Part of our Compliance & Regulation series
Canada PIPEDA Compliance: Privacy Guide for Digital Businesses
Canada's privacy framework for private sector organisations — built on the Personal Information Protection and Electronic Documents Act (PIPEDA) — is undergoing its most significant transformation since the law took effect in 2004. While PIPEDA remains the federal standard, Quebec's Law 25 (Act Respecting the Protection of Personal Information in the Private Sector, as reformed in 2021–2023) has set a new benchmark for Canadian provincial privacy, and the proposed federal Consumer Privacy Protection Act (CPPA) will eventually replace PIPEDA with a stronger, GDPR-influenced framework.
Understanding Canada's current layered privacy framework — federal PIPEDA, provincial laws in Quebec, Alberta, and British Columbia, and Quebec Law 25 — is essential for any digital business operating in or serving Canadian consumers.
Key Takeaways
- PIPEDA applies to private sector organisations that collect, use, or disclose personal information in the course of commercial activities — with extraterritorial application
- Quebec Law 25 (fully effective September 2023) is stricter than PIPEDA and has GDPR-like consent, rights, and assessment requirements
- Ten Fair Information Principles (from CAN/CSA Standard Q830) govern PIPEDA compliance
- PIPEDA's mandatory breach notification requires reporting to OPC and notification to individuals within 72 hours of determining a "real risk of significant harm"
- The Consumer Privacy Protection Act (CPPA) will eventually replace PIPEDA — monitor for enactment
- The Office of the Privacy Commissioner (OPC) can investigate and recommend compliance but cannot directly impose fines — Bill C-27 proposes to change this
- Quebec's Commission d'accès à l'information (CAI) can impose fines up to 4% of worldwide turnover or $25 million CAD under Law 25
- Consent under PIPEDA must be meaningful, but PIPEDA recognises both express and implied consent in appropriate contexts
Canadian Privacy Framework Overview
Federal: PIPEDA
PIPEDA (Personal Information Protection and Electronic Documents Act, 2004) is Canada's federal private sector privacy law. It applies to:
- Private sector organisations in federally regulated industries (banking, telecommunications, interprovincial transportation, broadcasting) — regardless of province
- Private sector organisations in all provinces without substantially similar provincial legislation — for information collected, used, or disclosed in the course of commercial activities
Exempted jurisdictions: Quebec, Alberta, and British Columbia have provincial laws deemed substantially similar to PIPEDA. In these provinces, PIPEDA still applies to federally regulated activities and cross-provincial/cross-border flows. Quebec's Law 25 adds further requirements on top.
Provincial Laws
Quebec (Act Respecting the Protection of Personal Information in the Private Sector, Law 25): Applies to enterprises collecting personal information in the course of carrying on an enterprise in Quebec. Law 25 reforms (implemented in phases 2022–2023) significantly strengthened Quebec's requirements beyond PIPEDA.
Alberta (Personal Information Protection Act — PIPA): Substantially similar to PIPEDA; applies to provincial activities of Alberta-based private organisations.
British Columbia (Personal Information Protection Act — PIPA BC): Similar framework; applies to provincial activities of BC-based private organisations.
Ontario, Manitoba, Saskatchewan: No substantially similar provincial law — PIPEDA applies.
The Proposed Consumer Privacy Protection Act (CPPA)
Bill C-27 (proposed legislation, introduced June 2022) would enact the Consumer Privacy Protection Act, replacing PIPEDA with:
- GDPR-influenced consent requirements
- Algorithmic transparency and automated decision-making rights
- Data mobility rights
- Significantly enhanced penalties: up to 3% of global revenue or $10 million CAD (Tier 1); 5% of global revenue or $25 million CAD (Tier 2)
- An independent Privacy Tribunal to adjudicate OPC decisions
- Explicit children's privacy protections
As of early 2026, the CPPA has not been enacted. Businesses should monitor legislative progress and design compliance programmes that can be adapted to the new framework when enacted.
