requirements for Mandatory Policies, Training and Postings.

Requirements for Mandatory Policies, Training and Postings

You’ve probably heard about federal privacy protection legislation, known as the Personal Information Protection and Electronic Documents Act, or “PIPEDA” for short, which came into effect on January 1, 2004. PIPEDA applies to all commercial businesses, including motor vehicle dealers.

All businesses, including dealers, need to have the consent of individuals in order to collect, use or disclose “personal information”. PIPEDA defines Personal Information as “any information about an identifiable individual”, other than business information, relating to that individual.

Basic Principles

Dealers should be familiar with the ten principles which PIPEDA identifies and apply them to their business.


  1. Accountability

    One or more people should be designated as a “Privacy Officer” for the dealership. It is the Privacy Officer’s responsibility to ensure that only necessary personal information is being collected and that it is not being used or disclosed to others in ways that the individual has not consented to.

  2. Identify Purposes

    There should be good reasons why personal information is being collected. If there is no valid reason to collect personal information, don’t collect it.

  3. Knowledge and Consent

    The knowledge and consent of the individual is required prior to collecting, using or disclosing personal information.

  4. Limiting Collection

    The amount of personal information collected should be the minimum amount necessary to complete the business transaction between the dealer and the customer.

  5. Limiting Use, Disclosure and Retention

    Personal information should not be used or disclosed for purposes other than those for which it was collected, unless the individual consents or unless the use or disclosure is required by law. Personal information should only be retained long enough to fulfill those purposes or as required by law.

  6. Accuracy

    Personal information should be as accurate, complete and up-to-date as necessary for the purposes that it will be used. If personal information is being used for any purpose efforts should be made to ensure that its accuracy is maintained.

  7. Safeguards

    Security safeguards should be in place to ensure that personal information is not used or disclosed inappropriately. Individuals must give either express or implied consent to the use or disclosure of personal information.

  8. Openness

    Dealers are required to have details of their policies and procedures relating to personal information available on request. Anyone has the right to know how the dealership protects personal information.

  9. Individual Access

    Individuals have the right, on request, to access personal information about themselves held by the dealer and to know how the dealer has used or disclosed it. Individuals may have information changed where it is inaccurate.

  10. Compliance Challenge

    Individuals can challenge a dealer’s compliance with these principles to the Information and Privacy Commissioner of Canada. They may also commence a legal action if they believe their rights have been violated.

Internal Privacy Audit


In order to identify any problems that you may have complying with PIPEDA, dealers should conduct an internal “privacy audit”. This should be done by the Privacy Officer to identify what personal information is collected, and how it's used. If potential problems are found, they should be corrected immediately.

Following is the suggested format of a privacy audit.

Step 1. Identify what personal information you typically collect

Here are just a few examples of personal information:

  • Name
  • home address, phone number, personal cell/pager number, personal email, home fax
  • drivers licence information
  • insurance information,
  • age/date of birth
  • marital status, spouse and child information,
  • language spoken
  • education level
  • occupation
  • income
  • banking information
  • credit information
  • social insurance number


Step 2. Determine if the collection of the information is necessary

The type of information that should be collected will vary, depending on the nature of the transaction. Following are some typical examples:

i) The retail sale of a vehicle to a consumer, without financing.

  • name
  • home address and home phone number,
  • cell or pager number
  • email addresses
  • drivers licence number
  • insurance information

ii) The retail sale with financing or lease of a vehicle to a consumer.

  • items listed in i) above,
  • employment
  • banking
  • credit history information
  • birth date or SIN (for credit check)

iii) Repairs for a consumer.

  • contact information (address, phone number, etc.)
  • birth date (where lien needs to be registered)

iv) A test drive

  • copy of drivers licence


Step 3. Limit the use, disclosure and retention of personal information.

Once the required information has been determined, the dealer is expected to take steps to ensure that the information is used only for those purposes necessary. This should not be difficult for most dealers, who currently will not be using personal information for reasons other than those required to complete the business transaction. However, to ensure that information is not misused, security mechanisms should be put in place, whether information is stored on paper or electronically.

Once information is no longer required, it should be destroyed or returned to the customer. In most cases, returning documents to the customer doesn’t make much sense. Most customers wouldn’t want them anyway. So, the best option is to destroy the information. Particularly in the case of sensitive information such as credit, income and financial information, shredding the documents may be advisable.

How long you need to keep information will depend on circumstances. OMVIC requires certain information be kept on vehicles sold for 6 years. For tax reasons, you could be required to provide records for up to seven years.

Where information was collected from someone who did not enter into any sort of transaction with you, it should be destroyed or deleted once it’s apparent that no deal will be done, unless you have consent from the individual to keep it, for example for future contact. More on consent later.

Step 4. Limiting Access to Personal Information

Access to work areas should be restricted to staff only. Where others are in areas where they could have access to personal information, either in documents or stored electronically, they should be supervised at all times.

