PIPEDA Privacy Policy Template: Canada Compliant

PIPEDA requires every organization engaged in commercial activity in Canada to have a privacy policy that covers all 10 fair information principles. This guide covers exactly what your policy must include, how PIPEDA compares to GDPR, and what Bill C-27 means for the future of Canadian privacy.

For Canadian businesses, international companies serving Canadian users, and website operators who need to comply with PIPEDA.

Last updated: March 2026 · Reviewed for GDPR, CCPA & CalOPPA compliance

Written by Anupam Kumar · 11 min read

PIPEDA requires Canadian businesses to have a privacy policy covering all 10 fair information principles. Your policy must disclose what personal information you collect, the purposes for collection, how you obtain consent, your data security safeguards, and how individuals can access their data or file complaints. Non-compliance can result in fines up to $100,000 CAD under current law, with proposed increases to $25 million CAD under Bill C-27.

If your business operates in Canada, collects data from Canadian residents, or transfers personal information across Canadian provincial borders, you need to comply with PIPEDA. Canada's federal privacy law has been in effect since 2000, and it governs how private-sector organizations handle personal information during commercial activities.

Unlike some privacy laws that focus primarily on digital data, PIPEDA covers all personal information collected in the course of commercial activity, whether digital or physical. For website operators, this means every form submission, every analytics cookie, and every email address you collect falls under PIPEDA's scope if the visitor is a Canadian resident.

This guide provides a detailed breakdown of PIPEDA's requirements, explains how they translate into specific privacy policy sections, compares PIPEDA with GDPR, addresses the upcoming Bill C-27 changes, and gives you a template outline for creating your own compliant policy.

What Is PIPEDA?

PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It is Canada's federal privacy law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. The law was enacted in 2000 and has been amended several times since, most notably in 2015 by the Digital Privacy Act, which introduced mandatory data breach notification requirements.

PIPEDA is built around 10 fair information principles, which are codified in Schedule 1 of the Act. These principles form the foundation of Canadian privacy law and dictate what your privacy policy must contain. Unlike GDPR, which prescribes specific requirements in detailed articles, PIPEDA takes a principles-based approach that gives organizations some flexibility in how they implement compliance.

What Counts as Personal Information Under PIPEDA

PIPEDA defines personal information broadly as any information about an identifiable individual. This includes names, addresses, phone numbers, email addresses, Social Insurance Numbers, age, income, credit records, medical records, IP addresses, device identifiers, and opinions or comments associated with an individual. For websites, this means analytics data, form submissions, cookie data, and any other information that can be linked to a specific person.

The Office of the Privacy Commissioner (OPC)

PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC). The OPC investigates complaints from individuals, conducts audits, publishes findings and recommendations, and can refer matters to the Federal Court for binding orders. While the OPC's current enforcement powers are more limited than those of EU data protection authorities, the proposed Bill C-27 would significantly strengthen them.

Q: Does PIPEDA apply to non-profit organizations?

Generally no. PIPEDA applies to private-sector organizations engaged in commercial activities. Non-profits, charities, and political parties are typically exempt unless they engage in commercial activities. However, if a non-profit operates a commercial side (such as selling merchandise), that commercial activity may fall under PIPEDA.

Q: Does PIPEDA apply to employee data?

Only for federally regulated employers (banks, airlines, telecommunications companies). For most private-sector employers, employee data is governed by provincial privacy legislation rather than PIPEDA. However, PIPEDA applies to employee data that crosses provincial or national borders.

Does PIPEDA Apply to You?

Determining whether PIPEDA applies to your organization depends on several factors. Here is a breakdown of when PIPEDA applies, when provincial laws apply instead, and when you might need to comply with both.

Scenario | PIPEDA applies? | Notes
Canadian business, collects data from Canadian users | Yes | Applies in all provinces without equivalent provincial legislation
International business, collects data from Canadian users | Yes | Extraterritorial application for commercial activities involving Canadian data
Transfers data across provincial borders | Yes | PIPEDA applies to interprovincial and international data transfers
Operates only in British Columbia | Partially | BC's PIPA applies for intra-provincial activities; PIPEDA for interprovincial transfers
Operates only in Alberta | Partially | Alberta's PIPA applies for intra-provincial activities; PIPEDA for interprovincial transfers
Operates only in Quebec | Partially | Quebec's Law 25 (An Act Respecting the Protection of Personal Information) applies; PIPEDA for interprovincial transfers
Non-profit with no commercial activity | No | Exempt from PIPEDA unless engaged in commercial activities

Did you know?

