Guides  /  Rules & compliance
Plain-English education for Ontario realtors — guidance, not legal advice. Rules, figures and timeframes change; confirm the current position with RECO and Ontario e-Laws, and your broker of record is the final word.

Privacy (PIPEDA), CASL/Marketing Consent, and Client Data Handling (Ontario Realtors)

1. Scope — which laws apply to a realtor's data

A realtor in Ontario juggles three overlapping regimes plus professional duties:

Key mental model: PIPEDA = how you handle the data. CASL = how you may message people electronically. DNCL = how you may call them. TRESA = your professional confidentiality duty. A single marketing campaign can be governed by all four.

2. PIPEDA — the 10 fair information principles

PIPEDA is built on ten principles (Schedule 1). In plain terms for a brokerage:

  1. Accountability — the brokerage is responsible for personal information in its control, including data handed to service providers (CRM, e-sign, showing apps, AI tools). Designate a privacy officer.
  2. Identifying purposes — say why you're collecting information at or before the time of collection (e.g., "to complete your transaction and meet FINTRAC obligations").
  3. Consent — collection, use, and disclosure require the individual's knowledge and consent (express or implied, proportionate to sensitivity). Consent can be withdrawn.
  4. Limiting collection — collect only what's necessary for the identified purposes. Don't over-collect "just in case."
  5. Limiting use, disclosure, and retention — use/disclose only for the purposes consented to; keep only as long as needed (note: FINTRAC records = 5 years; see [[fintrac-obligations]]). Then securely destroy.
  6. Accuracy — keep information as accurate, complete, and up-to-date as necessary.
  7. Safeguards — protect information with security appropriate to its sensitivity (encryption, access controls, locked storage, MFA). This is where most realtor risk lives.
  8. Openness — make your privacy practices readily available (a privacy policy).
  9. Individual access — on request, tell an individual what you hold and let them access/correct it.
  10. Challenging compliance — provide a route to complain about your handling.

Sensitive information

ID documents, SIN, date of birth, financial/mortgage details, and banking info are sensitive and warrant express consent and stronger safeguards. Do not collect a SIN unless legally required (it generally is not required for a real estate trade — a mortgage lender may need it, but the realtor should not be the one collecting/storing it).

3. PIPEDA — mandatory breach response

Since November 1, 2018, PIPEDA requires handling of a "breach of security safeguards":

Practical realtor breaches: a lost laptop/phone with client files, an emailed offer/deposit form sent to the wrong person, a compromised email account, a mis-shared cloud folder, an AI tool retaining pasted client data.

4. CASL — the three-part rule for electronic marketing

To send a CEM (email, text/SMS, some social DMs) that has a commercial purpose, you generally need all three:

  1. Consent — express or implied (see §5).
  2. Identification — clearly identify who is sending the message (and on whose behalf), with valid contact information: mailing address and at least one of phone, email, or web address, kept valid for at least 60 days after the message.
  3. Unsubscribe mechanism — a working, no-cost way to opt out, using the same or an equivalent electronic means; you must give effect to an unsubscribe within 10 business days, and the mechanism must stay functional for at least 60 days after the message.

CASL covers texts/SMS the same as email. Penalties are severe: up to $10 million per violation for a business and $1 million for an individual; there is also director/officer liability and vicarious liability (a brokerage can be liable for an agent's violation, and vice-versa).

CASL recognizes implied consent in defined situations, including: - Existing Business Relationship (EBR): e.g., a purchase, sale, lease, or written contract within the prior 2 years, or an inquiry/application within the prior 6 months. Implied consent runs from that event and expires (roughly 2 years / 6 months respectively). - Existing Non-Business Relationship (e.g., donation/volunteer/membership within 2 years). - Conspicuous publication: the recipient published their business email conspicuously (e.g., a business card, a website "contact us"), without a statement refusing CEMs, and your message is relevant to their business role. A homeowner's personal email on a FSBO ad is a grey area — the message must be relevant to the capacity in which it was published; treat cautiously. - Disclosed business contact: the recipient gave you their address directly without saying "no CEMs," and the message relates to their role/business.

Because implied consent expires, most brokerages run on express consent and use CRM fields to track the type and expiry of each contact's consent.

The CASL "referral" exception

CASL permits a single CEM to a third party where there is a referral by an individual who has an existing business/non-business/family/personal relationship with both the sender and the recipient. The message must disclose the full name of the person who made the referral and state that the referral is why you're writing. It's one message only — after that you need consent.

