PIPEDA Fines and Penalties: What's at Stake for Non-Compliance
What happens when you violate PIPEDA? A practical guide to current enforcement, fines up to $100K per offence, upcoming penalties under the CPPA, and real enforcement examples from the Office of the Privacy Commissioner.
Last updated: 2025-02-07
One of the most common questions Canadian businesses ask about PIPEDA is: "What happens if I do not comply?" The honest answer is that PIPEDA's current enforcement model is relatively gentle compared to GDPR — but that is changing fast.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or privacy professional for guidance specific to your business. The information here is based on Canada's Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and related guidance from the Office of the Privacy Commissioner of Canada, as of the date of publication.
Under the current rules, the Office of the Privacy Commissioner (OPC) can investigate your business, issue findings and recommendations, and publicly name you as non-compliant. For certain offences, fines can reach $100,000. But the proposed Consumer Privacy Protection Act (CPPA) would dramatically increase penalties to levels that rival GDPR.
Here is what you need to know about the current risks and what is coming.
How PIPEDA Enforcement Works Today
PIPEDA enforcement is primarily handled by the Office of the Privacy Commissioner of Canada (OPC). The enforcement model is best described as "investigate and recommend" rather than "fine and punish."
The Complaint Process
Most PIPEDA enforcement starts with a complaint. Here is how it works:
- An individual files a complaint with the OPC under PIPEDA § 28. This can be about any aspect of an organization's handling of personal information — unauthorized collection, failure to respond to an access request, inadequate security, breach of consent, etc.
- The OPC investigates. The Commissioner's office contacts the organization, gathers information, and assesses whether PIPEDA has been violated.
- The OPC issues a finding. Findings are categorized as:
  - Well-founded: The organization violated PIPEDA
  - Well-founded and resolved: The organization violated PIPEDA but took corrective action during the investigation
  - Not well-founded: No violation was found
  - Settled: The parties reached an agreement during the investigation
- The OPC makes recommendations. If a violation is found, the OPC recommends corrective actions — changes to policies, practices, or procedures.
- If the organization does not comply with recommendations, the OPC or the complainant can apply to the Federal Court under PIPEDA § 14 for an order compelling compliance. The court can also award damages to the complainant.
Commissioner-Initiated Investigations
The OPC does not only wait for complaints. The Commissioner can also initiate investigations on their own, particularly for issues of significant public concern. These commissioner-initiated investigations have become more common and often target larger organizations or systemic privacy issues.
Public Reporting
One of the OPC's most significant enforcement tools is public reporting. When the OPC completes an investigation, findings are typically published on the OPC website, often naming the organization. For a business, being publicly named in an OPC finding can cause significant reputational damage — even without a monetary fine.
Current Fines and Penalties Under PIPEDA
PIPEDA's monetary penalties are limited to specific offences. The general framework is:
Offences That Carry Fines
Under PIPEDA § 28 (S.C. 2000, c. 5), the following are offences punishable by fine:
- Obstructing a complaint investigation or audit by the OPC
- Destroying personal information that an individual has requested access to, with the intent to evade the access request
- Retaliating against an employee or other individual for filing a complaint or cooperating with an investigation
- Failing to comply with breach notification requirements (added by the Digital Privacy Act in 2018):
  - Failing to report a breach to the OPC when required
  - Failing to notify affected individuals when required
  - Failing to maintain breach records
Penalty Amounts
For organizations found guilty of these offences:
- Summary conviction: Fines up to $10,000
- Indictable offence: Fines up to $100,000
These are per-offence penalties. If you fail to report multiple breaches, each failure is a separate offence.
What About General PIPEDA Violations?
Here is the critical gap: for general PIPEDA violations — like collecting data without consent, failing to respond to access requests, or having inadequate security — there are currently no direct monetary penalties. The OPC can investigate, issue findings, make recommendations, and name you publicly, but it cannot fine you.
If you refuse to comply with OPC recommendations, the matter goes to Federal Court under PIPEDA § 14, which can order compliance and award damages. But this is a slow, costly process that the OPC and complainants rarely pursue.
This enforcement gap is one of the main reasons for the proposed CPPA reforms.
Breach Notification Penalties in Detail
The most concrete financial risk under current PIPEDA is failing to comply with breach notification requirements. Since the Digital Privacy Act (S.C. 2015, c. 32) took effect in November 2018, these obligations carry real teeth:
Mandatory Reporting Failures
If a breach creates a "real risk of significant harm" and you fail to:
- Report to the OPC: Up to $100,000 per offence
- Notify affected individuals: Up to $100,000 per offence
- Maintain breach records: Up to $100,000 per offence
Each failure for each breach is a separate offence. If you have three reportable breaches and fail to report any of them, that is three separate offences — potential exposure of $300,000 for the reporting failures alone, before counting notification and record-keeping failures.
