Absolutely, and if businesses do, then there is not going to be any problem. What PIPEDA does is it takes an industry code of practice, developed by industry, and just turns it into legislation so that perhaps the minority of bad actors out there are also caught. The good guys are following their own codes of practice and doing the right thing--common sense, respecting their customers' privacy, not getting into trouble. The legislation is necessary to go after the other guys, the big data brokers who are just ignoring people's privacy. That's more what it's there for.
I can see how it seems really daunting when you don't know the legislation; it's new, and you suddenly feel, oh my God, I have to have a privacy policy, I have to be careful, I have to have all my records in locked cabinets, and that kind of thing. But I think when you go through it, most of it is actually just common sense. In this day and age, when we're suddenly now in an environment where information is so easily available and traded and lost and shared and abused, we just need to, all of us--and this act only applies to commercial activities, but I think there are other activities that we also need to be very careful about--make sure that our computers have passwords, encryption, or whatever, on them to protect the information.
You do need to make sure that if you decide to make secondary use of that information, let's say, in a car dealership.... I know you have my file there, and I know you might contact me in the future about something. I'm your customer, that's fine. But if you then want to sell it to someone else for some other purpose, then I want to have the option of saying no, and I think I should have it.
That's what PIPEDA does; it gives me that option.