Paperwork, such as bills of sale, lease agreements, credit applications or other documents containing personal information should not be left in places where unauthorized staff or others have access to it. If possible, paperwork containing personal information should be kept in secure storage, such as a locked filing cabinet.

Security passwords should be used to restrict access to personal information stored electronically, so only those authorized to access it may do so.

Step 5. Communicating personal information

Because email and fax communications are not considered by the Privacy Commissioner to be secure, it would be a good idea to get an individual’s consent before sending personal information by email or fax. The following simple clause could also be included in emails and faxes.

If you have received this in error, please destroy it and notify us as soon as possible.

Step 6. How long to keep Information

PIPEDA says that personal information should be kept only so long as is necessary for the purpose it was collected or as long as required by law. Legal requirements under the Motor Vehicle Dealers Act, 2002 require certain records to be kept as long as 6 years. Garage registers are required to be kept for 2 years. For tax audit purposes, information is required to be kept for 7 years. Beyond this time, there should generally be no reason to keep anyone’s personal information unless they have consented to it.

There is no reason to keep some sensitive personal information, such as shown on a credit report, after the data on it has been used to determine whether or not to provide financing.

Step 7. Providing Access to Third Parties

Without the consent of individuals, their personal information should not be disclosed to third parties unless necessary in order to process the business transaction involving the customer. Examples of situations where information must be disclosed to third parties include where financing is being applied for or where extended warranty or credit insurance is being purchased.

If a dealer wants to share information with parties other than those necessary to complete the transaction, the consent of the individual will be needed.

Dealers should ensure that the third party companies that they are sharing personal information with also have procedures in place to protect the personal information.

Step 8. Future Contact

Once the transaction is complete, there should be no further contact with the customer, unless they have provided their consent. This applies not only to third parties contacting the customer, but to the dealer as well. Consent should be obtained at the time of sale, lease or service, if the dealer wants to make future contact with a customer. Prior consent is not required where contact is required by law, for example, to inform a customer of a manufacturer's recall of a vehicle.

Obtaining Consent


It's clear that consent is a key element of PIPEDA. An individual’s consent to the collection, use or distribution of personal information may be obtained in any way, including verbally, but written consent is always better, as it prevents dispute over whether consent was truly given.

The formality of the consent required will vary, depending on circumstances. For example, consent to send promotional material or messages to an individual using personal information like email or home address will require less formality than consent to provide credit or income information to a third party.

The use of publicly available information to contact individuals, such as names, addresses and telephone numbers from a phone book, is permitted. However, anyone contacted must be given a clear “opt-out”, option, in order to stop unwanted future contact. For example, mailings sent out to customers or others should state that if the recipient no longer wishes to receive mailings from the dealer, that they should contact the dealer, in writing, at an address provided in the mailing requesting no further contact. Similar options should exist where the dealer uses fax, email or phone to contact customers.

Personal information that a dealership has collected prior to PIPEDA coming into effect does not need to be re-collected, but if it is to be used to contact people or disclosed to third parties, consent will be required if it has not already been obtained.

Bills of Sale


The most obvious place to obtain consent will be on the contract a customer signs when purchasing, or leasing, a vehicle. To help members, the UCDA Used Vehicle Bill of Sale, New Vehicle Bill of Sale and Lease Agreement each include a consent clause. Once signed, the clause provides the customer's consent to the sharing of personal information collected as part of the purchase and to future contact by the dealer and others the information is shared with. A similar clause should be included on lease agreements and service and repair work orders.

Where no bill of sale or other agreement has been signed, such as with a prospective customer, dealers and sales staff should be clear when obtaining information like address and phone number, that they have the consent of the individual to make follow-up contact. No one, who has asked not to be contacted, should be.

For more information on UCDA bills of sale and to order call Margi at (416) 231-2600 or 1 (800) 268-2598.



It is important for all dealers, large and small to perform the audit and become compliant with PIPEDA. Dealers who do not, risk having customers complain to the Privacy Commissioner. While it is the commissioner’s role to help resolve disputes, complaints which are viewed as serious and justified can be investigated and ultimately referred to Federal Court for a hearing.

Individuals may also bring a legal action against a dealer that has collected, used or disclosed personal information without consent. Even if the action is groundless, it can be costly and time consuming to deal with. Better to prevent the problem by understanding and following proper guidelines.

If you have any questions about the privacy guidelines contained in PIPEDA and how they affect you, please email the UCDA Legal Services Director, Jim Hamilton, at

Dealers can also find useful templates and guides at:

Click the link below for Accessibility laws.

Accessibility laws



Sample Workplace Violence Policy


________________(insert name of dealer) is committed to the prevention of workplace violence and is responsible for employee health and safety. We will take whatever steps are reasonably necessary to protect our employees from workplace violence from all sources. Workplace violence includes unwanted physical contact and both written (including email) and verbal threats of violence.

