PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada's federal private-sector privacy law. Enacted in 2000 and fully in force since 2004, it applies to the collection, use and disclosure of personal information in the course of commercial activity across Canada. Quebec, Alberta and British Columbia have private-sector laws deemed substantially similar, so their provincial statutes govern provincially regulated activity there; PIPEDA still applies in those provinces to federally regulated businesses (banks, telecoms, airlines) and to personal information that crosses provincial or national borders. For most online businesses PIPEDA is the baseline federal standard, and Quebec's Law 25 is the strictest provincial overlay.
PIPEDA's ten fair information principles
PIPEDA is built around ten fair information principles drawn from the CSA Model Privacy Code. These form the basis of what compliant data handling looks like under Canadian law:
- Accountability — designate a Privacy Officer responsible for compliance
- Identifying purposes — state the purpose for collecting personal information before or at the time of collection
- Consent — obtain knowledge and consent for collection, use, and disclosure (with limited exceptions)
- Limiting collection — collect only what is necessary for the identified purpose
- Limiting use, disclosure, and retention — use data only for its stated purpose; retain only as long as needed
- Accuracy — keep personal information as accurate as necessary for its purpose
- Safeguards — protect personal information with appropriate security
- Openness — make your privacy practices readily available
- Individual access — give individuals access to their information on request
- Challenging compliance — have a process for handling privacy complaints
Quebec Law 25: Canada's strictest privacy framework
Quebec's Law 25 (adopted as Bill 64, An Act to modernize legislative provisions as respects the protection of personal information) amended the province's Act respecting the protection of personal information in the private sector. Its obligations came into force in stages on 22 September 2022, 2023 and 2024, with most of the substantive requirements taking effect in September 2023 and the data portability right following in 2024. It represents a significant escalation of Canadian privacy obligations; key requirements that go beyond PIPEDA include:
- Privacy Impact Assessments (PIAs) are mandatory for any project to acquire, develop or redesign an information system or electronic service delivery that involves personal information, and before communicating personal information outside Quebec
- Privacy by default — any technological product or service offered to the public that has privacy settings must ship with those settings at the highest level of confidentiality, with no action required from the user (the Act exempts cookie settings from this rule)
- Breach notification — any confidentiality incident that presents a risk of serious injury must be reported to the Commission d'accès à l'information (CAI) and to the affected individuals, and every incident, reportable or not, must be recorded in an incident register
- Consent must be clear, free and informed, given for each specific purpose, and requested separately from any other information presented to the individual (no pre-ticked boxes bundled with the terms of service)
- Transparency — an organization that collects personal information through technological means must publish a privacy policy in clear and simple language on its website, and must tell individuals when it uses technology that identifies, locates or profiles them
- Cross-border transfers — before personal information is communicated outside Quebec, a PIA must establish that it will receive adequate protection there, taking into account the sensitivity of the information, the purposes of the transfer, the protection measures in place and the legal regime of the destination
Penalties under Law 25 come in two tiers: administrative monetary penalties imposed by the CAI of up to CAD $10 million or 2% of worldwide turnover, and penal fines of up to CAD $25 million or 4% of worldwide turnover, in each case whichever is greater. The Act also creates a private right of action, with punitive damages of at least CAD $1,000 where the violation is intentional or results from gross fault. Together these bring enforcement to GDPR-equivalent levels of severity.
The CPPA reform (Bill C-27)
Bill C-27, introduced in June 2022, would have replaced PIPEDA's privacy provisions with the Consumer Privacy Protection Act (CPPA) at the federal level; the same bill carried the Artificial Intelligence and Data Act. It would bring Canada's federal privacy framework closer to GDPR in several respects: stronger consent requirements, an expanded list of individual rights (including disposal and data mobility), order-making powers for the Privacy Commissioner, and administrative penalties of up to the greater of CAD $10 million or 3% of global revenue. The bill died on the Order Paper when Parliament was prorogued in January 2025, so any federal reform will have to be reintroduced. Businesses with operations across Canada should still monitor it, because a CPPA-style law would require updates to privacy policies, consent mechanisms and data retention practices when it comes into force.