
What FIPPA Means for Your Municipal Website


The Freedom of Information and Protection of Privacy Act — FIPPA in British Columbia, with equivalent legislation in every Canadian province — is the foundational privacy law governing how public bodies collect, use, and disclose personal information. For municipal web teams, FIPPA is not an afterthought or a compliance checkbox. It is a design constraint that shapes every meaningful decision about your digital services.

If your municipality operates a website, collects form submissions, uses analytics, or integrates with third-party services, FIPPA applies to you. Here is what your team needs to understand.

The core principle: data stays in Canada

FIPPA requires that personal information in the custody of a public body be stored and accessed only in Canada, unless one of a narrow set of exceptions applies. This is not a guideline or a best practice — it is a legal requirement with real consequences for non-compliance.

For your website, this means every service that touches personal information must be evaluated for data residency. Where is your web host? Where does your form data go? Where are your email service's servers located? Where does your analytics platform store visitor data? If any of these answers point outside of Canada, you may have a compliance gap.

This is where many municipalities run into trouble without realizing it. A common scenario: a municipality uses a popular American form builder to collect service requests. The form looks fine, works fine, and nobody thinks twice about it. But the data — including names, email addresses, and sometimes home addresses — is being stored on servers in the United States. Under FIPPA, that is a problem.

What counts as personal information?

FIPPA defines personal information broadly. It includes any recorded information about an identifiable individual, not just names and email addresses. IP addresses, location data, device identifiers, and behavioural patterns collected through analytics can all constitute personal information depending on how they are collected and whether they can be linked to an individual.

This broad definition matters for web teams because it affects tools you might consider routine. Google Analytics, for example, collects IP addresses and detailed browsing behaviour. If that data is stored on Google's servers outside of Canada, its use by a public body may raise FIPPA concerns. This is why many municipalities have moved to privacy-respecting analytics platforms that store data in Canada or do not collect personal information at all.

Collection notices and consent

When a public body collects personal information, FIPPA requires that individuals be informed about the purpose of collection, the legal authority for it, and who to contact with questions. On a website, this means every form that collects personal information should include a collection notice — a brief statement explaining why the information is being collected and how it will be used.

This does not need to be a lengthy legal document. A well-written collection notice can be two or three sentences long. What matters is that it is present, accurate, and written in language that ordinary residents can understand. The notice should appear at or near the point of collection — not buried in a privacy policy that nobody reads.

Third-party services and the vendor question

Modern websites rely on dozens of third-party services: analytics, form builders, chat widgets, mapping tools, social media embeds, content delivery networks. Each of these services may collect, process, or store personal information. Under FIPPA, the public body remains responsible for the personal information regardless of which vendor is handling it.

This means your vendor selection process is also a privacy decision. When evaluating any third-party tool for your municipal website, you need to ask: where does this service store data? Does it share data with other parties? Can we get a data processing agreement that meets FIPPA requirements? If the vendor cannot answer these questions clearly, that is your answer.

Practical steps for your web team

FIPPA compliance for your website is not a one-time project — it is an ongoing practice. Here are the steps that matter most:

  • Audit your third-party services. Make a list of every external service your website uses. For each one, determine where data is stored and whether personal information is involved. Replace any service that stores personal information outside Canada with a compliant alternative.
  • Add collection notices to all forms. Every form that collects personal information should have a clear, plain-language notice explaining the purpose of collection and the authority under which it is collected.
  • Review your analytics setup. If you are using Google Analytics or a similar platform that stores data outside Canada, evaluate alternatives like Plausible, Fathom, or Matomo with Canadian hosting.
  • Update your privacy policy. Your website's privacy policy should accurately reflect your current data practices, not a template from three years ago. Review it annually at minimum.
  • Build compliance into procurement. Make FIPPA compliance a mandatory criterion in your vendor evaluation process, not a nice-to-have. Include data residency requirements in your RFPs and contracts.

FIPPA as a design advantage

It is tempting to view FIPPA as a constraint that limits your options. And in some ways, it does — you cannot use every shiny new tool that comes along without evaluating it for compliance. But there is an upside: FIPPA forces you to be intentional about the tools you use and the data you collect. Municipalities that take privacy seriously end up with cleaner, more focused digital services that collect only what is needed and respect the trust that residents place in their local government.

In an era of growing public concern about data privacy, being able to tell your community that their information never leaves Canada and is only used for the purposes it was collected for is not just compliance — it is a competitive advantage in building and maintaining public trust.