Violent behaviour in the workplace is unacceptable from anyone. This policy applies to everyone on the premises of ___________________, (insert name of dealer) including visitors. Everyone is expected to uphold this policy and to work together to prevent workplace violence.

The workplace violence programme includes measures and procedures to protect employees from workplace violence, a means of summoning immediate assistance and a process for employees to report incidents, or raise concerns. _________________, (insert name of dealer) will ensure this policy and the supporting programme are implemented and maintained and that all employees and managers have the appropriate information and instruction to protect them from violence in the workplace.

Managers will adhere to this policy and the supporting programme. Managers are responsible for ensuring that measures and procedures are followed by employees and that employees have the information they need to protect themselves.

Every employee must work in compliance with this policy and the supporting programme. All employees are encouraged to raise any concerns about workplace violence and to report any violent incidents or threats. Incidents of violence should be reported to _____________________ (Indicate who incidents of violence should be reported to. This could be more than one person.)

Employees will not suffer negative consequences for reporting an incident of violence.

Management pledges to investigate and deal with all incidents and complaints of workplace violence in a fair and timely manner, respecting the privacy of all concerned as much as possible.

Signed: ________________________ President/Owner ________________


Sample Workplace Violence Programme

Measures and procedures to control the risks of workplace violence may include:

  • safe work procedures;
  • personal protective equipment;
  • design or physical layout of the workplace such as doors with clear windows, adequate lighting, location and structure of counters, barriers, etc.;
  • designated safe locations for emergency situations;
  • procedures for informing or advising employees of potentially violent situations or people;
  • employee training on the workplace violence policy and programme and dealing with aggressive or violent clients.

Measures and procedures for summoning immediate assistance may include:

  • equipment to summon assistance such as fixed or personal alarms, locator or tracking systems, phones, cell phones, etc.;
  • emergency telephone numbers and/or e-mail addresses;
  • emergency procedures.

Measures and procedures for employees to report incidents of workplace violence to the employer or manager may include information about:

  • how, when and to whom an employee should report incidents or threats;
  • forms or other reporting mechanisms;
  • roles and responsibilities of employers, managers, employees, Joint Health and Safety Committees, health and safety representatives and others in the incident reporting process;
  • when the incident requires external reporting (i.e. to the police, Workplace Safety Insurance Board, Ministry of Labour, etc.).

Measures and procedures for how the employer will investigate and deal with incidents or complaints of workplace violence may include information about:

  • how and when investigations will be conducted;
  • what will be included in the investigation;
  • roles and responsibilities of employers, managers, employees, Joint Health and Safety Committees, health and safety representatives and others;
  • follow-up to the investigation (description of actions and timeframe);
  • record keeping requirements.


Sample Harassment Policy


_______________(insert name of dealer) is committed to providing a work environment in which all individuals are treated with respect and dignity.

Workplace harassment will not be tolerated from any person in the workplace. Everyone in the workplace must be dedicated to preventing workplace harassment. Managers and employees are expected to uphold this policy, and will be held accountable by the employer.

Workplace harassment means engaging in a course of vexatious comment or conduct against an employee in a workplace -- a comment or conduct that is known or ought reasonably to be known to be unwelcome.

Harassment may also relate to a form of discrimination as set out in the Ontario Human Rights Code, but it does not have to.

This policy is not intended to limit or constrain the reasonable exercise of management functions in the workplace

Employees are encouraged to report any incidents of workplace harassment. Incidents should be reported to _____________________ (Indicate who incidents of harassment should be reported to. This could include be than one person.) Employees will not suffer negative consequences for reporting an incident of harassment.

Management will investigate and deal with all concerns, complaints, or incidents of workplace harassment in a fair and timely manner while respecting employees’ privacy as much as possible.

Nothing in this policy prevents or discourages an employee from filing an application with the Human Rights Tribunal on a matter related to Ontario’s Human Rights Code within one year of the last alleged incident. Employees retain the right to exercise any other legal avenues that may be available.

Signed: ________________________ President/Owner Date:_______________


Sample Harassment Programme


The workplace violence policy should be consulted whenever there are concerns about violence in the workplace.

Measures and procedures for employees to report incidents of workplace harassment to the employer or manager may include information about:


  • how, when and to whom an employee should report incidents;
  • forms or other reporting mechanisms;
  • roles and responsibilities of employers, managers, employees and others in the incident reporting process.

Measures and procedures for how the employer will investigate and deal with incidents and complaints of workplace harassment may include information about:

  • how and when investigations will be conducted;
  • what will be included in the investigation;
  • roles and responsibilities of employers, supervisors, employees and others;
  • follow-up to the investigation (description of actions and timeframe);
  • record keeping requirements.