PIPEDA: Canada's data privacy law explained

Published Mar 30, 2026

Having received Royal Assent in 2000 and come into force in stages from January 2001, PIPEDA predates the GDPR (applicable from May 2018) by nearly two decades. The law has been amended several times since to keep pace with the evolution of the digital landscape.

However, successive attempts to replace PIPEDA have stalled amid parliamentary changes. The law was amended by the Digital Privacy Act in 2015 (which added the breach reporting obligations described below), and Section 29 of the Act requires a Parliamentary review every five years. As of the time of writing, PIPEDA has not been replaced.

Canada holds an adequacy decision from the European Commission, so personal data can flow from the EU to Canadian recipients without additional transfer safeguards such as standard contractual clauses. The decision covers only recipients subject to PIPEDA, i.e. commercial, private-sector organizations; it does not extend to Canadian public bodies. Note that adequacy governs the EU-to-Canada direction only: transfers from Canada outward remain the transferring organization's responsibility under PIPEDA's accountability principle.

In short, PIPEDA regulates the collection, use and disclosure of personal information in the course of commercial activity through its 10 fair information principles, chief among them the requirements that you inform users about your website's data collection and obtain their prior, meaningful consent.

PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC). It applies to organizations inside and outside Canada that collect, use or disclose personal information in the course of commercial activity. The OPC and the Federal Court apply a "real and substantial connection" test, so a foreign website that targets or serves Canadian users is within reach regardless of where it is hosted.

Fines under PIPEDA are reserved for specific offences: knowingly failing to report or record a breach, obstructing the Commissioner, or retaliating against an employee who reports a violation. They can reach CAD 100,000 per offence on indictment.

At a glance

  • Scope: PIPEDA applies to any private sector organization worldwide that collects, uses, or discloses personal information from Canadian residents for commercial purposes.
  • Consent model: Organizations must obtain meaningful prior consent before collecting personal information — either implied or express, depending on the sensitivity of the data.
  • 10 Principles: Compliance is structured around 10 Fair Information Principles covering accountability, consent, data minimization, accuracy, safeguards, openness, and individual access rights.
  • Provincial laws: British Columbia, Alberta, and Quebec have substantially similar provincial privacy laws; organizations compliant with these are generally exempt from PIPEDA for in-province activity. Quebec's Law 25 is stricter than PIPEDA and is now fully in force.
  • Enforcement: PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC), which investigates complaints and issues non-binding findings; the Federal Court can order compliance and award damages. Fines exist only for specific offences (knowingly failing to report or record a breach, obstructing the Commissioner, or retaliating against an employee who reports a violation) and are imposed on prosecution, not levied by the OPC: up to CAD 10,000 on summary conviction and up to CAD 100,000 on indictment.
  • Pending reform: Successive bills to replace PIPEDA with stronger legislation have stalled. PIPEDA remains the operative federal private-sector privacy law, though further reform attempts are expected.
Meaningful consent is at the heart of PIPEDA. Individuals must understand what they are consenting to before you collect their personal information.



Key definitions under PIPEDA

When assessing your PIPEDA compliance needs, there are several terms that are important to understand.

Personal information

PIPEDA defines personal information broadly as any information about an identifiable individual — factual or subjective, recorded or otherwise. For most websites, this means the data collected through everyday tracking technologies falls squarely within scope. Common examples include IP addresses, device identifiers, browsing and search history, purchase history, and cookie data. More sensitive categories — such as medical records, financial information, and ethnic origin — are also covered, and will generally require a higher standard of consent.

Commercial activity

PIPEDA applies to personal information collected, used, or disclosed in the course of commercial activity. This covers any transaction or conduct of a commercial character, including the exchange of user data with third-party services in return for analytics, advertising, or tracking capabilities, which is a common arrangement for websites using tools such as Google Analytics or Meta Pixel.

Meaningful consent

For consent to be valid under PIPEDA, it must be reasonable to expect that an individual understands the nature, purpose, and consequences of the collection, use, or disclosure they are consenting to. Consent obtained through unclear language, buried disclosures, or pre-ticked boxes is unlikely to meet this standard.

Who does PIPEDA apply to?

PIPEDA applies to private sector organizations that collect, use, or disclose personal information in the course of commercial activities, wherever they are based. The OPC and the Federal Court apply a "real and substantial connection" test: if your website serves Canadian users, is marketed to them, or collects and processes their data for commercial purposes, PIPEDA applies to you even if you have no physical presence in Canada.

