PIPEDA Compliance Guide: What Canadian Businesses Need to Know
A practical guide to PIPEDA compliance for Canadian businesses. Covers the 10 fair information principles, consent requirements, breach notification rules, access requests, and how PIPEDA compares to GDPR.
Last updated: 2025-02-07
If you run a business in Canada that collects customer data — and in 2025 that is virtually every business — you need to understand PIPEDA. Not because it is exciting (it is not), but because it is the law, and the consequences of ignoring it are getting more serious every year.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or privacy professional for guidance specific to your business. The information here is based on Canada's Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and related guidance from the Office of the Privacy Commissioner of Canada, as of the date of publication.
PIPEDA is Canada's federal privacy law, and it governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. If you have customers, employees (in certain cases), or any kind of data collection process, PIPEDA is part of your life.
This guide explains what PIPEDA actually requires, in plain language, with practical steps you can take to comply.
What Is PIPEDA?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5). It is Canada's federal privacy law for the private sector, and it has been in effect since 2000 (with full application since 2004).
At its core, PIPEDA sets out rules for how organizations handle personal information during commercial activities. "Personal information" under PIPEDA means any information about an identifiable individual — names, email addresses, phone numbers, purchase history, IP addresses, financial information, health information, and more.
PIPEDA is not the only privacy law in Canada. Several provinces have their own substantially similar legislation:
- Alberta: Personal Information Protection Act (PIPA)
- British Columbia: Personal Information Protection Act (PIPA)
- Quebec: Law 25 (An Act respecting the protection of personal information in the private sector)
If your business operates in one of these provinces and only handles data within that province, the provincial law may apply instead of PIPEDA. But if your data crosses provincial borders or involves federal works, undertakings, or businesses (banking, telecommunications, inter-provincial transportation, etc.), PIPEDA applies.
The practical advice: Unless you are certain you only operate within Alberta, BC, or Quebec, assume PIPEDA applies. And even if a provincial law applies, the principles are similar enough that PIPEDA compliance gets you most of the way there.
Who Does PIPEDA Apply To?
PIPEDA applies to:
- Private-sector organizations that collect, use, or disclose personal information in the course of commercial activity
- Federally regulated organizations (banks, airlines, telecommunications companies, inter-provincial transportation) regardless of province
- Organizations that transfer personal information across provincial or national borders for commercial purposes
PIPEDA does not apply to:
- Federal government institutions (covered by the Privacy Act)
- Provincial and territorial governments
- Not-for-profit and charitable organizations acting in a non-commercial capacity
- Individuals collecting personal information for personal purposes (your personal address book is fine)
- Organizations in provinces with substantially similar legislation, for intra-provincial activities
Does PIPEDA Apply to Small Businesses?
Yes. There is no revenue threshold, employee count threshold, or data volume threshold. A sole proprietor running an online shop from their kitchen table is covered if they collect personal information from customers during commercial activities.
This catches some people off guard. PIPEDA is not like CCPA, which only kicks in at $25 million in revenue or 100,000 consumers. If you are in business and you collect personal data, PIPEDA applies.
The 10 Fair Information Principles
PIPEDA is built on 10 fair information principles from the CSA Model Code for the Protection of Personal Information. These principles are the backbone of the law, and understanding them is understanding PIPEDA.
1. Accountability
Your organization is responsible for personal information under its control. You must designate someone to be accountable for compliance — a privacy officer or equivalent. This does not need to be a full-time role. In a small business, it might be the owner or a senior employee with privacy as part of their responsibilities.
You are also accountable for information you transfer to third parties for processing. If you use a payment processor, email marketing tool, or cloud storage provider, you are still responsible for how they handle your customers' data.
2. Identifying Purposes
You must identify the purposes for which you collect personal information at or before the time of collection. You cannot collect data first and figure out what to do with it later.
In practice: Your signup form collects an email address. The identified purpose is "to create your account and send you order updates." If you later want to use that email for marketing, you need to go back and get consent for that new purpose.
3. Consent (PIPEDA Principle 4.3)
You must obtain meaningful consent for the collection, use, and disclosure of personal information. The form of consent can vary:
- Express consent: The individual explicitly agrees (opt-in checkbox, signed form). Required for sensitive information like health data, financial data, or data about children.
- Implied consent: Consent is reasonably inferred from the circumstances. For example, providing your shipping address when placing an order implies consent to use that address for delivery.
- Opt-out consent: Appropriate in limited circumstances, like using contact information for marketing when there is an existing business relationship.
The Office of the Privacy Commissioner (OPC) has been increasingly strict about what counts as meaningful consent. Burying consent in long terms of service is not acceptable. Consent must be informed, voluntary, and specific.
4. Limiting Collection
Only collect personal information that is necessary for the purposes you identified. Do not collect data "just in case" or because it might be useful someday.