What Counts as "Failing to Report"
This is not just about deliberate concealment. You can be found in violation if you:
- Did not have a process to detect breaches
- Detected a breach but did not assess whether notification was required
- Assessed the breach but used an unreasonably low standard for "real risk of significant harm"
- Decided notification was required but delayed reporting unreasonably
- Reported to the OPC but failed to notify affected individuals
- Did not maintain records of the breach
The OPC has the right to request your breach records at any time. If you cannot produce them, that is itself a violation.
What Is Coming: The CPPA and Dramatically Higher Penalties
The Consumer Privacy Protection Act (CPPA), proposed under Bill C-27, would transform PIPEDA enforcement from a recommendation-based model to a penalty-based model. The changes are substantial.
New Penalty Structure
The CPPA proposes a two-tier penalty system:
Administrative Monetary Penalties (AMPs):
- For less serious violations, the Privacy Commissioner would have the power to impose AMPs of up to $10 million or 3% of the organization's gross global revenue, whichever is greater
- These would be imposed directly by the Commissioner — no need to go through the courts
Fines for Serious Offences:
- For the most serious violations (knowing or reckless contraventions), fines could reach up to $25 million or 5% of gross global revenue, whichever is greater
- These would be imposed through a new Personal Information and Data Protection Tribunal
To put this in perspective: for a company with $100 million in global revenue, the maximum penalty under the CPPA would be $5 million (5% of revenue) for serious offences, compared to $100,000 under current PIPEDA.
New Enforcement Powers
The CPPA would also give the OPC enhanced enforcement tools:
- Compliance orders: The Commissioner could directly order organizations to comply, without going to court
- Compliance agreements: Binding agreements between the OPC and organizations to address violations
- Audit powers: Enhanced authority to audit organizations' privacy practices proactively
Private Right of Action
For the first time, individuals would be able to sue organizations directly for privacy violations — after the Tribunal has made a finding of violation. This creates a pathway for class-action lawsuits that does not exist under current PIPEDA.
Timeline
As of early 2025, Bill C-27 is still moving through Parliament and its timeline remains uncertain. But the direction of travel is clear. Whether it is the CPPA in its current form or a future revision, Canadian privacy penalties are going up significantly.
Real Enforcement Examples
The OPC publishes its findings, giving us a clear picture of how PIPEDA is enforced in practice. Here are notable examples.
Clearview AI (2021)
The OPC investigated Clearview AI, a facial recognition company that scraped billions of images from the internet. The Commissioner found that Clearview AI:
- Collected and used personal information (facial images) without consent
- Collected information for purposes that a reasonable person would not consider appropriate
- Failed to be transparent about its practices
The OPC recommended that Clearview AI stop collecting images from Canadian residents and delete images already collected. When Clearview AI refused, the OPC referred the matter to the Federal Court — highlighting both the OPC's willingness to pursue significant cases and the limitations of its enforcement powers (it could not simply issue a fine).
Home Depot (2020)
The OPC investigated Home Depot Canada after discovering that the retailer was sharing customers' email-receipt data with Meta (Facebook) through an offline conversions tool. Customers who opted for email receipts did not know their purchase information would be shared with Facebook for targeted advertising.
The Commissioner found that Home Depot did not obtain meaningful consent for this sharing. Home Depot cooperated and made changes to its practices, and the finding was classified as "well-founded and resolved."
Equifax (2019)
Following the massive 2017 Equifax data breach that affected approximately 19,000 Canadians, the OPC investigated and found multiple PIPEDA violations:
- Equifax failed to have adequate safeguards to protect personal information
- Known security vulnerabilities were not patched in a timely manner
- Retention of personal information beyond what was necessary increased the impact of the breach
The OPC made recommendations for improved security practices. This case highlighted the real-world consequences of inadequate security safeguards — though the absence of direct fine authority meant the financial penalty was reputational rather than monetary.
Tim Hortons (2022)
The OPC investigated Tim Hortons (owned by Restaurant Brands International) for using its mobile app to track customers' locations continuously — even when the app was not in use. The investigation found that:
- Tim Hortons collected vast amounts of granular location data
- The purposes for collection were not clearly explained to users
- Consent was not meaningful — users were not adequately informed of the extent of tracking
- Data retention practices were inappropriate
Tim Hortons agreed to delete the location data it had collected and to make significant changes to its app and privacy practices.
Facebook/Cambridge Analytica (2019)
The OPC investigated Facebook's handling of user data in connection with the Cambridge Analytica scandal. The Commissioner found that Facebook:
- Failed to obtain meaningful consent for the disclosure of user information to third-party apps
- Had inadequate safeguards to protect user information
- Did not take responsibility for information under its control
Facebook contested the findings, and the OPC took the matter to Federal Court — again illustrating the enforcement limitations. The case was eventually settled, with Facebook agreeing to make changes to its privacy practices.