Other CASL exclusions/relief

6. DNCL and calling rules (voice, not CASL)

7. Client records and data-handling workflow (checklist)

At intake - [ ] State why you're collecting information (purpose) and get consent — a signed privacy consent + a separate CASL marketing consent (don't bundle them into one silent tick). - [ ] Collect only what's needed; never collect a SIN for a realtor's own file unless legally required. - [ ] Log CASL consent in the CRM: type (express/implied), source, date, and expiry for implied.

During the deal - [ ] Store ID copies, offers, and financial docs in access-controlled, encrypted storage — not in personal email or an unsecured phone. - [ ] Share client data with only the parties who need it (lawyer, lender, brokerage admin) and only as authorized. - [ ] Use MFA on email and CRM; beware wire-fraud / business-email-compromise — verify banking changes by phone to a known number.

Marketing - [ ] Every CEM has sender ID + valid contact info + working unsubscribe. - [ ] Honour unsubscribes within 10 business days; suppress across all lists. - [ ] Re-check implied-consent expiry before each blast; move contacts to express consent where possible.

Retention & disposal - [ ] Keep records only as long as needed; hold FINTRAC records 5 years (see [[fintrac-obligations]]); then securely destroy (shred paper, wipe drives). - [ ] Keep a breach log (24 months) and know the RROSH reporting path.

Access requests / complaints - [ ] Route PIPEDA access/correction requests and complaints to the brokerage privacy officer; respond within statutory timelines.

8. Worked examples

9. AI assistant boundaries — what to put (and not put) into chat

This assistant is a drafting and reference tool, not the brokerage's system of record and not a lawyer. Data typed into a chat may be processed outside the brokerage's own systems, so treat the chat box like an outbound channel.

Do NOT paste into chat: - SIN, full dates of birth, driver's licence/passport numbers, or photos of ID documents. - Banking details, account/transit numbers, credit-card or mortgage-application financials. - A client's full name combined with their home address, deal terms/price, and personal circumstances — i.e., anything that identifies a specific person's private transaction. - Whole client files, signed forms, or ID scans for "cleanup" or "summarizing." - Anything covered by the TRESA confidentiality duty that the client hasn't authorized you to share.

Prefer to: - Redact / use placeholders — "my buyer client (call them B)," "$X purchase price," "closing on [date]" — the assistant can draft just as well from anonymized facts. - Ask general/procedural questions ("what's the CASL unsubscribe deadline?", "draft a market-update email with a compliant footer") rather than pasting real personal data. - Keep the authoritative record (consents, IDs, financials) in the brokerage's secured CRM/storage, not in chat history.

Assistant guardrails (how this tool should behave): - If a user pastes obvious sensitive PII (SIN, ID numbers, banking), flag it, decline to store/echo it, and suggest redaction rather than working with it verbatim. - Never invent consent status, do-not-call status, or that a message is CASL-compliant — surface the rule and tell the user to verify against their CRM records and brokerage policy. - For edge cases (does implied consent still apply? is this a CEM? is this a reportable breach?), defer to brokerage counsel/compliance rather than giving a definitive ruling. - Include a compliant footer (sender ID + contact + unsubscribe) whenever drafting marketing email/SMS, and remind the user consent must exist before sending. - Treat privacy/marketing law as jurisdiction- and time-sensitive; cite the rule and point to the official source rather than asserting current thresholds from memory.

Sources

Sources: Office of the Privacy Commissioner of Canada (OPC) — [priv.gc.ca](https://www.priv.gc.ca/); the Personal Information Protection and Electronic Documents Act (**PIPEDA**); Canada's Anti-Spam Legislation (**CASL** — *An Act to promote the efficiency and adaptability of the Canadian economy…*, S.C. 2010, c. 23) and its regulations; CRTC CASL guidance — [crtc.gc.ca](https://crtc.gc.ca/eng/internet/anti.htm) and [fightspam.gc.ca](https://fightspam.gc.ca/); RECO/TRESA on client confidentiality. Reference material only — this is **not legal or compliance advice.** Rules, thresholds, and exemptions change; your **brokerage's counsel/compliance program decides edge cases.** **Verify current requirements at [priv.gc.ca](https://www.priv.gc.ca/) and [crtc.gc.ca](https://crtc.gc.ca/) before relying on any point below.** *(Access date: 2026-07-16.)*

Turn this into a filled OREA form

Describe your deal in plain English — Automaite drafts the form, conditions and Schedule A, and explains every step.

Start free