Federally regulated organizations operating in Canada are also subject to PIPEDA, including airports and airlines, domestic and authorized foreign banks, inter-provincial and international transportation companies, telecommunications companies, and radio and television broadcasters.

Organizations operating in the Northwest Territories, Yukon, and Nunavut are also subject to PIPEDA, as these territories do not have their own substantially similar private sector privacy legislation.

Exceptions to PIPEDA

PIPEDA does not apply to Canadian federal government institutions, which are covered by the separate federal Privacy Act, or to provincial and territorial governments and their agents.

Additional exemptions include business contact information when used solely to communicate with an individual in relation to their employment, business or profession; personal information collected, used or disclosed by an individual for purely personal or domestic purposes; information collected, used or disclosed solely for journalistic, artistic, or literary purposes; and not-for-profit organizations, charities, political parties, municipalities, universities, schools and hospitals, to the extent that they are not engaged in commercial activity.

Customize your Cookiebot CMP banner with your logo, colors, and text for a better brand experience for your website visitors.

Through highly customizable consent banners that can be shaped to fit the compliance requirements specific to any region’s data privacy law, including Canada’s PIPEDA, Cookiebot CMP offers a simple way of collecting users’ valid, informed consent.

Cookiebot CMP safely stores all collected consents, automatically renews consent on a regular basis and makes it easy for your website’s users to withdraw their consent as easily as they gave it.

Data breach notification requirements under PIPEDA

Under the breach provisions added to PIPEDA by the Digital Privacy Act (in force since November 2018), an organization that suffers a breach of security safeguards involving personal information under its control must:

  • Assess whether the breach creates a real risk of significant harm (RROSH) to any individual, taking into account the sensitivity of the information and the probability that it will be misused
  • Report the breach to the Office of the Privacy Commissioner (OPC) as soon as feasible where there is a real risk of significant harm
  • Notify affected individuals as soon as feasible where there is a real risk of significant harm, explaining what happened and any steps they can take to reduce the harm
  • Notify other organizations or government bodies that may be able to reduce or mitigate the harm
  • Keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for at least 24 months, and supply those records to the OPC on request

Third-party data processing

Under PIPEDA, your organization remains responsible for the personal information of your website's visitors even when that data is transferred to a third party for processing — for example, an analytics provider, advertising platform, or other service that handles data on your behalf.

You are required to conclude contracts or comparable agreements with any third-party processors to help ensure they provide a comparable level of protection for the personal information under their control. These agreements should make clear the limitations on processing, the security safeguards required, and the obligations for returning or deleting personal information at the end of the processing relationship.

Privacy Impact Assessments (PIA)

Under PIPEDA, Privacy Impact Assessments (PIAs) are a recommended practice rather than a strict legal requirement (unlike DPIAs under the GDPR). The Office of the Privacy Commissioner provides guidelines and forms for conducting a PIA, and organizations are encouraged to use them, particularly when implementing new data processing activities.

Canada’s PIPEDA in detail

Let’s break down Canada’s PIPEDA even further and look at its 10 PIPEDA Principles, how it interacts with provincial data privacy laws around Canada, e.g., Alberta, British Columbia, and Quebec, and hold it up against the EU’s GDPR for comparison.

The 10 PIPEDA Principles

Canada’s PIPEDA revolves around the ten so-called fair information principles that spell out the rules and regulations around the use of personal information for commercial purposes.

PIPEDA defines commercial activity as any transaction, act or conduct, or regular course of conduct, that is of a commercial character, expressly including the selling, bartering or leasing of donor, membership or other fundraising lists. Exchanging your users' data for analytics or marketing services falls within it.

If your website collects personal information from Canadian residents, such as IP addresses or search history, and then passes this information to a third-party service in exchange for user tracking or marketing services, you are likely liable for PIPEDA compliance, no matter where in the world you and your website are operated from.

The 10 PIPEDA Principles are:

  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Challenging compliance
PIPEDA's 10 Principles apply to all personal information processing for commercial use.

Principle 1: Accountability

The first PIPEDA Principle makes it clear that you are responsible for all personal information that your website collects, and that you must have a designated representative in charge of ensuring your PIPEDA compliance.

You need to develop and implement privacy policies and practices, which must be readily available for individuals to read. Organizations are also responsible for training staff on privacy policies and practices, and for ensuring those policies are communicated internally.

Principle 2: Identifying purposes

Why does your website collect the personal information that it does?

This is the question that the second PIPEDA Principle requires you to answer, in detail and before you actually collect any personal information from your users. The purposes you identify set the boundary for everything that follows: collection, use, disclosure and retention are all limited to them.