Common violation: A newsletter signup form that asks for name, email, phone number, date of birth, and mailing address. You need an email address for a newsletter. Everything else is excessive.
5. Limiting Use, Disclosure, and Retention (PIPEDA Principle 4.5)
Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. Once the purpose is fulfilled, you should delete or anonymize the data.
In practice: If you collected someone's email address to send them a purchase receipt, you cannot add them to your marketing email list without their consent. And once the transaction is complete, you should not keep their payment details indefinitely.
6. Accuracy
Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used. This is particularly important for information used to make decisions about individuals.
7. Safeguards
You must protect personal information with appropriate security safeguards. The level of protection should be proportionate to the sensitivity of the information.
This means:
- Technical safeguards: encryption, access controls, secure storage, firewalls
- Organizational safeguards: security policies, employee training, access management
- Physical safeguards: locked offices, secure disposal of physical records
There is no prescriptive list of required security measures. The standard is "appropriate" given the sensitivity and volume of data you handle.
8. Openness
You must make your privacy policies and practices readily available. This means having a clear, accessible privacy policy that explains what you do with personal information.
Your privacy policy should cover:
- What information you collect and why
- How you use and disclose it
- How long you keep it
- How individuals can access their information
- Who to contact with questions or complaints
For guidance on building a privacy policy, see our article on whether you need a privacy policy.
9. Individual Access (PIPEDA Principle 4.9)
Individuals have the right to know what personal information you hold about them and to challenge its accuracy. This is Canada's version of a DSAR (Data Subject Access Request).
When someone requests access to their personal information, you must:
- Respond within 30 days of receiving the request
- Provide the information in a generally understandable form
- Explain how the information has been and is being used
- Identify any third parties to whom the information has been disclosed
You can charge a minimal fee for access requests, but the fee must not be so high that it discourages people from making requests.
You can refuse an access request in limited circumstances:
- The information is protected by solicitor-client privilege
- Disclosing it would reveal confidential commercial information
- The information was generated in the course of a formal dispute resolution process
- Providing access could threaten someone's life or security
If you refuse a request, you must explain why and inform the individual of their right to complain to the OPC (PIPEDA § 28).
10. Challenging Compliance
Individuals must be able to challenge your compliance with these principles. You need a complaint process, and you must investigate all complaints. If a complaint is justified, you must take appropriate corrective action.
Consent Requirements in Detail
Consent is the area where most businesses struggle with PIPEDA compliance. The OPC has published extensive guidance on what constitutes meaningful consent, and the bar is higher than many businesses realize.
What Meaningful Consent Looks Like
- Clear and plain language: No legalese. Explain what you are doing in words your customers can understand.
- Specific purposes: "We use your data to improve our services" is too vague. "We use your browsing history to recommend products you might like" is specific.
- Timing: Get consent at or before the time of collection, not after.
- Voluntary: Consent must be freely given. You cannot refuse service because someone does not consent to data collection that is not necessary for the service.
- Revocable: People can withdraw consent at any time, and you must make it easy to do so.
Exceptions to Consent
PIPEDA includes several exceptions where you can collect, use, or disclose personal information without consent:
- When required by law (court orders, regulatory requirements)
- For journalistic, artistic, or literary purposes
- When the information is publicly available
- For certain business transactions (mergers, acquisitions)
- For debt collection
- In emergencies threatening life, health, or security
These exceptions are narrow. Do not treat them as loopholes.
Breach Notification Rules
Since November 2018, PIPEDA has required mandatory reporting of breaches of security safeguards. If a breach creates a "real risk of significant harm" to individuals, you must:
Notify the Office of the Privacy Commissioner
Report the breach to the OPC as soon as feasible. Your report must include:
- A description of the breach
- The date or time period of the breach
- A description of the personal information involved
- The number of individuals affected (or an estimate)
- What you have done or plan to do to reduce the risk of harm
- What you have done or plan to do to notify affected individuals
Notify Affected Individuals
Notify affected individuals as soon as feasible. The notification must include:
- A description of the breach
- The date or time period of the breach
- A description of the personal information involved
- What you are doing to reduce the risk of harm
- What the individual can do to reduce their risk
- Contact information for someone who can answer questions
Notify Third-Party Organizations
If another organization or government institution could reduce the risk of harm, you must notify them as well.
Record Keeping
You must maintain records of every breach of security safeguards, regardless of whether it triggers reporting obligations. The OPC can request these records at any time. Retain records for at least two years.
What Is "Real Risk of Significant Harm"?
The threshold for mandatory reporting is whether the breach creates a "real risk of significant harm." Significant harm includes:
- Bodily harm
- Humiliation
- Damage to reputation or relationships
- Loss of employment, business, or professional opportunities
- Financial loss
- Identity theft
- Negative effects on credit record
- Damage to or loss of property
Consider both the sensitivity of the information involved and the probability that the information will be misused.
