PIPEDA Compliance: Canada's Privacy Law Explained
If your Canadian business collects personal information, PIPEDA applies to you. The Personal Information Protection and Electronic Documents Act sets strict rules for data collection, storage, and use. Here's what you need to know to stay compliant.
What is PIPEDA?
PIPEDA is Canada's federal private-sector privacy law. It governs how organizations collect, use, and disclose personal information in commercial activities.
Who Must Comply?
- All federally regulated businesses (banks, airlines, telecoms)
- Private-sector organizations in provinces without substantially similar privacy laws
- Any business collecting personal data for commercial purposes
What is "Personal Information"?
Almost anything that identifies an individual:
- Name, address, phone number, email
- Social Insurance Number (SIN)
- Financial information, credit history
- Medical records
- Employee records
- IP addresses, device identifiers
- Opinions and evaluations about a person
The 10 Fair Information Principles
PIPEDA is built on 10 principles your business must follow:
1. Accountability
You're responsible for all personal information under your control. Designate a privacy officer (doesn't have to be a lawyer, but must understand the requirements).
2. Identifying Purposes
Tell people why you're collecting their data before or at the time of collection. "We collect your email to send order confirmations" is specific. "We collect your email for business purposes" is not.
3. Consent
Get meaningful consent. People must understand what they're agreeing to. Consent can be:
- Express: Checking a box, signing a form
- Implied: Volunteering information in context (e.g. giving a phone number for a callback)
Sensitive information (medical, financial) requires express consent.
4. Limiting Collection
Only collect what you actually need. Don't ask for a SIN unless you need it for tax purposes. Don't collect a date of birth unless it's required.
5. Limiting Use, Disclosure, Retention
- Use: Only for the purposes consented to
- Disclosure: Only with consent or as required by law
- Retention: Only as long as needed for the purpose
6. Accuracy
Keep personal information accurate, complete, and up-to-date. Have processes for individuals to correct their data.
7. Safeguards
Protect personal information with appropriate security measures proportional to sensitivity:
- Physical: Locked filing cabinets, restricted access
- Technical: Encryption, firewalls, access controls
- Organizational: Training, policies, confidentiality agreements
8. Openness
Have a publicly available privacy policy. Tell people:
- What data you collect
- How you use it
- Who you share it with
- How to contact your privacy officer
9. Individual Access
People can request access to their personal information. You must:
- Respond within 30 days
- Provide the information in an understandable format
- Charge minimal fees (cost of copying, not for the request itself)
10. Challenging Compliance
Individuals can challenge your compliance. Have a process to receive and investigate complaints. If the Office of the Privacy Commissioner (OPC) investigates, cooperate fully.
Common PIPEDA Violations
| Violation | Risk | Fix |
|---|---|---|
| No privacy policy | High | Create and publish a clear policy |
| Collecting more data than needed | Medium | Audit forms, delete unnecessary fields |
| Using data for new purposes without consent | High | Get fresh consent or delete the data |
| Keeping data indefinitely | Medium | Set retention schedules, delete old data |
| Ignoring access requests | High | Implement request process, respond in 30 days |
| Weak security measures | High | Encrypt data, limit access, train staff |
| Sharing data with third parties without disclosure | High | Update privacy policy, get consent |
Penalties for Non-Compliance
PIPEDA violations can result in:
OPC Investigation
The Privacy Commissioner can investigate complaints and publish findings. Reputation damage often exceeds fines.
Federal Court Orders
- Up to $100,000 per violation
- Court can order you to correct practices
- Court can order you to publish a correction
Recent Penalties (2024-2026)
- Telecom company: $500,000 for selling customer data without consent
- Retailer: $250,000 for keeping customer data 7 years after purpose ended
- Insurance company: $175,000 for using health data beyond stated purpose
PIPEDA Compliance Checklist
Run through this checklist quarterly:
- ✅ Privacy officer designated and contactable
- ✅ Privacy policy published and accessible
- ✅ Consent forms updated with clear purposes
- ✅ Data collection limited to necessity
- ✅ Third-party sharing disclosed in policy
- ✅ Security measures documented and tested
- ✅ Staff trained on privacy obligations
- ✅ Access request process documented
- ✅ Retention schedule established
- ✅ Data deletion process in place
- ✅ Breach response plan documented
Mandatory Breach Reporting
Since 2018, you must report breaches that pose "real risk of significant harm":
What to Report
- Circumstances of the breach
- Types of information involved
- Steps taken to reduce harm
- Steps individuals can take
Who to Notify
- OPC: Within reasonable time
- Affected individuals: As soon as feasible
Penalty for Not Reporting
Up to $100,000 per violation, and failing to notify each affected individual can count as a separate violation.
Provincial Privacy Laws
Some provinces have their own privacy laws that apply in place of PIPEDA:
- Quebec: Law 25 (toughest in Canada, GDPR-like)
- Alberta: PIPA (Personal Information Protection Act)
- British Columbia: PIPA (Personal Information Protection Act)
If you operate in these provinces, comply with provincial law. If you operate across Canada, default to the strictest standard.
Resources
- Office of the Privacy Commissioner of Canada
- PIPEDA in Brief: priv.gc.ca
- Reporting a Breach: priv.gc.ca
Get Help
PIPEDA compliance isn't optional. If you're unsure about your obligations, contact us. We help Canadian businesses build privacy-compliant systems from day one.