A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Under Pipa — which became fully effective on January 1, 2025 — privacy notices are the primary mechanism for an organisation to meet its transparency obligations. When a notice is noncompliant, it creates specific legal vulnerabilities and financial implications.
My review also found varying levels of compliance with the legislation.
Forty-four per cent of companies reviewed had no privacy notice, 6 per cent were inherited from notices with a General Data Protection Regulation (European Union) framework, 3 per cent had global policies and 37 per cent were deficient primarily owing to lack of transparency or lack of accessibility.
This review follows the 2024 Global Privacy Enforcement Network Sweep, where Bermuda’s Privacy Commission contributed to an assessment of more than 1,000 websites and applications that used deceptive designs to influence privacy choices.
The GPEN is an informal network of more than 60 privacy enforcement authorities in 39 jurisdictions.
As part of the local sweep, the Privacy Commission examined the websites of 196 organisations located in Bermuda and found a number of deficiencies.
Out of those 196, only 78 per cent had privacy notices, 44 per cent included contact information for a privacy officer or team, just 5 per cent provided the Privacy Commission’s contact information, and 13 per cent had a link to a privacy notice, but the document was missing.
Failing to maintain a compliant privacy notice is not just a paperwork error, but a significant regulatory and operational risk. It could trigger formal action from the Privacy Commissioner such as enforcement orders that compel an organisation to bring its practices into compliance, public admonishment that could lead to significant reputational damage, or criminal prosecution where an organisation could be fined up to $250,000 for wilful noncompliance.
Under Pipa, personal information must be used fairly and lawfully. If a privacy notice is vague, misleading, or missing entirely, any data collected could be deemed “unfair” or “unlawful” because the individual was not properly informed of the purpose of its use. Other than in limited circumstances, this could invalidate the legal basis for holding that data.
There is also an increased liability for privacy harm to individuals. A privacy notice that does not comply with Pipa could harm the privacy rights of individuals where data is used in ways not disclosed in a notice, which is a direct violation of Pipa’s “purpose limitation”, or where there is a lack of informed choice, in which individuals do not know their data is being collected or used and therefore cannot exercise their rights.
One of these rights is the right to seek compensation for financial loss or distress pursuant to section 21 of Pipa. This provision allows individuals who suffer harm because of an organisation’s failure to comply with Pipa to sue for damages.
Section 21 also explicitly allows for compensation where an individual discovers that their data was used in ways not disclosed in a notice and which resulted in emotional distress.
An organisation could avoid liability if it could prove that it took all reasonable steps to comply. However, providing a privacy notice that lacks mandatory elements is a clear failure of this standard, making the defence difficult to maintain.
This review of a cross-section of privacy notices offers an overview of existing practices and indicates that there may be an essential need to strengthen transparency and address potential compliance gaps across the business community.
In a privacy-regulated environment, a noncompliant privacy notice is a significant liability to an organisation. Now is the time for businesses in Bermuda to bridge the compliance gap before the Privacy Commissioner, or a disillusioned consumer, bridges it for them.
First Published in The Royal Gazette, Legally Speaking column, June 2026