Quebec's Law 25 (which took full effect in September 2024) is one of the strictest privacy laws in Canada, with fines up to $25 million CAD or 4% of worldwide turnover. If you serve Quebec residents, you may need to comply with Law 25 in addition to PIPEDA. Law 25 requires privacy impact assessments, explicit consent for sensitive data, and mandatory breach notification, similar to GDPR.

The practical advice for most organizations is this: if you do any business in Canada or collect data from Canadian visitors, assume PIPEDA applies. Even if a provincial law covers some of your activities, PIPEDA will likely apply to any interprovincial or international data transfers. Building a privacy policy that complies with PIPEDA from the start is the safest approach.

PIPEDA's 10 Fair Information Principles

These 10 principles are the foundation of PIPEDA. Each one translates into specific requirements for your privacy policy. Here is what each principle means and what your policy must say about it.

1. Accountability

Your organization must designate an individual (a privacy officer) who is responsible for ensuring compliance with PIPEDA. This person is accountable for all personal information under your organization's control, including data transferred to third parties for processing.

Your policy must: Name or describe the role of your privacy officer and provide contact information for privacy inquiries.

2. Identifying Purposes

You must identify the purposes for collecting personal information before or at the time of collection. You cannot collect data and decide what to do with it later. Each purpose must be documented and communicated to the individual.

Your policy must: List each category of data you collect and the specific purpose for collecting it (e.g., "We collect email addresses to send our weekly newsletter").

3. Consent

You must obtain meaningful consent for the collection, use, and disclosure of personal information. Consent can be express (opt-in) or implied, depending on the sensitivity of the data and the reasonable expectations of the individual. Sensitive information always requires express consent.

Your policy must: Explain how you obtain consent, what types of consent apply to different data, and how individuals can withdraw consent at any time.

4. Limiting Collection

You must limit collection to what is necessary for the identified purposes. You cannot collect data "just in case" or for speculative future uses. This is similar to GDPR's data minimization principle.

Your policy must: State that you collect only the personal information necessary for the stated purposes and describe what data is required vs. optional.

5. Limiting Use, Disclosure, and Retention

Personal information must be used only for the purposes for which it was collected, unless the individual consents to a new use or the use is required by law. Data must be retained only as long as necessary to fulfill those purposes and then securely destroyed.

Your policy must: Describe your data retention periods, explain when and how data is deleted or anonymized, and state that data is not used for purposes beyond those disclosed.

6. Accuracy

Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used. You should not use outdated or incorrect data to make decisions about individuals.

Your policy must: Describe how individuals can update or correct their personal information, and state your commitment to keeping data accurate.

7. Safeguards

Personal information must be protected by security safeguards appropriate to the sensitivity of the data. This includes physical measures (locked offices), organizational measures (access controls, training), and technological measures (encryption, firewalls, secure transmission).

Your policy must: Describe the security measures you use to protect personal information, without revealing specific technical details that could compromise security.

8. Openness

Your privacy policies and practices must be readily available to the public. This is the principle that directly requires you to have a published, accessible privacy policy. The information must be available in a form that is generally understandable.

Your policy must: Be published on your website (typically linked from the footer), written in plain language, and cover all aspects of your personal information handling practices.

9. Individual Access

Individuals have the right to access their personal information held by your organization. Upon request, you must inform them of the existence, use, and disclosure of their data, and provide access to it. You must respond to access requests within 30 days.

Your policy must: Explain how individuals can request access to their data, the process for making a request, and the typical response timeframe (within 30 days).

10. Challenging Compliance

Individuals must be able to challenge your organization's compliance with PIPEDA. You must have a complaint process in place and investigate all complaints. If a complaint is found to be justified, you must take appropriate measures, including amending your policies and practices.

Your policy must: Describe your complaint process, provide contact information for submitting complaints, and reference the OPC as an escalation option.

PIPEDA vs GDPR: Key Differences

Many organizations that serve both Canadian and European users need to comply with both PIPEDA and GDPR. While the two laws share similar goals, there are important differences that affect what your privacy policy must include.

Aspect | PIPEDA (Canada) | GDPR (EU/UK)
Consent model | Meaningful consent; implied consent allowed for non-sensitive data in certain commercial contexts | Explicit consent required for most processing; six legal bases available
Data breach notification | Mandatory since 2018; report to OPC and notify affected individuals if real risk of significant harm | Mandatory; notify supervisory authority within 72 hours; notify individuals if high risk
Privacy officer requirement | Must designate a privacy officer (any title) responsible for compliance | Must appoint a DPO if processing sensitive data at scale or monitoring individuals systematically
Maximum fines | Up to $100,000 CAD (current); up to $25M CAD or 5% of revenue (proposed under Bill C-27) | Up to 20 million euros or 4% of global revenue, whichever is higher
Extraterritorial reach | Applies to commercial activities involving Canadian residents' data | Applies to any organization processing EU residents' data
Right to erasure | Limited; individuals can challenge accuracy and request amendments, but no explicit right to erasure like GDPR Article 17 | Explicit right to erasure (right to be forgotten) under Article 17
Data portability | Not currently required under PIPEDA; proposed in Bill C-27 | Required under GDPR Article 20; data must be provided in machine-readable format

Did you know?