PIPEDA's Ten Fair Information Principles
PIPEDA is built on the ten principles from the Canadian Standards Association's Model Code for the Protection of Personal Information (CAN/CSA Q830):
| Principle | Core Requirement |
|---|---|
| 1. Accountability | Designate a privacy officer; implement and maintain privacy policies; third-party accountability |
| 2. Identifying Purposes | Identify purposes before or at collection; document purposes |
| 3. Consent | Obtain meaningful consent; specify purposes clearly |
| 4. Limiting Collection | Collect only what is necessary for identified purposes (data minimisation) |
| 5. Limiting Use, Disclosure, and Retention | Use/disclose only for identified purposes; retain only as long as necessary |
| 6. Accuracy | Maintain accurate, complete, and up-to-date information |
| 7. Safeguards | Protect with security safeguards appropriate to sensitivity |
| 8. Openness | Be transparent about policies and practices; Privacy Policy publicly available |
| 9. Individual Access | Upon request, inform individuals what personal information you hold; provide access within 30 days |
| 10. Challenging Compliance | Individuals can challenge compliance; address complaints promptly |
Consent under PIPEDA: Principle 3 requires meaningful consent — individuals must understand what they are consenting to. Consent can be express (explicit, written, or oral) or implied (where purpose is obvious and individual would reasonably expect it). Implied consent is appropriate for less sensitive information and lower-risk uses. Express consent is required for sensitive information and for uses individuals would not expect.
The OPC has consistently found that "bundled consent" (one tick box for multiple purposes) and "deemed consent" (burying data practices in dense terms and conditions) do not constitute meaningful consent.
Quebec Law 25: Stronger Requirements
Quebec's Law 25 (Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) represents the most significant provincial privacy reform in Canada. Implemented in three phases:
Phase 1 (September 2022): Mandatory breach notification, governance requirements, privacy officer designation, retention schedule policies
Phase 2 (September 2023): Privacy impact assessments, new individual rights (access, correction, portability, objection to profiling), consent standards, transparency requirements for automated decision-making
Phase 3 (September 2023, continued): Data portability rights, de-indexing rights (right to oblivion), cross-border transfer protection impact assessments
Key Law 25 Requirements Beyond PIPEDA
Privacy impact assessments (PIAs): Required before any project involving collection, use, or communication of personal information. The PIA must be communicated to the CAI for high-risk projects.
Cross-border transfer PIAs: Before communicating personal information outside Quebec, enterprises must conduct a privacy protection impact assessment using criteria set by the CAI. This must consider the sensitivity of the information, the legal protections in the destination jurisdiction, and the measures that will be applied to protect the information.
Right to de-indexing (right to oblivion): Individuals can request removal of hyperlinks attached to their name that disseminate personal information where: the information is no longer accurate, the person is a minor, or there is no legitimate justification for the indexing.
Automated decision-making transparency: Where a decision based exclusively on automated processing of personal information is made with legal or significant effects, individuals must be informed and have the right to request human review.
Consent standards: Consent must be clear, freely given, and informed. It must be requested for each specific purpose. Implicit consent is generally not sufficient for Quebec — explicit, affirmative action is required.
Penalties: The CAI can impose fines of up to $25 million CAD or 4% of worldwide turnover (whichever is higher) for serious contraventions of Law 25. The CAI has begun enforcement and has issued its first penalty decisions.
Mandatory Breach Reporting Under PIPEDA
The mandatory breach reporting requirements under PIPEDA (in force since November 1, 2018) apply when a breach of security safeguards creates a "real risk of significant harm" to individuals.
Significant harm includes: bodily harm, humiliation, damage to reputation, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to relationships or loss of trust.
Reporting requirements:
- Report to OPC: As soon as feasible after determining a real risk of significant harm. Use the OPC's Data Breach Reporting Form.
- Notify affected individuals: At the same time as OPC reporting, or as soon as feasible. Notification must:
  - Describe the circumstances of the breach
  - Identify what personal information was involved
  - Describe steps taken to address the breach
  - Explain what affected individuals can do to protect themselves
  - Provide contact information for the organisation
- Notify other organisations: Where another organisation may be able to reduce the risk of harm (e.g., credit bureaus, law enforcement), notify them.