For details on the penalties for failing to report breaches, see our guide on PIPEDA fines and penalties.
Bill C-27 and the Consumer Privacy Protection Act (CPPA)
PIPEDA is being updated. Bill C-27, introduced in June 2022, proposes three new acts:
- Consumer Privacy Protection Act (CPPA) — would replace Part 1 of PIPEDA
- Personal Information and Data Protection Tribunal Act — would create a new tribunal to hear appeals and impose penalties
- Artificial Intelligence and Data Act (AIDA) — would regulate AI systems
The CPPA, if passed, would bring significant changes:
- Much higher penalties: Up to 3% of gross global revenue or $10 million, whichever is greater, for the most serious violations. Up to 5% or $25 million for the most egregious cases.
- Stronger consent requirements: Enhanced rules around meaningful consent and new provisions for minors' data.
- Algorithmic transparency: Organizations using automated decision-making would need to explain how those decisions are made.
- Private right of action: Individuals would be able to sue organizations directly for violations — something PIPEDA currently does not allow.
- De-identified data rules: New rules governing the use of de-identified (anonymized) data.
- Disposal obligations: Explicit requirements to dispose of personal information when it is no longer needed.
As of early 2025, Bill C-27 is still working through Parliament. The timeline for passage remains uncertain, especially with potential changes in government. But the direction is clear: Canadian privacy law is getting stricter, with bigger penalties and stronger individual rights.
What to do now: Build your compliance program to meet current PIPEDA requirements. The good news is that most CPPA requirements are extensions of existing PIPEDA principles — if you are compliant today, the transition to the CPPA will be smoother.
How PIPEDA Compares to GDPR
If you do business in both Canada and the EU, you are dealing with both PIPEDA and GDPR. Here is how they compare:
| Area | PIPEDA | GDPR |
|---|---|---|
| Scope | Commercial activities in Canada | Any processing of EU personal data |
| Size threshold | None | None |
| Consent model | Meaningful consent (can be express or implied) | Lawful basis required (consent is one of six options) |
| Right of access | Yes (30 days) | Yes (30 days) |
| Right to delete | Limited (can challenge accuracy) | Yes (right to erasure) |
| Right to portability | Not explicit | Yes |
| Breach notification | To OPC "as soon as feasible" | To supervisory authority within 72 hours |
| Penalties | Up to $100K per offence (current); up to 3-5% of revenue under CPPA | Up to 4% of global revenue or 20M EUR |
| Enforcement body | Office of the Privacy Commissioner | National supervisory authorities |
| Private right of action | Not currently (proposed under CPPA) | Yes (through supervisory authorities and courts) |
| Data transfers | Limited restrictions | Strict restrictions (SCCs, adequacy decisions, etc.) |
Key takeaway: GDPR is stricter in most areas. If you are GDPR-compliant, you are well positioned for PIPEDA. But PIPEDA has its own nuances — particularly around the fair information principles and the OPC complaint process — that GDPR compliance alone does not fully address.
Practical Steps for PIPEDA Compliance
Here is your action plan, in order of priority.
1. Appoint a Privacy Lead
Designate someone in your organization as responsible for privacy compliance. In a small business, this is probably you. Document who this person is and make their contact information available to customers.
2. Audit Your Data Practices
Map what personal information you collect, where it goes, and how long you keep it. Be thorough — include data in your CRM, email marketing tool, analytics, payment processor, and any other systems.
3. Review Your Consent Practices
For each type of data you collect, verify that you have appropriate consent. Is the consent meaningful? Is it specific to the purpose? Can people easily withdraw it?
4. Write (or Update) Your Privacy Policy
Make it clear, specific, and accessible. Cover all 10 fair information principles. Post it on your website and reference it at data collection points.
5. Set Up a Data Request Process
You need to be able to respond to access requests within 30 days. Build a process that includes:
- A way for individuals to submit requests
- Identity verification procedures
- A workflow for locating and compiling the requested information
- Templates for common responses
6. Implement Breach Response Procedures
Know what you will do if a breach occurs. Have a plan for:
- Detecting breaches
- Assessing the risk of significant harm
- Notifying the OPC and affected individuals
- Documenting the breach
7. Review Third-Party Agreements
If you share personal information with vendors, service providers, or partners, make sure your agreements include appropriate privacy protections. You are accountable for how they handle your customers' data.
8. Train Your Team
Everyone who handles personal information needs to understand the basics: what is personal information, how to handle it, what to do if someone makes a request or reports a concern.
References
- Personal Information Protection and Electronic Documents Act (PIPEDA): S.C. 2000, c. 5. Full text on Justice Laws website
- Office of the Privacy Commissioner of Canada (OPC): Official OPC website
- OPC PIPEDA guidance: PIPEDA in brief
- OPC guidance on meaningful consent: Guidelines for obtaining meaningful consent
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.