Principle 3: Consent

This is the most important PIPEDA Principle of all.

In a nutshell: you must obtain meaningful consent from users before collecting, using and sharing their personal information.

Meaningful consent under PIPEDA involves informing your users of exactly what they are consenting to, e.g., telling them what cookies your website uses, why and what the data is going to be used for.

Consent can be either express or implied, depending on the sensitivity of the information and the circumstances of collection.

PIPEDA states that consent is only valid if it is "reasonable to expect" that your users understand the nature, purpose and consequences of your website's personal information processing.

Implied consent may be appropriate in strictly defined circumstances, generally where the personal information is not sensitive and where collection and use would fall within the reasonable expectations of the individual.

Even where implied consent applies, you must still inform users prior to collection about the following:

  • The types of personal information your website collects
  • The purposes for which it is collected and used
  • Who you share it with, including any third parties
  • The risks and consequences for users

Express consent requires an active, explicit action from the individual, for example, clicking a button or ticking a box to confirm they agree to the collection of their personal information.

Express consent is required when the personal information is sensitive in nature — such as medical or health data, information about an individual's sexual orientation or religious beliefs — or where collection would fall outside the reasonable expectations of the individual, or where there is a meaningful risk of significant harm.

The OPC's position is that express consent must also be obtained from a parent or guardian where an individual lacks the capacity to provide meaningful consent themselves. In all but exceptional circumstances, this includes anyone under the age of 13.

Regardless of whether consent is implied or express, the following requirements apply:

  • Users must be informed in an easily accessible way, for example, through your website's privacy policy.
  • Users must be able to withdraw their consent at any time, as easily as they gave it.
  • Consent must be reobtained when you make significant changes to your data collection practices, introduce new purposes for use, or begin sharing data with new third parties.
PIPEDA applies to any website in the world that processes personal information from Canadian residents for commercial purposes.

Principle 4: Limiting collection

The crux of the fourth PIPEDA Principle is this: your website is not allowed to collect personal information in ways that exceed or fall outside the stated purposes, to which your users have already consented.

If you want to use personal information for different purposes, you must rewrite your privacy policy to include these new purposes – and renew the consent of your users.

Principle 5: Limiting use, disclosure, and retention

Similar to the fourth, the fifth PIPEDA principle requires you to only use and disclose personal information in the ways that you’ve stated in your privacy policy, and to which your users have already consented.

You are also only allowed to keep personal information (known as “retention”) for as long as needed to serve the purposes that you’ve informed your users about and to which they’ve consented.

As with the previous principle, should you change the ways you want to use or share personal information on your website, you must inform users anew and obtain their consent again.

Principle 6: Accuracy

PIPEDA requires that the personal information your website collects be as accurate, complete and up to date as is necessary for the purposes for which it will be used. The flip side is that you should not routinely update personal information unless doing so is necessary for those purposes.

Canadian residents have the right to access data collected about them and the right to have it corrected, should they find it inaccurate.

Canadian residents are empowered with the enforceable rights of access and correction.

Principle 7: Safeguards

It is also your responsibility to keep collected personal information safe and secure.

Canada's PIPEDA does not prescribe specific security measures. It requires safeguards appropriate to the sensitivity of the information and names three categories of measures that should be used in combination:

  • Physical measures, for example locked filing cabinets and restricted access to offices
  • Organizational measures, for example security clearances, limiting access on a need-to-know basis, and staff training
  • Technological measures, for example passwords and encryption, kept up to date and reviewed regularly

The safeguards must protect personal information against loss or theft and against unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held. Where the data is more sensitive, for example information about sexual orientation, health or finances, stronger safeguards will be required. Care is also needed when disposing of or destroying personal information so that it cannot be recovered.

Principle 8: Openness

Your website needs to be transparent, honest and clear about the kinds of personal information it collects, what it uses it for and the ways in which it gathers and shares it. This eighth PIPEDA Principle clarifies that your privacy policies and information to users must be easy to understand and written in plain language (i.e. not long legal texts). Information you must make available to your website's users includes:

  • The name or title, and the address, of the person accountable for your website's privacy policies and practices
  • Contact information for users to send access requests to
  • Information on how your users can be granted access to the personal information your website has collected about them
  • The ways in which users can complain to you
  • A description of the kinds of personal information your website shares with third parties, and the purposes

Principle 9: Individual access

Canadian residents have the right to access what personal information your website has collected from them, as well as the right to have it corrected if the data is not accurate or complete.

