🇨🇦Canada

PIPEDA

Personal Information Protection and Electronic Documents Act

Canada's federal private sector privacy law governing how organisations collect, use, and disclose personal information in the course of commercial activity.

Overview

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private sector privacy law. It applies to organisations that collect, use, or disclose personal information in the course of commercial activity across provincial borders or in provinces without substantially similar private sector privacy legislation. PIPEDA is built around ten Fair Information Principles derived from the Canadian Standards Association Model Code.

PIPEDA has been under review for several years, with Bill C-27 — which would replace it with the Consumer Privacy Protection Act (CPPA) — progressing through Parliament. Until amended legislation takes effect, PIPEDA remains in force. Quebec's Law 25 (effective September 2023) and Alberta's and British Columbia's substantially similar provincial laws apply in those provinces for purely intra-provincial activities, but PIPEDA applies to federal undertakings and cross-border transfers in all provinces.

The Office of the Privacy Commissioner of Canada (OPC) has broad investigation and audit powers but historically limited enforcement teeth: it issues findings and recommendations rather than binding orders. However, Bill C-27 proposes significantly strengthened enforcement, with penalties up to 5% of global revenue or CAD $25 million, a new Privacy Tribunal, and private rights of action, signalling a major shift toward the GDPR-style enforcement model.

Scope & Applicability

PIPEDA applies to private sector organisations (other than those subject to substantially similar provincial privacy laws) that collect, use, or disclose personal information in the course of commercial activities, and to federally regulated businesses. It covers personal information about identifiable individuals, excluding business contact information and aggregate anonymous data. Provinces with substantially similar legislation (Quebec, Alberta, British Columbia) apply their own laws to intra-provincial activities.

Key Principles

  1. Accountability: organisations are responsible for personal information under their control and must designate a privacy officer
  2. Identifying Purposes: purposes for collection must be identified at or before the time of collection
  3. Consent: meaningful consent is required for collection, use, and disclosure, appropriate to the sensitivity of the information
  4. Limiting Collection: only information necessary for the identified purposes may be collected
  5. Limiting Use, Disclosure and Retention: information must only be used or disclosed for the purposes for which it was collected, and retained only as long as necessary
  6. Accuracy: personal information must be accurate, complete, and up to date
  7. Safeguards: appropriate security safeguards must protect personal information against loss, theft, unauthorised access, disclosure, copying, use, or modification
  8. Openness: organisations must make readily available their policies and practices relating to personal information management
  9. Individual Access: individuals have the right to access their personal information held by an organisation
  10. Challenging Compliance: individuals must be able to challenge an organisation's compliance with the Fair Information Principles

Data Subject Rights

Right of Access

Individuals can request access to their personal information held by an organisation and receive it within 30 days, along with information about how it has been used and to whom it has been disclosed.

Right to Correction

Individuals can request correction of inaccurate personal information, and organisations must amend the information as appropriate or note the disagreement.

Right to Withdraw Consent

Individuals can withdraw consent for collection, use, or disclosure at any time, subject to legal or contractual restrictions, with reasonable notice.

Right to Challenge Compliance

Individuals can challenge an organisation's compliance with PIPEDA by filing a complaint with the OPC, which will investigate and issue findings.

Right to Know Purposes

Individuals must be informed of the purposes for which their personal information is collected at or before the time of collection.

Business Obligations

Designate a Privacy Officer

Organisations must designate one or more individuals accountable for PIPEDA compliance and make the title/name of that individual available to the public.

Obtain Meaningful Consent

Meaningful consent must be obtained for all collection, use, and disclosure: express consent for sensitive information, implied consent for less sensitive information. For consent to be meaningful, individuals must be informed of the purposes before they consent.

Respond to Access Requests

Access requests must be responded to within 30 days (extendable by 30 days in certain circumstances) and personal information provided in understandable form.

Report Significant Breaches

Organisations must report breaches of security safeguards that create 'real risk of significant harm' to the OPC, notify affected individuals, and keep records of all breaches for 24 months.

Implement Safeguards

Security safeguards appropriate to the sensitivity of the information must protect against loss, theft, and unauthorised access, use, modification, or disclosure.

Publish Privacy Policies

Organisations must make their privacy policies and practices readily available to individuals in a clear, understandable format.

Cross-Border Transfer Rules

PIPEDA permits transfers of personal information to third parties, including those in other countries, for processing, provided that comparable levels of protection are maintained. Organisations are accountable for third parties they transfer data to and must use contractual or other means to provide comparable protection. There is no list of adequate countries — organisations must conduct their own due diligence and maintain accountability for transferred data. The OPC has indicated that organisations should inform individuals of the possibility of transfer to another jurisdiction.

Breach Notification Requirements

Notification Timeline

As soon as feasible after determining that a breach has occurred — there is no specific deadline, but the OPC expects prompt reporting

Notify Authority

Office of the Privacy Commissioner of Canada — report must be made if the breach creates real risk of significant harm to individuals

Notify Individuals

Individuals must be notified as soon as feasible if the breach creates real risk of significant harm; organisations must keep records of all breaches for 24 months

How TruePrivacy Helps

Purpose-built tools for every PIPEDA obligation.

PIPEDA Access Request Management

Centralised workflows handle PIPEDA access requests with 30-day tracking, identity verification, and automated information retrieval across systems.

Breach Assessment and OPC Reporting

Structured breach assessments determine whether a breach meets the 'real risk of significant harm' threshold and generate OPC-ready notification reports.

Meaningful Consent Workflows

Consent management tools capture granular, purpose-specific consent records aligned with OPC guidance on what constitutes 'meaningful' consent.

Privacy Management Program Documentation

TruePrivacy builds and maintains a complete privacy management programme documentation package aligned with OPC accountability guidance.

Bill C-27 Readiness Assessment

Gap analysis tools identify where PIPEDA compliance falls short of the proposed Consumer Privacy Protection Act standards, enabling proactive preparation.

Ready to achieve PIPEDA compliance?

TruePrivacy automates your compliance workflows so your team can focus on what matters.