How PIPEDA Penalties Compare to Other Laws
Understanding where PIPEDA fits in the global enforcement landscape helps contextualize the risks.
| Law | Maximum Penalty | Enforcement Style |
|---|---|---|
| PIPEDA (current) | $100K per offence (breach notification only) | Complaint-driven, recommendation-based |
| CPPA (proposed) | 3-5% of global revenue or $10-25M | Direct penalties, tribunal, private right of action |
| GDPR | 4% of global revenue or 20M EUR | Direct fines by supervisory authorities |
| CCPA/CPRA | $2,500-$7,500 per violation | Attorney General enforcement + private right of action for breaches |
| Quebec Law 25 | $25M or 4% of worldwide turnover | Direct fines by the CAI |
Currently, PIPEDA is at the lenient end of the spectrum. The CPPA would move it to roughly GDPR-level enforcement. Quebec's Law 25 already has GDPR-level penalties for organizations operating in Quebec.
The Real Cost of Non-Compliance
Fines are only part of the picture. The actual costs of PIPEDA non-compliance include:
Reputational Damage
OPC findings are public. Media outlets cover significant cases. Being named in an OPC finding for mishandling customer data can damage customer trust in ways that last far longer than any fine.
Operational Disruption
An OPC investigation requires significant time and resources to respond to. You need to gather documents, prepare responses, potentially hire legal counsel, and implement changes. For a small business, this can be a major distraction from normal operations.
Legal Costs
If the OPC or a complainant takes your case to Federal Court, legal costs can easily exceed the maximum PIPEDA fine. Privacy litigation is expensive, even if you ultimately prevail.
Lost Business
Increasingly, business partners and customers want assurance that you handle data properly. A public PIPEDA violation can cost you contracts, partnerships, and customer relationships.
Future Liability
If the CPPA passes, organizations that have not addressed existing compliance gaps will face dramatically higher penalties. Building compliance now is significantly cheaper than paying penalties later.
What Small Businesses Should Do
You do not need to panic. PIPEDA enforcement against small businesses has historically been proportionate — the OPC is not coming after your bakery with a $100,000 fine. But you do need to take reasonable steps.
Minimum Viable Compliance
At a bare minimum, every Canadian business collecting personal information should:
- Have a privacy policy that explains what you collect and why. See our guide on whether you need a privacy policy.
- Get meaningful consent before collecting personal information. This means clear explanations, not buried-in-the-terms consent.
- Have a breach response plan. Know what you will do if data is compromised. Have a process for assessing the risk of significant harm and reporting to the OPC if necessary.
- Maintain breach records. Even breaches that do not trigger notification requirements must be recorded. The OPC can ask for these records at any time.
- Respond to access requests within 30 days. When someone asks what data you have on them, you must be able to find it and deliver it promptly.
- Limit collection to what you need. Do not collect data "just in case." The less data you hold, the lower your risk.
Preparing for the CPPA
Even though the CPPA has not passed yet, you can prepare:
- Audit your data practices now. Know what data you hold, where it is, and why you have it. This is the foundation of compliance under any law.
- Review your consent mechanisms. The CPPA will have stricter consent requirements. If your current consent practices are weak, improve them now.
- Implement a proper DSAR process. Access requests are a core right under both PIPEDA and the CPPA. Having a reliable process in place before penalties increase is common sense.
- Document your compliance efforts. Under the CPPA, being able to demonstrate that you took privacy seriously — even before the law changed — could matter in enforcement decisions.
For a comprehensive guide to PIPEDA compliance, see our PIPEDA compliance guide.
The Bottom Line
PIPEDA's current enforcement model is relatively forgiving — but that does not mean you can ignore it. The OPC investigates real complaints, publishes real findings, and has shown willingness to pursue cases through the courts. Breach notification failures already carry $100,000 fines.
More importantly, the enforcement landscape is changing. The CPPA would bring GDPR-level penalties to Canada. Quebec's Law 25 already has them. Whether it is this year or next, significantly higher penalties are coming to Canadian privacy law.
The smart move is to build your compliance program now, while the stakes are relatively low and you have time to get it right. Waiting until penalties increase means paying more for the same work under more pressure.
References
- Personal Information Protection and Electronic Documents Act (PIPEDA): S.C. 2000, c. 5. Full text on Justice Laws website
- PIPEDA § 28 (Offences): Outlines offences punishable by fine under PIPEDA. Full text
- PIPEDA § 14 (Federal Court Application): Allows application to the Federal Court for enforcement. Full text
- Digital Privacy Act (S.C. 2015, c. 32): Amended PIPEDA to add mandatory breach notification. Full text
- Office of the Privacy Commissioner of Canada (OPC): Official OPC website
- OPC PIPEDA guidance: PIPEDA in brief
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Build Your Compliance Foundation Now
The most operationally visible aspect of PIPEDA compliance — and the area where businesses most often stumble — is handling data access requests. Missing the 30-day deadline or fumbling the response is exactly the kind of failure that triggers OPC complaints.
Our DSAR Compliance Guide gives you a complete process for handling access requests under PIPEDA, GDPR, CCPA, and other privacy laws. Set it up once, use it for every request.
Download the DSAR Compliance Guide and get your data request process right before the stakes go up.