Receiver General Buy Button upgrade: Privacy impact assessment summary

On this page

Introduction and background

The Receiver General Buy Button service modernization will continue to enable buy button clients to use the buy button for credit card and now also Interac as payment processing methods. The payment information is processed electronically using the buy button service from buy button clients' websites (also known as storefronts) that accept electronic payments.

Buy button clients will continue to use the buy button service as a means to process payments from individuals of the general public. The buy button provides the necessary tools to allow buy button clients to manage online, mail orders and in-person payment for goods or services, through the provision of authentication and administration processes. The use of these processes facilitates secure and private exchange of customer payment data with payment processing service providers on behalf of buy button clients.

The user community for the buy button service consists of:

Personal information collected by the existing Receiver General Buy Button service

The different clusters of personal information collected or used during the various buy button business processes are as follows:

The application also collects and retains transaction data from the selling department that is required for processing the transaction. This information includes the selling department's identification (ID), transaction type, departmental reference number, transaction amount and the language last used by the customer on the department's website (so that the buy button web pages can be presented in the same language for consistency). Transaction data collected from the department is assigned a buy button transaction ID and the data collected from the customer is appended to that record.

New personal information collected by the upgrade Receiver General Buy Button service

The new personal information collected or used during the various upgraded buy button business processes is as follows: 

Other information elements pertaining to the customers' online transactions are also collected or used, such as customer session logs, content of temporary cookies and signature verification logs. The architecture design specifications, however, do not permit these information elements to identify individuals or to be linked to individuals.

The customer is provided with the opportunity to review the buy button privacy statement on the payment page where they are required to submit personal information. The privacy statement describes the reason for collection, the specific use, the retention period, disposal procedures and personal information bank (PIB) where the personal information is stored.

The buy button administrative web interface is used to perform the following:

Privacy risks

Privacy risks and potential risk mitigation measures have been identified in the privacy impact assessment report. These risks are summarized below.


A number of privacy risks have been identified with the Receiver General Buy Button upgrade service and are evaluated at "low" in severity with a plan to mitigate these risks within an acceptable timeframe.

It is important to note that the buy button basic business model has not changed only the service provider and the collection of two additional pieces of personal information which will ensure accurate and secure payments are processed. The introduction of a payment gateway with multiple options within the buy button may raise privacy concerns. In that context, customers should be reminded that privacy protection was and remains a pivotal factor for the buy button's choice of subcontracting to a Payment Card Industry Data Security Standard (PCI DSS) Level 1 certified processing vendor. Customers who wish to further protect their privacy can also elect to procure buy button client services using different payment options such as credit card and Interac, thereby rendering the credit card number a payment processing specific identifier, and not a common identifier.

Date modified: