Updated: March 2026
Canada’s approach to private sector data protection is built on a federal framework that many businesses underestimate.
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to nearly every private sector organisation engaged in commercial activity in Canada, imposes enforceable obligations around consent, transparency, and security, and sits alongside Quebec’s strengthened provincial law (Law 25, also known as Bill 64), which has introduced GDPR-comparable requirements at the provincial level since 2022.
This guide covers what PIPEDA compliance requires, who must comply, how the 10 fair information principles translate into operational obligations, and how the evolving Canadian landscape compares with international frameworks.
PIPEDA (the Personal Information Protection and Electronic Documents Act) is Canada’s federal private sector privacy law. It governs how private sector organisations collect, use, and disclose personal information in the course of commercial activity. It applies to federally regulated businesses regardless of province and to all other organisations in provinces that do not have “substantially similar” provincial legislation.
PIPEDA came into force in stages between 2001 and 2004. It is administered and enforced by the Office of the Privacy Commissioner of Canada (OPC). The OPC can investigate complaints, conduct audits, and apply to the Federal Court for compliance orders and penalties.
PIPEDA applies to:
• All federally regulated businesses in Canada (banks, telecoms, airlines, interprovincial pipelines)
• All organisations collecting, using, or disclosing personal information in the course of commercial activity across provincial or national borders
• Organisations in provinces without substantially similar legislation
Provinces with substantially similar legislation (where PIPEDA is largely replaced for intra-provincial activity) include:
• Alberta (Personal Information Protection Act, PIPA)
• British Columbia (Personal Information Protection Act, PIPA)
• Quebec (Act Respecting the Protection of Personal Information in the Private Sector, significantly strengthened by Law 25 / Bill 64 from 2022 to 2024)
Even where a provincial law applies, PIPEDA continues to govern cross-border transfers of personal data and federally regulated operations.

PIPEDA structures its requirements around 10 fair information principles drawn from the Canadian Standards Association Model Code for the Protection of Personal Information. These principles are not aspirational guidelines. They are legally binding obligations set out in Schedule 1 of PIPEDA, and compliance with each is assessed against the context and sensitivity of the personal information being processed.
Organisations must designate an individual (or individuals) responsible for compliance with PIPEDA. This role is typically called the Privacy Officer or Chief Privacy Officer. The designated individual’s name and contact details must be made available to anyone who requests them.
Accountability also means that responsibility for personal information extends to third parties who process data on the organisation’s behalf. If you transfer personal information to a service provider, you remain accountable for its protection and must use contractual or other means to ensure comparable privacy protection.
The purpose for which personal information is collected must be identified before or at the time of collection. Organisations cannot use personal information for a new purpose without either obtaining fresh consent or having a legal authority that justifies the new use.
PIPEDA requires that knowledge and consent of the individual be obtained for the collection, use, or disclosure of personal information, unless an exception applies. As of amendments introduced in 2015 (PIPEDA S.C. 2015, c. 32), organisations may rely on “valid consent,” which must be meaningful: individuals must understand what they are consenting to.
Consent can be express or implied, depending on the sensitivity of the information and the individual’s reasonable expectations. For sensitive information (health data, financial data, certain biographical data), express consent is generally required. For less sensitive information where the purpose is obvious, implied consent may be sufficient.
Individuals can withdraw consent at any time, subject to legal or contractual restrictions. Organisations must inform individuals of the implications of withdrawing consent and must honour withdrawal within a reasonable time.
Collection of personal information must be limited to what is necessary for the identified purposes. This is Canada’s equivalent of GDPR’s data minimisation principle. Organisations cannot collect personal information “just in case” or beyond what their stated purpose requires.
Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or where required by law. Information must be retained only as long as necessary for the identified purposes, then securely destroyed or anonymised.
Organisations should establish documented retention schedules for each category of personal information, with defined destruction procedures. Retaining personal information indefinitely is a common PIPEDA violation.
Personal information used to make decisions affecting individuals must be accurate, complete, and up to date. Organisations that make decisions based on inaccurate personal information face both PIPEDA compliance risks and potential legal liability for errors.
Organisations must protect personal information with security safeguards appropriate to its sensitivity. Safeguards must protect against loss, theft, and unauthorised access, disclosure, copying, use, or modification.
The OPC has issued guidance specifying that safeguards should include physical security measures (locked filing cabinets, restricted-access areas), organisational measures (training, access controls, confidentiality agreements), and technical measures (encryption, firewalls, intrusion detection systems).
Mandatory breach reporting: Since November 2018, PIPEDA has required organisations to report breaches of security safeguards to the OPC and to notify affected individuals when a breach creates a “real risk of significant harm.” Organisations must also maintain a record of all breaches.
Organisations must be transparent about their policies and practices for managing personal information. Privacy policies must be written in plain language, accessible to anyone who requests them, and describe:
• The type of personal information collected
• How it is used and to whom it is disclosed
• How individuals can access their information and correct inaccuracies
• Contact details for the designated Privacy Officer
• Any international transfers of personal information
Upon request, organisations must inform individuals whether they hold personal information about them, provide access to that information, and explain how it has been used and to whom it has been disclosed. Access must generally be provided within 30 days.
Grounds for refusing access are limited and include where providing access would reveal personal information about a third party, information protected by solicitor-client privilege, or information subject to law enforcement confidentiality.
Individuals must have a mechanism to challenge the organisation’s compliance with PIPEDA. Organisations must have complaint procedures in place and must investigate complaints and correct non-compliance.
Quebec’s Law 25 (Bill 64, the Act to Modernise Legislative Provisions Respecting the Protection of Personal Information) significantly strengthens Quebec’s provincial privacy framework and introduces requirements comparable in several respects to the European GDPR. If you collect personal information from Quebec residents in the course of commercial activity, Law 25 applies, regardless of where your organisation is based.
Law 25 was implemented in three phases between September 2022 and September 2023. Key requirements include:
• Privacy Impact Assessments (PIAs): Required before any project involving personal information is launched, and when acquiring, developing, or overhauling information systems. Quebec’s PIA requirement is broader than anything in PIPEDA.
• Privacy by default: Technology products offered to Quebec consumers must be configured to provide the highest level of privacy without user intervention.
• Data portability: Individuals have the right to receive their personal information in a structured, commonly used technological format.
• Right to be forgotten: Individuals can request that their personal information be de-indexed (removed from search results) in specific circumstances.
• Mandatory Privacy Officer designation: Public disclosure of the Privacy Officer’s name and contact details is required.
• Anonymisation as an alternative to deletion: Where an individual requests deletion, organisations may anonymise data where deletion is impossible.
• Significant penalties: Up to $25 million CAD or 4% of worldwide turnover for serious violations, and up to $10 million CAD or 2% for other violations. This places Quebec significantly above PIPEDA’s enforcement level.
Under PIPEDA, organisations that knowingly fail to report a breach to the OPC, notify affected individuals, or maintain breach records face fines of up to $100,000 CAD per violation. Beyond financial penalties, the OPC can seek Federal Court orders requiring compliance, make findings public, and refer matters to the Attorney General. Reputational damage from public OPC findings is often more damaging than the financial penalty.
The OPC’s enforcement powers increased significantly through the 2015 and 2018 amendments to PIPEDA. The OPC can now initiate investigations without a complaint, conduct proactive audits of organisations’ privacy practices, and publish findings even where an organisation disputes them.
Under Quebec’s Law 25, as noted above, penalties are significantly higher and more closely match international standards.
A Privacy Impact Assessment (PIA) is a structured process for identifying and mitigating privacy risks associated with a new programme, system, or activity that involves personal information. Under PIPEDA, PIAs are a best practice strongly encouraged by the OPC for high-risk projects. Under Quebec’s Law 25, PIAs are mandatory for any project involving personal information and before acquiring, developing, or overhauling information systems.
A PIA under PIPEDA and Quebec Law 25 typically includes:
• Scope definition: What personal information is involved? What is the purpose? Who will have access?
• Regulatory mapping: Which privacy laws apply? What are the specific requirements?
• Risk assessment: What risks to individuals arise from the collection, use, or disclosure of this information? What is the likelihood and severity?
• Risk mitigation: What controls, safeguards, or design changes can reduce identified risks?
• Documentation: A written PIA report that can be provided to the OPC or Quebec’s Commission d’accès à l’information (CAI) if requested
The OPC’s PIA Guidelines provide a step-by-step framework that private sector organisations can adapt.
Does PIPEDA apply to non-Canadian businesses?
PIPEDA applies to organisations that collect, use, or disclose personal information from Canadian individuals “in the course of commercial activity.” This can include foreign companies with no physical presence in Canada if they are engaged in commercial activity involving Canadians. Whether PIPEDA applies depends on the nature and extent of the commercial activity.
What is the difference between PIPEDA and Quebec’s Law 25?
PIPEDA is Canada’s federal private sector privacy law. Law 25 (Bill 64) is Quebec’s provincial law that applies to organisations that process the personal information of Quebec residents. Law 25 is significantly stricter, with higher penalties and additional requirements, including mandatory PIAs, privacy by default, data portability, and the right to de-indexation. If you serve Quebec residents, you must comply with both.
What is the mandatory breach notification threshold under PIPEDA?
Organisations must report to the OPC and notify affected individuals when a breach creates a “real risk of significant harm.” The OPC defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, and negative effects on a credit record. When in doubt, err on the side of reporting.
Does Canada have a “right to be forgotten”?
Under the federal PIPEDA, there is no explicit right to erasure equivalent to the GDPR’s Article 17. However, individuals can withdraw consent and request that personal information collected with their consent be destroyed, subject to retention obligations. Quebec’s Law 25 includes a right to de-indexation of personal information from technology products.
How does PIPEDA handle personal information about employees?
PIPEDA covers employee personal information of federally regulated organisations. For provincially regulated private-sector employees in Alberta, British Columbia, and Quebec, the applicable provincial law governs. In other provinces, PIPEDA covers employee information collected, used, or disclosed in the course of commercial activity, though there is nuance around what constitutes “commercial activity” in an employment context.
What must a PIPEDA-compliant privacy policy include?
The designated Privacy Officer’s contact details, what personal information is collected, the purposes for collection, how information is used and disclosed, any transfers to third parties (including internationally), how individuals can access their information and challenge accuracy, and how to make a privacy complaint.
How long can personal information be retained under PIPEDA?
PIPEDA requires that personal information be retained only as long as necessary to fulfil the purposes for which it was collected. Organisations must establish documented retention schedules and secure destruction procedures. There is no single mandated retention period: it depends on the purpose of collection and any applicable legal retention requirements.
GDPRLocal supports organisations with cross-jurisdictional compliance, including PIPEDA, GDPR, and more. Contact our team for tailored advice.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.