Privacy (PIPEDA), CASL/Marketing Consent, and Client Data Handling (Ontario Realtors)
1. Scope — which laws apply to a realtor's data
A realtor in Ontario juggles three overlapping regimes plus professional duties:
- PIPEDA — federal private-sector privacy law governing how personal information is collected, used, disclosed, and safeguarded in the course of commercial activity. Ontario has no general private-sector privacy law deemed "substantially similar," so PIPEDA applies to Ontario real estate brokerages and their agents (health-information handling can also engage Ontario's PHIPA, but that's rare for realtors). Enforced by the OPC (ombuds model — investigates, recommends, and can take matters to Federal Court).
- CASL — governs Commercial Electronic Messages (CEMs): email, SMS/text, and similar electronic messages that encourage participation in a commercial activity. Enforced primarily by the CRTC (with the Competition Bureau and OPC on related conduct).
- DNCL / telemarketing rules — the National Do Not Call List and CRTC telemarketing/Unsolicited Telecommunications Rules govern voice calls and faxes (not covered by CASL). Cold-calling FSBOs/expireds engages this regime.
- TRESA / RECO Code of Ethics — a registrant owes clients a duty of confidentiality; client information obtained in the course of a trade generally may not be used or disclosed except as authorized or required by law. This duty outlasts the transaction.
Key mental model: PIPEDA = how you handle the data. CASL = how you may message people electronically. DNCL = how you may call them. TRESA = your professional confidentiality duty. A single marketing campaign can be governed by all four.
2. PIPEDA — the 10 fair information principles
PIPEDA is built on ten principles (Schedule 1). In plain terms for a brokerage:
- Accountability — the brokerage is responsible for personal information in its control, including data handed to service providers (CRM, e-sign, showing apps, AI tools). Designate a privacy officer.
- Identifying purposes — say why you're collecting information at or before the time of collection (e.g., "to complete your transaction and meet FINTRAC obligations").
- Consent — collection, use, and disclosure require the individual's knowledge and consent (express or implied, proportionate to sensitivity). Consent can be withdrawn.
- Limiting collection — collect only what's necessary for the identified purposes. Don't over-collect "just in case."
- Limiting use, disclosure, and retention — use/disclose only for the purposes consented to; keep only as long as needed (note: FINTRAC records = 5 years; see [[fintrac-obligations]]). Then securely destroy.
- Accuracy — keep information as accurate, complete, and up-to-date as necessary.
- Safeguards — protect information with security appropriate to its sensitivity (encryption, access controls, locked storage, MFA). This is where most realtor risk lives.
- Openness — make your privacy practices readily available (a privacy policy).
- Individual access — on request, tell an individual what you hold and let them access/correct it.
- Challenging compliance — provide a route to complain about your handling.
Sensitive information
ID documents, SIN, date of birth, financial/mortgage details, and banking info are sensitive and warrant express consent and stronger safeguards. Do not collect a SIN unless legally required (it generally is not required for a real estate trade — a mortgage lender may need it, but the realtor should not be the one collecting/storing it).
3. PIPEDA — mandatory breach response
Since November 1, 2018, PIPEDA requires handling of a "breach of security safeguards":
- Assess "real risk of significant harm" (RROSH) — consider sensitivity of the data and probability of misuse. Harm includes identity theft, fraud, financial loss, humiliation, and damage to reputation/relationships.
- If RROSH exists, you must: report to the OPC, notify affected individuals (as soon as feasible), and notify other organizations that could help reduce harm.
- Record-keeping: keep a record of every breach of security safeguards (even low-risk ones) for at least 24 months, and produce them to the OPC on request.
- Failing to report/notify/record a qualifying breach can attract fines up to $100,000.
Practical realtor breaches: a lost laptop/phone with client files, an emailed offer/deposit form sent to the wrong person, a compromised email account, a mis-shared cloud folder, an AI tool retaining pasted client data.
4. CASL — the three-part rule for electronic marketing
To send a CEM (email, text/SMS, some social DMs) that has a commercial purpose, you generally need all three:
- Consent — express or implied (see §5).
- Identification — clearly identify who is sending the message (and on whose behalf), with valid contact information: mailing address and at least one of phone, email, or web address, kept valid for at least 60 days after the message.
