Last reviewed: 2026-05-04. Reviewer: M.K., CIPP/E.
PIPEDA Office of the Privacy Commissioner of Canada

REGULATION · NATIONAL · IN FORCE SINCE 2001

Personal Information Protection and Electronic Documents Act

Canada's federal private-sector privacy law, in force since 2001. Sets out ten fair information principles (Schedule 1), a right of individual access, and mandatory breach reporting (s. 10.1, since November 2018); enforcement runs through OPC findings and Federal Court applications rather than direct fines.


Scope and territorial reach

Where it applies — 1 jurisdiction

Ten fair information principles (Schedule 1)

The backbone of the Act — every collection, use or disclosure must satisfy all ten simultaneously.

  1. Accountability (Schedule 1, Principle 4.1)

    An organization is responsible for personal information under its control and must designate an individual (privacy officer) accountable for compliance. Responsibility extends to information transferred to third-party processors via contract. The organization must implement policies, train staff, and handle complaints — accountability cannot be outsourced even when processing is.

  2. Identifying purposes (Schedule 1, Principle 4.2)

    The purposes for collecting personal information must be identified at or before the time of collection. New purposes require fresh consent unless permitted by law. Purposes must be documented and communicated to the individual orally or in writing — a privacy notice is the standard mechanism. Vague catch-all purposes are not acceptable under OPC guidance.

  3. Consent (Schedule 1, Principle 4.3)

    Knowledge and consent of the individual are required for collection, use, or disclosure of personal information, except where inappropriate. Consent must be meaningful — the individual must reasonably understand what they agree to. Form (express vs implied) varies with sensitivity. Withdrawal must be possible at any time, subject to legal or contractual restrictions.

  4. Limiting collection (Schedule 1, Principle 4.4)

    Collection of personal information is limited to what is necessary for the identified purposes. Information must be collected by fair and lawful means — no deception, no over-collection 'just in case'. The OPC's Tim Hortons finding (2022) made this principle bite: collecting continuous geolocation 'for marketing' was disproportionate to the stated purpose.

  5. Limiting use, disclosure and retention (Schedule 1, Principle 4.5)

    Personal information may only be used or disclosed for the purposes identified at collection, except with consent or as required by law. Retention is limited to fulfilling those purposes, after which data must be destroyed, erased, or anonymized. Organizations must develop guidelines and procedures including minimum and maximum retention periods.

  6. Accuracy (Schedule 1, Principle 4.6)

    Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Routinely updating data is not required unless inaccuracy could prejudice the individual. Individuals may challenge accuracy and have inaccurate data corrected — feeds directly into the right of access (Principle 4.9).

  7. Safeguards (Schedule 1, Principle 4.7)

    Personal information must be protected by security safeguards appropriate to sensitivity. Methods include physical (locked cabinets), organizational (clearance levels, training), and technological (encryption, access controls). Sensitivity, amount, distribution, format, and method of storage all factor in. Failure here triggers PIPEDA's mandatory breach reporting (s. 10.1, in force since 1 November 2018).

  8. Openness (Schedule 1, Principle 4.8)

    Organizations must make readily available specific information about their policies and practices relating to personal information management. This is the privacy-policy principle: the published information must include the name and contact details of the accountable person, the means of gaining access to personal information, the kinds of information held and the purposes for which they are used, and a description of any third-party data sharing.

  9. Individual access (Schedule 1, Principle 4.9)

    Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and given access to it. The individual can challenge accuracy and completeness. Default response time is 30 days; extensions up to 30 more days are permitted with notice. Refusals must be justified in writing and the individual informed of recourse.

  10. Challenging compliance (Schedule 1, Principle 4.10)

    An individual must be able to address a challenge concerning compliance with the above principles to the designated accountable person. Organizations must have complaint-handling procedures that are easily accessible and simple to use. They must investigate complaints, and if a complaint is justified, take appropriate measures including amending policies and practices.

Seven consent grounds and exceptions (Principle 4.3 and s. 7)

You must identify and document one before processing — and consent isn't always the right one.

Express consent (Schedule 1, Principle 4.3 + s. 6.1)

Required for sensitive information or when reasonable expectations would not include the use — opt-in checkbox, signature, or affirmative action.

Common for: Health data, financial data, marketing emails (CASL overlap), analytics cookies that profile users

Implied consent (OPC Guidelines on Consent, May 2018)

Permissible only when use is obvious from context, non-sensitive, and within reasonable expectations. OPC guidance has tightened — implied consent for online tracking is increasingly rejected.

Common for: Order fulfillment using shipping address, basic site analytics with no profiling

Business transaction exception (s. 7.2)

Personal information may be used or disclosed for a prospective or completed business transaction (M&A, asset sale) without consent, subject to safeguarding and post-transaction notice obligations.

Common for: Due diligence in acquisitions, customer-list transfers

Required by law / legal authority (s. 7(1)(c.1), 7(2)(c.1), 7(3)(c)–(c.2))

Disclosure to a government institution with lawful authority (subpoena, warrant, statutory authority), or where required by law.

Common for: Court orders, tax compliance, AML/FINTRAC reporting

Investigation / breach response (s. 7(3)(d.1), 7(3)(d.2))

Use or disclosure without consent is permitted to investigate a breach of agreement or contravention of law, or to detect and suppress fraud.

Common for: Fraud investigations, security incident response, anti-money-laundering checks

Publicly available information (s. 7(1)(d), 7(2)(c.1), 7(3)(h.1) + Regulations Specifying Publicly Available Information, SOR/2001-7)

Narrow exception — only specified categories: telephone directories, professional/business listings, public registries, court records, and publications. Web-scraping general public content is NOT covered (OPC v. Clearview AI, 2021).

Common for: Phone-book lookup, public registry searches

Information voluntarily disclosed by the individual (OPC interpretation under Principle 4.3)

Where an individual has voluntarily made information public (e.g., on a public profile) for a purpose, use consistent with that purpose may proceed — but this is narrowly construed and not a general 'social media is fair game' carve-out.

Common for: Public LinkedIn job titles for B2B prospecting, with caveats

Six individual rights (Schedule 1 and ss. 8–14)

What individuals can demand from you, with the response window and scope.

| Right | Article | Response | Scope |
|---|---|---|---|
| Right to access personal information | Schedule 1, Principle 4.9 + s. 8 | 30 days | Individual may request access to their personal information held by the organization, including how it has been used and to whom disclosed. Response within 30 days; one 30-day extension permitted with written notice. Refusals must cite a statutory exception (s. 9). |
| Right to challenge accuracy | Schedule 1, Principle 4.6 + 4.9.5 | 30 days | If the individual demonstrates information is inaccurate or incomplete, the organization must amend it. If the challenge is unresolved, the substance must be recorded and disclosed to third parties who received the information. |
| Right to withdraw consent | Schedule 1, Principle 4.3.8 + OPC Guidelines on Consent (2018) | 30 days | Individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Organization must inform the individual of the implications of withdrawal (e.g., service discontinuation). |
| Right to complain to the Commissioner | s. 11 | At collection | Individual may file a written complaint with the OPC against any organization for contravention of PIPEDA. The Commissioner investigates, attempts mediation, and issues a report of findings (well-founded, not well-founded, resolved, settled, discontinued). |
| Right to seek Federal Court remedy | s. 14 | At collection | After receiving the Commissioner's report, the complainant may apply to the Federal Court within one year for a hearing. Court can order the organization to correct practices, publish a notice of corrective action, and award damages — including for humiliation. |
| Right to be informed of a breach | s. 10.1 (in force 2018-11-01) | At collection | Where a breach of security safeguards creates a 'real risk of significant harm' (RROSH), the organization must notify the individual and report to the OPC as soon as feasible. Records of all breaches must be kept for 24 months — failure is a criminal offence (s. 28) with fines up to CAD $100,000. |

Federal and provincial layers

PIPEDA is the federal default, but it yields to provincial private-sector laws declared 'substantially similar' for activity within that province; federally regulated businesses and inter-provincial flows stay under PIPEDA regardless.

| Jurisdiction | Code | Act | Stricter than PIPEDA baseline? | Note |
|---|---|---|---|---|
| 🇨🇦 Canada (federal) | CA-FED | PIPEDA — S.C. 2000, c. 5 | Aligned | Federal default. Applies to all federally regulated businesses (banks, telecom, airlines, inter-provincial transport) Canada-wide, AND to private-sector organizations in any province lacking 'substantially similar' legislation. Bill C-27 (CPPA) died on the Order Paper at the January 2025 prorogation and was not revived after the April 2025 election. |
| 🇨🇦 Quebec | CA-QC | Law 25 (modernized Act respecting the protection of personal information in the private sector) | Stricter | Three-phase rollout: Phase 1 (22 Sep 2022) — privacy officer + breach notification to CAI; Phase 2 (22 Sep 2023) — privacy policy, PIA mandate, automated-decision disclosure, biometric registration; Phase 3 (22 Sep 2024) — right to data portability. Penalties up to CAD $25M or 4% of global turnover — by far Canada's strictest. |
| 🇨🇦 Alberta | CA-AB | Personal Information Protection Act (PIPA), 2003 | Aligned | Substantially similar to PIPEDA. Enforced by the Office of the Information and Privacy Commissioner of Alberta (OIPC AB). Currently under legislative review (Standing Committee on Resource Stewardship, 2024). |
| 🇨🇦 British Columbia | CA-BC | Personal Information Protection Act (PIPA), 2003 | Aligned | Substantially similar to PIPEDA. Enforced by the Office of the Information and Privacy Commissioner for BC (OIPC BC). Frequently joins federal OPC investigations (Facebook 2019, Tim Hortons 2022, TikTok 2023+). |
| 🇨🇦 Ontario | CA-ON | PHIPA (health) — general private-sector law under consideration | Aligned | Personal Health Information Protection Act 2004 covers health-information custodians. For commercial activity outside health, PIPEDA applies, as Ontario has no general substantially-similar private-sector law (as of 2026). Ontario consulted on a provincial law in 2021 but has not enacted one. |


Common questions

Does PIPEDA apply to my US-based business?
Yes, if there is a real and substantial connection to Canada. The OPC and Federal Court have applied PIPEDA extraterritorially where a foreign organization collects, uses, or discloses personal information of Canadians in the course of commercial activity (Lawson v. Accusearch, 2007 FC 125; AT v. Globe24h.com, 2017 FC 114). A US site marketing to Canadians, accepting Canadian customers, or processing Canadian users' data is generally in scope. Quebec residents trigger Law 25 in addition.
What's the maximum PIPEDA fine?
Federal PIPEDA does not give the OPC direct fining power. The Commissioner investigates and issues findings, but monetary remedies require a Federal Court application by the complainant under s. 14 (damages, including humiliation). Criminal offences under s. 28 (failure to report a breach, retaliation against whistleblowers, obstruction) carry fines up to CAD $100,000 per offence on indictment. This is the single biggest enforcement-power gap that Bill C-27/CPPA was meant to close — it died at January 2025 prorogation. Quebec's Law 25, by contrast, allows administrative monetary penalties up to CAD $10M or 2% of global turnover, and penal fines up to CAD $25M or 4%.
PIPEDA vs Quebec Law 25 — which applies to my Quebec users?
Both can apply, but Law 25 has primacy for Quebec residents because the federal government has declared Quebec's Act 'substantially similar' to PIPEDA — meaning Quebec law governs intra-provincial private-sector activity, while PIPEDA still covers federally regulated businesses (banks, telecom, airlines) and inter-provincial flows. Practical rule: if you process Quebec residents' data, comply with Law 25 (it's stricter on consent, PIA, transfers, and right to portability). Federal businesses must comply with both in parallel.
Express vs implied consent — when do I need which?
Express consent (opt-in checkbox, signature, affirmative action) is required when (a) information is sensitive — health, financial, biometric, geolocation, sexual orientation; (b) the use is outside reasonable expectations; or (c) the activity carries meaningful residual risk. Implied consent is acceptable only for non-sensitive data with obvious purposes within reasonable expectations — and the OPC's 2018 Guidelines on Consent narrowed this significantly for online tracking. Tim Hortons (2022) confirmed that 'continuous geolocation for marketing' fails the implied-consent test even when buried in a privacy policy.
Do I need a Canadian-based privacy officer?
PIPEDA Principle 4.1 requires you to designate an individual accountable for privacy compliance — this person does not need to reside in Canada. The role can be fulfilled by an existing privacy officer (DPO, CPO) anywhere, but their contact details must be made available to Canadian individuals (Principle 4.8 — Openness). Quebec Law 25, by contrast, requires designation of a privacy officer whose title/contact is published — by default this is the highest-ranking person in the organization unless otherwise designated.
PIPEDA mandatory breach notification — what triggers it?
Section 10.1, in force since 1 November 2018, requires notification when a 'breach of security safeguards' creates a 'real risk of significant harm' (RROSH) to an individual. Significant harm includes bodily harm, humiliation, damage to reputation/relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on credit record, and damage to property. Notify the OPC and the individual 'as soon as feasible' — no fixed 72-hour clock like the GDPR, but delays are scrutinized. Records of all breaches (not just RROSH ones) must be kept for 24 months.
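The record-keeping duty described above is easy to get wrong in practice: only RROSH breaches trigger notification, but every breach must still be logged and retained for 24 months. The sketch below is an added example (not code from the page or from the OPC) of a minimal breach register that enforces that distinction. The identifiers, descriptions and dates are constructed sample data, and anchoring the 24-month retention period at the date the organization determined the breach occurred is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# 24 months, as the page states. Anchoring the period at the date the breach
# was determined to have occurred is an assumption of this example.
RECORD_RETENTION = timedelta(days=730)


@dataclass
class BreachRecord:
    ref: str                      # constructed internal reference, not a real identifier
    determined_at: datetime       # when the organization concluded a breach of safeguards occurred
    description: str
    rrosh: bool                   # outcome of the 'real risk of significant harm' assessment
    opc_reported_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None

    def outstanding_actions(self) -> list[str]:
        """Notification duties still open for this breach.

        Non-RROSH breaches carry no notification duty but stay in the
        register, because s. 10.1 records cover every breach.
        """
        if not self.rrosh:
            return []
        actions = []
        if self.opc_reported_at is None:
            actions.append("report to OPC")
        if self.individuals_notified_at is None:
            actions.append("notify affected individuals")
        return actions


class BreachRegister:
    def __init__(self) -> None:
        self._records: dict[str, BreachRecord] = {}

    def record(self, rec: BreachRecord) -> None:
        # Every breach is logged, whatever the RROSH outcome.
        if rec.ref in self._records:
            raise ValueError(f"duplicate breach reference {rec.ref}")
        self._records[rec.ref] = rec

    def count(self) -> int:
        return len(self._records)

    def overdue(self) -> dict[str, list[str]]:
        """RROSH breaches whose OPC report or individual notification is still open."""
        return {r.ref: r.outstanding_actions()
                for r in self._records.values() if r.outstanding_actions()}

    def purge_expired(self, now: datetime) -> list[str]:
        """Remove records older than the retention window; returns the purged refs."""
        expired = [ref for ref, r in self._records.items()
                   if now - r.determined_at > RECORD_RETENTION]
        for ref in expired:
            del self._records[ref]
        return expired


def sample_register() -> BreachRegister:
    """Constructed sample data for demonstration only; none of it is real."""
    reg = BreachRegister()
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    # Low-impact incident: recorded, but no notification duty.
    reg.record(BreachRecord("BR-0001", t0,
                            "misdirected email containing one customer's address", rrosh=False))
    # RROSH incident fully handled: reported to the OPC and individuals notified.
    reg.record(BreachRecord("BR-0002", t0 + timedelta(days=400),
                            "lost unencrypted laptop holding payroll data", rrosh=True,
                            opc_reported_at=t0 + timedelta(days=401),
                            individuals_notified_at=t0 + timedelta(days=402)))
    # RROSH incident with both notification steps still outstanding.
    reg.record(BreachRecord("BR-0003", t0 + timedelta(days=700),
                            "credential stuffing exposed financial data", rrosh=True))
    return reg


if __name__ == "__main__":
    reg = sample_register()
    print("records:", reg.count())
    print("overdue:", reg.overdue())
    print("purged:", reg.purge_expired(datetime(2024, 1, 10, tzinfo=timezone.utc) + timedelta(days=731)))
```

Because the Act sets no fixed notification clock, `overdue()` reports open duties rather than a deadline; the timestamps it stores are what lets an organization show that it acted 'as soon as feasible'.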
How does PIPEDA interact with provincial laws?
PIPEDA applies as the federal default but yields to provincial laws declared 'substantially similar' for activity within that province. Substantially similar to date: Quebec (Law 25), Alberta (PIPA), British Columbia (PIPA). Ontario's PHIPA covers health-information custodians only — for other commercial activity in Ontario, PIPEDA applies. Federally regulated businesses (banks, telecom, airlines, inter-provincial transport) always remain under PIPEDA regardless of province.
What can the OPC actually do — Federal Court remedies and powers?
The OPC investigates complaints (s. 12), conducts audits (s. 18), issues findings and recommendations, and concludes compliance agreements (s. 17.1). It cannot directly fine or order. After OPC findings, the complainant or Commissioner may apply to the Federal Court within one year (s. 14) — the Court can order corrective measures, publication of corrective notices, and award damages. Criminal offences under s. 28 are prosecuted by the Public Prosecution Service. This 'soft' enforcement model is widely criticized as a key reason why Bill C-27/CPPA was proposed (and then died).
Bill C-27 / CPPA status — what happened?
Bill C-27 (Digital Charter Implementation Act, 2022) would have replaced PIPEDA Part 1 with the Consumer Privacy Protection Act (CPPA), created the Personal Information and Data Protection Tribunal, and enacted the Artificial Intelligence and Data Act (AIDA). After two and a half years in committee, Parliament was prorogued in January 2025 and Bill C-27 died on the Order Paper. The April 2025 federal election did not lead to its revival in identical form. As of May 2026, PIPEDA (2001) remains the federal private-sector privacy law, unchanged in substance since the 2015 Digital Privacy Act. Future federal reform is expected but not currently scheduled — most observers expect a CPPA-lite reintroduction split from AIDA.
Cross-border transfer rules under PIPEDA — what do I need?
PIPEDA does not prohibit cross-border transfers but imposes Principle 4.1.3 — accountability follows the data. The transferring organization remains responsible and must use contractual or other means to provide a comparable level of protection. Transparency is required: individuals must be informed (Principle 4.8) that data may be processed in a foreign jurisdiction and may therefore be accessible by foreign authorities. Quebec Law 25 (s. 17, in force since 22 September 2023) goes further: a Privacy Impact Assessment is mandatory before transferring personal information outside Quebec, evaluating sensitivity, purpose, safeguards, and the legal regime of the destination — most directly affecting transfers to the US.