Record-keeping: Maintain records of all breaches (whether or not a real risk of significant harm was determined) for 24 months. OPC can request these records.
Quebec Law 25 breach requirements: Quebec's own notification requirements apply to enterprises in Quebec. Law 25 requires notification to the CAI within 72 hours of becoming aware of a confidentiality incident involving personal information that presents a risk of harm, using the CAI's prescribed form.
Data Transfers and Accountability
PIPEDA's accountability principle (Principle 1) extends to third-party data handling: organisations are responsible for personal information in their custody, including when transferred to third parties for processing. Contracts with processors must provide comparable protection.
Cross-border transfers: PIPEDA does not prohibit cross-border data transfers but requires organisations to be accountable for their personal information when transferred overseas. Use contractual agreements to ensure comparable protection. The OPC's guidelines recommend documenting the countries to which data may be transferred.
Quebec Law 25 cross-border restrictions: Quebec imposes a stricter cross-border transfer framework requiring a documented Privacy Impact Assessment before any out-of-province transfer, considering destination protections, sensitivity of the information, and safeguards applied.
Privacy Management Programme
OPC guidelines recommend implementing a comprehensive privacy management programme as the foundation for PIPEDA compliance:
1. Privacy governance:
- Designate a Privacy Officer with appropriate authority and expertise
- Develop and implement privacy policies and procedures
- Create a privacy governance structure with clear accountability
2. Risk management:
- Conduct Privacy Impact Assessments (PIAs) for new or modified programs, systems, and activities
- Maintain a risk register for privacy risks
- Integrate privacy review into product development and IT change management
3. Policy framework:
- Privacy Policy (public-facing)
- Data Retention and Disposal Policy
- Breach Response Procedure
- Third-Party Vendor Management Policy
- Employee Privacy Policy
4. Training and awareness:
- Annual privacy training for all employees
- Role-specific training for those who routinely handle personal information
- Training for new employees at onboarding
5. Monitoring and verification:
- Regular privacy audits
- Periodic review and update of PIAs
- Annual review of privacy policies
- Monitoring of regulatory guidance from OPC, CAI, and provincial privacy commissioners
OPC Enforcement and Complaints Process
The OPC (Office of the Privacy Commissioner of Canada) operates primarily as an ombudsperson under PIPEDA — it investigates complaints and makes recommendations, but cannot directly impose fines. Compliance with OPC recommendations is not legally compelled under current PIPEDA, though OPC can apply to Federal Court for a court order enforcing its findings.
Complaint process:
- Individual submits complaint to organisation (recommended first step)
- Individual submits complaint to OPC (no prior organisation contact required)
- OPC attempts early resolution; if unsuccessful, proceeds to formal investigation
- OPC publishes findings and recommendations
- OPC can apply to Federal Court for orders requiring compliance
Court orders can include requirements to change practices, destroy information, publish notices, and pay damages.
OPC powers expansion under proposed CPPA: Bill C-27 would give the OPC power to impose administrative monetary penalties directly, enforceable through the Privacy Tribunal. Fines would reach $25 million or 5% of global revenue.
PIPEDA/Law 25 Compliance Checklist
- Federal applicability determined (PIPEDA vs. provincial law based on sector and province)
- Quebec Law 25 applicability assessed (enterprise collecting PI in course of business in Quebec)
- Privacy Officer designated and empowered
- Privacy Policy published, up-to-date, accessible
- Collection limited to what is reasonably necessary (Principle 4)
- Consent obtained: express for sensitive information; meaningful implied for non-sensitive
- Consent records maintained
- PIAs conducted for new projects (Law 25 mandatory; OPC recommends for PIPEDA)
- Cross-border transfer assessment completed (Law 25: PIA required before out-of-province transfer)
- Processor/vendor contracts include comparable protection requirements
- Data retention schedule documented and implemented
- Access request procedure documented (30-day response)
- Correction request procedure documented
- Breach response procedure documented (OPC report + individual notification)
- Breach records maintained (24 months)
- CAI breach notification procedure for Quebec operations (72-hour preliminary)
- Employee training completed and documented
- Automated decision-making transparency implemented (Law 25)
Frequently Asked Questions
Does PIPEDA apply to my US company serving Canadian customers?