- Unsubscribe mechanism — a working, no-cost way to opt out, using the same or an equivalent electronic means; you must give effect to an unsubscribe within 10 business days, and the mechanism must stay functional for at least 60 days after the message.
CASL covers texts/SMS the same as email. Penalties are severe: up to $10 million per violation for a business and $1 million for an individual; there is also director/officer liability and vicarious liability (a brokerage can be liable for an agent's violation, and vice-versa).
5. CASL — express vs. implied consent
Express consent
- Actively given (a checked-but-not-pre-checked box, a signed form, a verbal yes you log). It must state the purpose and identify who is seeking consent.
- Does not expire until withdrawn. This is the gold standard — build your list on express consent.
- The sender bears the burden of proving consent. Log who consented, when, how, and to what (screenshot the form, keep the timestamp/source).
Implied consent (time-limited — track expiry dates)
CASL recognizes implied consent in defined situations, including: - Existing Business Relationship (EBR): e.g., a purchase, sale, lease, or written contract within the prior 2 years, or an inquiry/application within the prior 6 months. Implied consent runs from that event and expires (roughly 2 years / 6 months respectively). - Existing Non-Business Relationship (e.g., donation/volunteer/membership within 2 years). - Conspicuous publication: the recipient published their business email conspicuously (e.g., a business card, a website "contact us"), without a statement refusing CEMs, and your message is relevant to their business role. A homeowner's personal email on a FSBO ad is a grey area — the message must be relevant to the capacity in which it was published; treat cautiously. - Disclosed business contact: the recipient gave you their address directly without saying "no CEMs," and the message relates to their role/business.
Because implied consent expires, most brokerages run on express consent and use CRM fields to track the type and expiry of each contact's consent.
The CASL "referral" exception
CASL permits a single CEM to a third party where there is a referral by an individual who has an existing business/non-business/family/personal relationship with both the sender and the recipient. The message must disclose the full name of the person who made the referral and state that the referral is why you're writing. It's one message only — after that you need consent.
Other CASL exclusions/relief
- Messages to family or personal relationships (as defined), and certain one-to-one replies to inquiries, get relief.
- A CEM sent in response to a request, inquiry, or complaint, or to complete a transaction the recipient previously agreed to, is generally permitted.
- Transactional/relationship messages (e.g., providing info about a deal already underway) still need accurate sender identification even where full consent rules are relaxed — when in doubt, include the ID + unsubscribe anyway.
6. DNCL and calling rules (voice, not CASL)
- Telemarketing phone calls are governed by the National DNCL and CRTC Unsolicited Telecommunications Rules — not CASL.
- Before cold-calling for business, you generally must subscribe to the DNCL and scrub your call list, honour do-not-call requests, call only within permitted hours, and identify yourself/the brokerage.
- There are exemptions (e.g., an EBR), but they are narrower and different from CASL's — don't assume CASL consent covers calling.
- Calling a homeowner from a "For Sale By Owner" or expired listing is telemarketing if it solicits business; check DNCL registration and exemptions first.
7. Client records and data-handling workflow (checklist)
At intake - [ ] State why you're collecting information (purpose) and get consent — a signed privacy consent + a separate CASL marketing consent (don't bundle them into one silent tick). - [ ] Collect only what's needed; never collect a SIN for a realtor's own file unless legally required. - [ ] Log CASL consent in the CRM: type (express/implied), source, date, and expiry for implied.
During the deal - [ ] Store ID copies, offers, and financial docs in access-controlled, encrypted storage — not in personal email or an unsecured phone. - [ ] Share client data with only the parties who need it (lawyer, lender, brokerage admin) and only as authorized. - [ ] Use MFA on email and CRM; beware wire-fraud / business-email-compromise — verify banking changes by phone to a known number.
Marketing - [ ] Every CEM has sender ID + valid contact info + working unsubscribe. - [ ] Honour unsubscribes within 10 business days; suppress across all lists. - [ ] Re-check implied-consent expiry before each blast; move contacts to express consent where possible.
Retention & disposal - [ ] Keep records only as long as needed; hold FINTRAC records 5 years (see [[fintrac-obligations]]); then securely destroy (shred paper, wipe drives). - [ ] Keep a breach log (24 months) and know the RROSH reporting path.
Access requests / complaints - [ ] Route PIPEDA access/correction requests and complaints to the brokerage privacy officer; respond within statutory timelines.
8. Worked examples
- "Can I email my past buyers a market update?" — If they bought through you within 2 years, you likely have implied consent (EBR) — but it expires, and you still need sender ID + unsubscribe. Better: get express consent at closing so the list never lapses.
- "A client referred me to their friend — can I email the friend?" — Yes, one CEM under the referral exception, and you must name the referring client in the message. After that, you need the friend's consent.
- "I scraped agent emails off a board site — can I market to them?" — No. Scraping addresses (and "address harvesting") is expressly targeted by CASL; conspicuous-publication implied consent requires the message be relevant to their role and that they didn't refuse CEMs — and it never blesses harvested lists.
- "Someone unsubscribed but is still a client — can I email them?" — Transactional messages about their active deal are generally fine (still identify yourself), but stop the marketing CEMs.
- "I'll cold-call the FSBOs in this neighbourhood." — That's telemarketing → DNCL rules, not CASL. Scrub against the DNCL and honour do-not-call requests.
- "I lost my phone with client offers on it." — Potential breach of security safeguards. Assess RROSH; if it applies, report to OPC + notify clients; log it either way.
9. AI assistant boundaries — what to put (and not put) into chat
This assistant is a drafting and reference tool, not the brokerage's system of record and not a lawyer. Data typed into a chat may be processed outside the brokerage's own systems, so treat the chat box like an outbound channel.
Do NOT paste into chat: - SIN, full dates of birth, driver's licence/passport numbers, or photos of ID documents. - Banking details, account/transit numbers, credit-card or mortgage-application financials. - A client's full name combined with their home address, deal terms/price, and personal circumstances — i.e., anything that identifies a specific person's private transaction. - Whole client files, signed forms, or ID scans for "cleanup" or "summarizing." - Anything covered by the TRESA confidentiality duty that the client hasn't authorized you to share.
Prefer to: - Redact / use placeholders — "my buyer client (call them B)," "$X purchase price," "closing on [date]" — the assistant can draft just as well from anonymized facts. - Ask general/procedural questions ("what's the CASL unsubscribe deadline?", "draft a market-update email with a compliant footer") rather than pasting real personal data. - Keep the authoritative record (consents, IDs, financials) in the brokerage's secured CRM/storage, not in chat history.
Assistant guardrails (how this tool should behave): - If a user pastes obvious sensitive PII (SIN, ID numbers, banking), flag it, decline to store/echo it, and suggest redaction rather than working with it verbatim. - Never invent consent status, do-not-call status, or that a message is CASL-compliant — surface the rule and tell the user to verify against their CRM records and brokerage policy. - For edge cases (does implied consent still apply? is this a CEM? is this a reportable breach?), defer to brokerage counsel/compliance rather than giving a definitive ruling. - Include a compliant footer (sender ID + contact + unsubscribe) whenever drafting marketing email/SMS, and remind the user consent must exist before sending. - Treat privacy/marketing law as jurisdiction- and time-sensitive; cite the rule and point to the official source rather than asserting current thresholds from memory.
Sources
- OPC — PIPEDA overview and fair information principles: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
- OPC — PIPEDA in brief / 10 principles: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
- OPC — Mandatory breach reporting (RROSH, 24-month records): https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/
- OPC — Getting accountability right / privacy program: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/
- CASL — Government of Canada plain-language hub: https://fightspam.gc.ca/
- CRTC — CASL requirements (consent, identification, unsubscribe): https://crtc.gc.ca/eng/internet/anti.htm
- CRTC — Guidelines on the meaning of consent under CASL (CRTC 2012-549): https://crtc.gc.ca/eng/archive/2012/2012-549.htm
- CASL statute (Justice Laws): https://laws-lois.justice.gc.ca/eng/acts/E-1.6/
- Electronic Commerce Protection Regulations (CRTC) 2012-548: https://crtc.gc.ca/eng/archive/2012/2012-548.htm
- National Do Not Call List (DNCL) / CRTC telemarketing rules: https://crtc.gc.ca/eng/phone/telemarketing/index.htm
- RECO — TRESA and the Code of Ethics (client confidentiality): https://www.reco.on.ca/agents-and-brokerages/tresa-explained
- CREA — CASL compliance guidance for REALTORS®: https://www.crea.ca/