The European Commission has recognized PIPEDA as providing an adequate level of data protection under GDPR. This means personal data can flow from the EU to Canada without additional safeguards, making PIPEDA compliance particularly valuable for organizations that handle data from both Canadian and European users. However, this adequacy decision is subject to periodic review and may be affected by the transition to Bill C-27.

If you serve both Canadian and EU users, the practical approach is to build a privacy policy that meets the stricter GDPR requirements while also addressing PIPEDA-specific elements like the 10 principles and the OPC complaint process. A well-structured policy can satisfy both laws in a single document by including region-specific sections.

Bill C-27 and the Future of Canadian Privacy

Bill C-27, the Digital Charter Implementation Act, is the Canadian government's proposal to modernize privacy law. Its centerpiece is the Consumer Privacy Protection Act (CPPA), which would replace the private-sector provisions of PIPEDA with a significantly strengthened framework. Understanding Bill C-27 is important for organizations that want to be prepared for the future of Canadian privacy law.

Key Changes Under the CPPA

The CPPA would introduce several major changes to Canadian privacy law. First, penalties would increase dramatically. The maximum fine under the CPPA would be the greater of 5% of global revenue or $25 million CAD. This is a massive increase from the current $100,000 CAD maximum under PIPEDA and would bring Canadian penalties in line with GDPR.

Second, the CPPA would create a new Privacy Tribunal with the power to impose administrative monetary penalties directly, without needing to go through Federal Court. This would make enforcement faster and more practical.

Third, the CPPA would introduce new individual rights, including data portability (the right to transfer your data to another organization in a machine-readable format) and algorithmic transparency (the right to an explanation when automated decisions significantly affect you).

Strengthened Consent Requirements

The CPPA would require that consent be "meaningful," and it would define specific criteria for what constitutes meaningful consent. Organizations would need to provide information in plain language, present consent requests prominently, and not bundle consent with other terms. This means privacy policies would need to be clearer and more specific than many current PIPEDA-compliant policies.

What This Means for You Now

While Bill C-27's final passage timeline remains uncertain, organizations should start preparing now. The CPPA's requirements are stricter than current PIPEDA in every area. By building a privacy policy that meets the higher CPPA standard today, you will not need a major overhaul when the new law takes effect. At minimum, ensure your current policy addresses all 10 PIPEDA principles thoroughly, as these will remain the foundation under the CPPA.

Did you know?

Bill C-27 also includes the Artificial Intelligence and Data Act (AIDA), which would be Canada's first standalone AI regulation. AIDA would require organizations to conduct impact assessments for high-impact AI systems and disclose when AI is used to make decisions about individuals. If your website or business uses AI-powered tools (chatbots, recommendation engines, automated decision-making), AIDA could impose additional transparency requirements beyond privacy.

Free PIPEDA Privacy Policy Template Preview

Below is a structured outline of what a PIPEDA-compliant privacy policy should contain. Each section maps to one or more of the 10 fair information principles. Use this as a checklist when reviewing your existing policy or as a starting point for creating a new one.

1. Introduction and Scope

State who you are, what the policy covers, and that you comply with PIPEDA. Identify your organization by name and describe the types of personal information the policy addresses.

2. Privacy Officer Contact Information

Name or describe the role of your designated privacy officer. Provide an email address, phone number, or mailing address for privacy inquiries. (Principle 1: Accountability)

3. Personal Information We Collect

List every category of personal information you collect: names, emails, phone numbers, payment info, IP addresses, device data, cookies, analytics data. Be specific and comprehensive. (Principle 4: Limiting Collection)

4. Purposes for Collection

For each category of data, explain why you collect it. Purposes might include providing services, processing payments, sending marketing communications, improving website performance, or complying with legal obligations. (Principle 2: Identifying Purposes)

5. Consent

Explain how you obtain consent (express or implied) for each type of data collection. Describe how users can withdraw consent and what happens when they do. Address cookie consent separately if applicable. (Principle 3: Consent)

6. Use, Disclosure, and Retention

Describe how you use personal information, who you share it with (third-party processors, service providers, legal authorities), and how long you retain data before deletion or anonymization. (Principle 5: Limiting Use, Disclosure, and Retention)

7. Data Accuracy

Explain how individuals can update or correct their personal information. Describe your process for keeping data accurate and current. (Principle 6: Accuracy)

8. Security Safeguards

Describe the security measures you use to protect personal information. Mention encryption, access controls, employee training, and secure data storage without revealing specific technical implementations. (Principle 7: Safeguards)

9. Individual Access Rights

Explain how individuals can request access to their personal information, the process for submitting a request, and the 30-day response timeframe. Describe any exceptions to access rights under PIPEDA. (Principle 9: Individual Access)

10. Data Breach Notification

Describe your process for handling data breaches, including when and how you will notify affected individuals and the OPC. Explain the criteria for determining whether a breach poses a real risk of significant harm.

11. Complaints and Challenging Compliance

Provide a clear process for filing privacy complaints with your organization. Include the privacy officer's contact information and reference the OPC as an escalation option if the individual is not satisfied. (Principle 10: Challenging Compliance)

12. Changes to This Policy

Explain how and when you will update the policy, how users will be notified of changes, and that continued use after notification constitutes acceptance of the updated policy. (Principle 8: Openness)

Common PIPEDA Mistakes

Here are the five most common misconceptions about PIPEDA compliance, and why each one can leave your organization exposed to enforcement action.

Mistake: "PIPEDA only applies to Canadian companies."

Reality: PIPEDA applies to any organization that collects, uses, or discloses personal information of Canadian residents in the course of commercial activities. If you are a US-based or European company with a website that collects data from Canadian visitors (through analytics, forms, or cookies), PIPEDA can apply to you. This extraterritorial reach is similar to GDPR's application to non-EU organizations.

Mistake: "GDPR compliance means PIPEDA compliance."

Reality: While GDPR and PIPEDA share similar goals, they have different structures and requirements. GDPR compliance gets you most of the way to PIPEDA compliance, but there are PIPEDA-specific elements you may be missing. PIPEDA requires a designated privacy officer (not the same as a DPO), a specific complaint process referencing the OPC, and adherence to the 10 fair information principles as a framework. A GDPR-only policy may not address these Canadian-specific requirements.

Mistake: "There are no real fines under PIPEDA."

Reality: While current PIPEDA fines are lower than GDPR (up to $100,000 CAD for certain offenses), the OPC can refer cases to Federal Court, which can order damages and require organizations to change their practices. More importantly, the proposed CPPA under Bill C-27 would increase maximum penalties to $25 million CAD or 5% of global revenue. The reputational damage from an OPC finding of non-compliance can also be significant, as findings are publicly published.

Mistake: "I only need English."

Reality: Canada is officially bilingual. While PIPEDA does not explicitly require bilingual privacy policies for private-sector organizations, federal institutions must communicate in both English and French. If you serve customers in Quebec, Law 25 (Quebec's provincial privacy law) and the Charter of the French Language may require that your privacy policy be available in French. Providing a bilingual policy is a best practice for any organization serving Canadian consumers nationwide.

Mistake: "My website is too small for PIPEDA."

Reality: PIPEDA has no revenue threshold, no employee count threshold, and no website traffic threshold. If you are a private-sector organization engaged in commercial activity and you collect personal information from Canadian residents, PIPEDA applies to you regardless of size. A one-person online business selling products to Canadian customers is just as subject to PIPEDA as a large corporation. The OPC has investigated and published findings against small businesses.

How to Create a PIPEDA-Compliant Privacy Policy (6 Steps)

Follow these steps to create a privacy policy that meets PIPEDA requirements and prepares you for the stricter standards expected under Bill C-27.

1. Designate a privacy officer and document accountability

PIPEDA Principle 1 requires you to designate someone responsible for your organization's privacy compliance. This can be you (if you are a sole proprietor), a specific employee, or an external consultant. Document this person's title and contact information. They will be the point of contact for privacy inquiries, access requests, and complaints. Include their contact details in your privacy policy.

2. Audit all personal information collection

Document every type of personal information your organization collects: form data (names, emails, phone numbers), payment information, analytics data (IP addresses, device info), cookie data, and any information from third-party integrations. For each data type, record the purpose of collection, the method (active vs. passive), and the retention period. This audit forms the basis of your privacy policy disclosures.

3. Implement proper consent mechanisms

Determine whether express or implied consent is appropriate for each type of data collection. Sensitive information (health, financial, children's data) always requires express consent. For website analytics and basic cookies, implied consent may be sufficient in some contexts, but express consent is safer and will be the standard under Bill C-27. