A customer success email lands in your inbox with a single line that stops you: "Before we renew, can you confirm your business is PIPEDA compliant?" You have heard the acronym. You have probably clicked "I agree" on a privacy policy that mentioned it. But if someone asked you to explain, in two sentences, what PIPEDA actually requires your business to do, you might stall. That is a common position for founders and operators to be in, and it is a fixable one. PIPEDA is not a sprawling regulatory code; it is a principles-based statute that most businesses can understand well enough to know where they stand and where they need help.
This guide explains what PIPEDA is, whether it applies to your business, the 10 principles it is built on, what it says about data breaches and enforcement, where federal privacy reform currently stands, and how to start putting a compliant program in place.
What is PIPEDA?
PIPEDA is the Personal Information Protection and Electronic Documents Act, Canada's federal private-sector privacy law. According to the Office of the Privacy Commissioner, it "sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada." In plain terms, if your business gathers information about identifiable people (customers, website visitors, leads) and does so as part of doing business, PIPEDA sets the baseline rules for how you handle that information.
Personal information under PIPEDA means information about an identifiable individual. That covers obvious data like names, email addresses, and payment details, and less obvious data like IP addresses, location, purchase history, and online identifiers when they can be tied back to a person. The Act governs the full lifecycle: how you collect that information, what you use it for, who you share it with, how you protect it, how long you keep it, and how you respond when an individual asks to see it.
PIPEDA has been the federal private-sector privacy law since the early 2000s and, despite years of reform proposals, remains in force as of June 2026. The section on reform below explains where the proposed replacement landed.
Does PIPEDA apply to my business?
PIPEDA generally applies to any private-sector organization in Canada that collects, uses, or discloses personal information in the course of commercial activity. That is a broad net, and most for-profit businesses fall inside it. There are, however, some important wrinkles in how it interacts with provincial law.
Three provinces (Alberta, British Columbia, and Quebec) have their own private-sector privacy laws that the federal government has deemed substantially similar to PIPEDA. For organizations operating within those provinces, the provincial law generally governs personal information handled inside the province, and the provincial regulator takes the lead. Ontario, by contrast, does not have a general private-sector privacy statute of its own, so PIPEDA fills that gap for most Ontario businesses, with sector-specific provincial rules (such as health-information legislation) layered on top where they apply.
A few additional points on scope:
- PIPEDA applies to federally regulated businesses (such as banks, airlines, telecommunications companies, and broadcasters), including for their employee personal information.
- Personal information that crosses provincial or national borders in the course of commercial activity remains subject to PIPEDA even where a provincial law would otherwise apply within a province.
- Organizations in the territories (Northwest Territories, Yukon, and Nunavut) are treated as federally regulated for these purposes.
The table below summarizes which private-sector privacy law generally sets the baseline, depending on where and how your business handles personal information:
| Where and how you handle personal information | Baseline private-sector privacy law |
|---|---|
| Ontario (no general provincial private-sector statute) | PIPEDA (federal) |
| Alberta, British Columbia, or Quebec | Provincial law deemed substantially similar to PIPEDA |
| Federally regulated business (bank, airline, telecom, broadcaster) | PIPEDA, including for employee personal information |
| Personal information crossing provincial or national borders | PIPEDA |
The practical takeaway for an Ontario business is straightforward: PIPEDA is very likely your baseline privacy law. If you also handle the personal information of people in Quebec, British Columbia, or Alberta, or of customers in the European Union or certain U.S. states, additional regimes can layer on top, and the analysis is worth doing deliberately rather than assuming one rulebook covers everything. A privacy lawyer in Canada can help sort out which regimes are doing real work for your particular business.
What are the 10 fair information principles?
PIPEDA is built around 10 fair information principles set out in its Schedule 1. These principles are the substance of the law: meeting them, in a way that fits your business, is what "PIPEDA compliance" largely means. The Office of the Privacy Commissioner lists them as follows:
- Accountability. Your organization is responsible for the personal information under its control and must designate someone to be accountable for compliance.
- Identifying purposes. Identify why you are collecting personal information at or before the time of collection.
- Consent. Obtain the individual's knowledge and consent for collection, use, or disclosure, except where the Act allows otherwise.
- Limiting collection. Collect only the personal information you need for the identified purposes, by fair and lawful means.
- Limiting use, disclosure, and retention. Use or disclose personal information only for the purposes it was collected for, unless the individual consents or the law permits, and keep it only as long as needed.
- Accuracy. Keep personal information as accurate, complete, and up to date as is necessary for the purposes.
- Safeguards. Protect personal information with security safeguards appropriate to its sensitivity.
- Openness. Make your policies and practices relating to personal information readily available to individuals.
- Individual access. On request, tell an individual what personal information you hold about them and allow them to challenge its accuracy.
- Challenging compliance. Give individuals a way to bring a complaint about your handling of their information to the person accountable for compliance.
Read together, these principles describe a privacy program rather than a single document. A privacy policy on your website supports the openness and consent principles, but it does not by itself satisfy the safeguards, retention, or access principles. That gap (a polished policy sitting on top of data practices nobody has actually mapped) is a common place where businesses overestimate how compliant they are.
What does PIPEDA require after a data breach?
PIPEDA requires an organization to report a breach of security safeguards to the Privacy Commissioner, and to notify affected individuals, when it is reasonable to believe the breach creates a real risk of significant harm to an individual. This threshold, often shortened to "RROSH," is assessed on two factors: the sensitivity of the information involved, and the probability that the information has been, or will be, misused.
Two further obligations are easy to miss:
- Notification can extend beyond the regulator and the individual. Where notification is required, an organization may also need to notify other organizations or government institutions that can reduce the risk of harm.
- Record-keeping applies to every breach, not just reportable ones. An organization must keep a record of every breach of security safeguards involving personal information under its control, regardless of whether it met the real-risk-of-significant-harm threshold, and retain those records for 24 months. The Privacy Commissioner can ask to see them to verify that the organization assessed and handled breaches properly.
Because the real-risk analysis happens under time pressure, the businesses that handle a breach well are usually the ones that wrote an incident response plan before they needed it. Building privacy considerations in from the start, rather than retrofitting them after an incident, is the core idea behind privacy by design.
How is PIPEDA enforced, and what are the penalties?
This is where many online summaries import a U.S. or European assumption that does not hold in Canada. The Office of the Privacy Commissioner operates on an ombudsman model: it investigates complaints, conducts audits, and issues findings and recommendations, but it does not itself issue administrative fines or binding orders against organizations under PIPEDA. That is a meaningful difference from regimes where a regulator can levy large penalties directly.
Enforcement instead runs through two channels:
- Federal Court applications. Because the Commissioner's recommendations are not legally binding, a complainant (or the Commissioner) may apply to the Federal Court for a hearing after a report of findings is issued, under sections 14 and 15 of PIPEDA. Under section 16, the Court can order an organization to correct its practices and can award damages to the complainant, including for humiliation. Courts have treated damage awards as appropriate for more serious cases rather than routine ones, so the amounts vary considerably with the facts.
- Offence prosecutions. Under section 28 of PIPEDA, an organization that knowingly contravenes the breach reporting, notification, or record-keeping requirements, or that obstructs a Commissioner investigation or audit, commits an offence. The fine can reach up to $10,000 on summary conviction or up to $100,000 on indictment. The Commissioner does not prosecute these offences; it can refer a matter to the Attorney General of Canada, who decides whether to proceed.
The reputational and commercial consequences of a privacy failure often outweigh the statutory exposure. A regulator finding, a Federal Court application, or a public breach can affect customer trust, enterprise sales, and investment diligence well beyond any fine. That is part of why privacy questionnaires from enterprise buyers have become a routine gate on deals.
Is PIPEDA being replaced? Bill C-27 and what comes next
As of June 2026, PIPEDA remains Canada's federal private-sector privacy law, but reform has been on the agenda for years. The most recent major attempt, Bill C-27, would have replaced PIPEDA's private-sector portion with a new Consumer Privacy Protection Act, created a Personal Information and Data Protection Tribunal, and introduced an Artificial Intelligence and Data Act. Bill C-27 died on the Order Paper when Parliament was prorogued in January 2025, and a comprehensive successor had not been reintroduced as of mid-2026.
Two developments are worth knowing about. First, a future comprehensive privacy statute is widely expected to include a penalty-based enforcement regime, which would be a significant shift from PIPEDA's ombudsman model. Second, Parliament has already made a narrower change to PIPEDA itself: the Budget 2025 Implementation Act, No. 1 received royal assent on March 26, 2026 and added a data-mobility right, designed to let individuals ask certain prescribed organizations to transfer their personal information to another organization in a structured, commonly used format. As of June 2026, that right is not yet operational, because it depends on regulations the government has said it will develop to set the security and interoperability standards.
The sensible planning posture is to comply with PIPEDA as it stands today while designing privacy practices that could adapt to a stricter, penalty-backed regime without a full rebuild. Programs grounded in the fair-information principles tend to carry over well, because those principles have been the through-line across every Canadian reform proposal.
How do I start complying with PIPEDA?
PIPEDA compliance is less about a single document and more about a small set of practices that fit how your business actually handles data. A practical starting sequence:
- Map your data. Write down what personal information you collect, from whom, why, where it is stored, who can access it, how long you keep it, and which third parties touch it. Almost every other step depends on this.
- Designate someone accountable. The accountability principle requires a named person responsible for privacy compliance, even in a small organization.
- Write or refresh your privacy policy so it matches what your product and operations actually do, in language a customer can follow. A policy that describes a product you shipped two versions ago is a liability, not a safeguard.
- Get consent right. Identify your purposes at or before collection, and make sure the consent you rely on is appropriate to the sensitivity of the data.
- Set retention limits. Decide how long you keep each category of personal information, and delete or de-identify it when the purpose is met.
- Put safeguards in place that are proportionate to the sensitivity of the data, covering both technical controls and staff practices.
- Write a breach response plan before you need one, including who runs the real-risk-of-significant-harm analysis and how you will document every breach for the 24-month record requirement.
Many businesses can make real progress on this list internally. Where the data is sensitive, where enterprise or international customers are involved, or where a breach or regulator inquiry is already in play, professional review tends to pay for itself. For a fuller treatment of when the spend is worth it, see when your business needs a privacy lawyer in Canada.
Bringing it together
PIPEDA is Canada's federal private-sector privacy law, built around 10 fair-information principles, with a breach-reporting regime keyed to a real risk of significant harm and an ombudsman-style regulator that recommends rather than fines. For most Canadian businesses, especially those in Ontario without a provincial private-sector statute, it is the baseline that governs how personal information is collected, used, protected, and disclosed. Understanding it well enough to map your data and put a sensible program in place is achievable, and it is far cheaper to do before a customer questionnaire or a breach forces the issue.
Clearview is licensed by the Law Society of Ontario and advises Ontario clients on PIPEDA and related privacy obligations, from data mapping and policy drafting through vendor contracts and breach response planning. To talk through where your business stands and what a privacy engagement might cover, contact Clearview or read more about the firm's privacy law practice. An introductory call to scope the work usually costs nothing; legal advice does not start until you become a client.