PIPEDA applies to organisations that collect, use, or disclose personal information in the course of commercial activities. If your US company has a website serving Canadian consumers and collects their personal information, PIPEDA likely applies — particularly to the collection and use of that information. Quebec's Law 25 applies to enterprises "carrying on an enterprise in Quebec," which can include maintaining a website accessible to Quebec residents with commercial intent. The OPC has investigated non-Canadian companies for PIPEDA violations involving Canadian residents' data.
What is the difference between PIPEDA and Quebec Law 25?
Quebec Law 25 is generally stricter than PIPEDA in several key areas:
- Consent: Law 25 requires explicit, specific consent for most processing; PIPEDA permits implied consent for non-sensitive information.
- Cross-border transfers: Law 25 requires a formal Privacy Impact Assessment before out-of-province transfers; PIPEDA requires accountability but no prescribed assessment format.
- Rights: Law 25 includes the right to de-indexing, portability, and objection to profiling; PIPEDA's rights are more limited.
- Enforcement: Law 25 allows the CAI to impose fines up to $25M or 4% of worldwide turnover; PIPEDA's OPC can only seek court orders.
- Privacy impact assessments: Mandatory under Law 25 for new projects; recommended but not mandatory under PIPEDA.
How does consent work under PIPEDA for email marketing?
PIPEDA consent for email marketing is also governed by Canada's Anti-Spam Legislation (CASL), which operates alongside PIPEDA. CASL requires express consent before sending commercial electronic messages unless an exemption applies (existing business relationship, prior express consent). Express consent must be opt-in (no pre-checked boxes). An existing business relationship creates implied consent under CASL for 2 years after a transaction. Under PIPEDA Principle 3, meaningful consent for marketing must identify the purpose clearly. CASL's specific requirements for commercial email override PIPEDA in cases of conflict — compliance with CASL generally satisfies PIPEDA's consent requirements for email marketing purposes.
When is a Privacy Impact Assessment (PIA) required?
Under PIPEDA, PIAs are strongly recommended by OPC for new programs or systems that will involve personal information — but not legally mandatory. Under Quebec Law 25, PIAs are mandatory before carrying out any project involving collection, communication, or use of personal information, and before communicating personal information outside Quebec. The CAI issues PIA guidelines and provides templates. Federal government departments are also required to conduct PIAs for programs using Canadians' personal information. Practically, PIAs should be standard practice for any new product, feature, or business process involving significant personal data collection.
What is the "right to be forgotten" under Quebec Law 25?
Quebec Law 25 includes a right of de-indexing — sometimes called the right to be forgotten or right to oblivion. Individuals can request that an enterprise cease disseminating personal information or de-index any hyperlink attached to their name if the dissemination: causes them harm and violates law; is excessive, not relevant, or has been the subject of unlawful collection; is no longer relevant to the purposes for which it was collected; or the person is a minor. This differs from GDPR's right to erasure — it specifically targets de-indexing of hyperlinks, not just deletion of underlying data.
Next Steps
Canada's privacy landscape is more complex than it appears from outside — federal PIPEDA, Quebec Law 25, provincial PIPA laws, and proposed CPPA reform create a layered compliance environment. For digital businesses with Canadian operations or users, building a comprehensive privacy programme that satisfies PIPEDA as a baseline and Law 25 as the highest bar is the most efficient approach.
ECOSIRE's team helps businesses navigate Canadian privacy requirements, design privacy-by-design digital platforms, and implement consent management systems that satisfy both PIPEDA and Quebec Law 25 requirements.
Learn more: ECOSIRE Services
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Canadian privacy law is evolving through federal legislation and Quebec Law 25 implementation. Consult qualified Canadian legal counsel for advice specific to your organisation.
Written by
ECOSIRE Research and Development Team
Enterprise digital product development at ECOSIRE. Insights into Odoo integrations, e-commerce automation and AI-powered business solutions.