This ninth PIPEDA Principle spells out how you are required to respond to such requests from users, including:

  • Telling users what personal information your website has collected from them
  • How your website has collected the data (by which means)
  • How your website has used the collected data
  • With whom the data has been shared

Organizations must respond to access requests within 30 days of receipt. A single 30-day extension is permitted where meeting the initial deadline would unreasonably interfere with the organization's activities, consultation required cannot be completed in time, or converting information to an alternative format requires additional time. Any extension must be communicated to the individual within the initial 30-day period, including the new deadline, reasons, and the individual's right to complain to the Privacy Commissioner.

Principle 10: Challenging compliance

If users find that you are non-compliant with PIPEDA, e.g., because you violate or don’t live up to one of the above Principles, they are legally allowed to challenge your compliance status.

The last PIPEDA principle spells out how such challenges must be issued and how you must respond to them, i.e. by providing users with a simple way to give their complaint and informing them of their rights to refer to the Privacy Commissioner.

Provincial privacy laws may supplement or override PIPEDA within the relevant province, but PIPEDA applies once data crosses provincial or national borders.

PIPEDA enforcement

PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC), which operates in an ombudsman capacity. When an individual lodges a complaint, the OPC is required to investigate and produce a report, but that report is advisory rather than binding.

The OPC cannot directly order an organization to comply or levy fines. If a complainant is unsatisfied with the outcome, they can take the matter to Federal Court, which does have the power to order corrective action and award damages. The OPC can also initiate audits and require organizations to enter into compliance agreements where there are reasonable grounds to believe a violation has occurred or is likely to occur.

Individuals' rights under PIPEDA

PIPEDA provides Canadian residents with the following rights:

  • Right to be informed: To know why an organization collects, uses, or discloses their personal information, and to have access to it and request corrections.
  • Right to responsible use: To expect an organization to collect, use, or disclose their personal information reasonably and only for the purposes to which they have consented.
  • Right to security: To expect appropriate security measures to protect their personal data, and to know who within an organization is responsible for that protection.
  • Right to rectification: To expect personal information to be accurate, complete, and up to date, and to request corrections where needed.
  • Right to complain: To complain about an organization's handling of their personal information if they believe their privacy rights have been violated.

PIPEDA and provincial data privacy laws

Though Canada's PIPEDA is a federal data privacy law, several Canadian provinces have their own private sector privacy laws that operate in parallel with it.

The following provincial laws have been declared substantially similar to PIPEDA. Organizations subject to one of them are exempt from PIPEDA for the collection, use and disclosure of personal information that takes place within that province; PIPEDA still applies to federally regulated businesses and to personal information that crosses provincial or national borders.

Firstly, Alberta’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in Alberta, enforced and supervised by the Information and Privacy Commissioner of Alberta.

Secondly, British Columbia’s Personal Information Protection Act (PIPA) regulates the commercial use of personal information in British Columbia, enforced and supervised by the Information and Privacy Commissioner of British Columbia.

Lastly, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector regulates the commercial use of personal information in Quebec, enforced and supervised by the Commission d’accès à l’information du Québec.

Quebec Law 25

Quebec's Law 25, which resulted from Bill 64, an act to modernize legislative provisions regarding the protection of personal information, came into force in three stages: September 2022, September 2023 (the majority of requirements), and September 2024. Like PIPEDA, it is extraterritorial, protecting Quebec residents' data regardless of where the organizations processing it are based.

Law 25 is explicitly opt-in, meaning cookies and other tracking technologies cannot be activated without prior explicit individual consent. It has no compliance thresholds based on company revenue or data volumes.

Penalties under Law 25 are tiered. The Commission d'accès à l'information can impose administrative monetary penalties of up to CAD 10,000,000 or 2 percent of worldwide turnover, whichever is higher, and penal proceedings can result in fines of up to CAD 25,000,000 or 4 percent of worldwide turnover, whichever is higher. Unlike PIPEDA, Law 25 provides a private right of action, with punitive damages of at least CAD 1,000 where the infringement is intentional or results from gross fault. It also provides rights of deletion (in defined circumstances) and data portability, which PIPEDA does not.

One of the biggest differences between PIPEDA and GDPR is their scope.

PIPEDA vs. GDPR: Key differences

Though PIPEDA and the GDPR share a number of foundational principles — including consent requirements, data minimization, and individuals' rights of access and correction — there are meaningful differences between the two laws that are worth understanding, particularly if your organization is already GDPR-compliant and is assessing what additional work PIPEDA compliance may require.

Scope

PIPEDA applies only to the commercial use of personal information by private sector organizations. The GDPR applies to both public and private sector processing of personal data, with broader reach across government and institutional contexts. Canada has a separate law — the federal Privacy Act — that governs personal information handling by Canadian government departments and agencies.

Consent

PIPEDA operates a hybrid consent model, allowing implied consent in lower-risk contexts where the sensitivity of the personal information does not warrant an explicit action from the individual. Where the GDPR relies on consent, that consent must be freely given, specific, informed and unambiguous, with explicit consent required for special categories of data; there is no equivalent implied consent mechanism. The GDPR does, however, provide other legal bases for processing, including legitimate interests and contractual necessity, whereas PIPEDA is centered on consent as the primary mechanism, with a limited set of statutory exceptions.

International data transfers

PIPEDA does not use a country-level adequacy model for outbound transfers. Instead, it takes an organization-to-organization approach: each organization involved in a cross-border transfer of personal information is responsible for ensuring that adequate protections are in place, regardless of where the receiving organization is located. In the other direction, Canada holds an adequacy designation from the European Commission, meaning EU personal data can flow to Canadian commercial organizations subject to PIPEDA without additional safeguards. Organizations handling data in both jurisdictions should note that adequacy in one direction does not equal compliance in the other — PIPEDA and GDPR obligations remain distinct.

Private right of action

Under the GDPR, individuals can bring private legal action against organizations for violations of their rights. PIPEDA does not provide a private right of action. Complaints must be directed to the Office of the Privacy Commissioner, which investigates and produces recommendations; further action can then be taken in Federal Court if a complainant is unsatisfied with the outcome.

Individual rights

The GDPR provides individuals with the right to data portability and the right to erasure. PIPEDA provides neither. Organizations subject to PIPEDA are required to provide access to personal information and allow corrections, but are not obligated to delete it or provide it in a portable format. Quebec's Law 25 does provide both rights to Quebec residents, but this applies at the provincial level only.

PIPEDA compliance with Cookiebot CMP

Canada's PIPEDA is one of the older data privacy laws still in active force, and one of the more substantive — providing Canadian residents with meaningful, enforceable rights over their personal information and placing real obligations on any organization that handles it, wherever in the world that organization is based.

Meeting those obligations means knowing what data your website collects, having valid consent in place before you collect it, and being able to demonstrate that consent if required. For most websites, that is a more complex task than it appears.

Cookiebot CMP by Usercentrics is a plug-and-play consent management solution used across 2.4 million websites and applications worldwide. It scans your website to detect cookies and tracking technologies, gives you detailed information on each one, and provides customizable consent banners designed to support compliance with PIPEDA and other major data privacy laws — including the EU's GDPR, the UK's GDPR, California's CCPA/CPRA, Brazil's LGPD, and many others.

Cookiebot CMP also stores consent records, supports consent renewal, and makes it straightforward for your website's visitors to withdraw consent as easily as they gave it — all of which are requirements under PIPEDA.

Try our interactive builder to see how easy it is to set up and customize your consent banner with Cookiebot CMP. Then start your free 14-day trial and go live in minutes.

Frequently asked questions

What is Canada’s PIPEDA?

Canada’s PIPEDA is the federal law governing the gathering, use and disclosure for commercial purposes of the personal information of Canadian residents. Through its 10 PIPEDA Principles, the law lays out requirements and compliance obligations that include informing users of the purposes of data collection, obtaining user consent before collecting personal information and ways to safeguard and secure collected user data.


Who does Canada’s PIPEDA apply to?

Canada's PIPEDA applies to organizations anywhere in the world that handle personal information from Canadian residents for commercial purposes, judged by whether there is a real and substantial connection to Canada. In practice, if your website serves Canadian users and processes their data commercially, you are liable for PIPEDA compliance.


What is personal information under PIPEDA?

Canada’s PIPEDA defines personal information broadly as any kind of data that can identify an individual. This includes common personal information collected by most websites through cookies and trackers, such as IP addresses, unique IDs, search and browser history.


What does PIPEDA compliance entail?

You must inform users in detail of your website's personal information processing, including the purposes for collection and use. This can be done in your website's privacy policy. You must also obtain meaningful consent from users before processing any of their personal information. Meaningful consent can be implied where the information is not sensitive and the processing falls within users' reasonable expectations; where the information is sensitive, or the processing falls outside those expectations, you must obtain express consent from your website's visitors.
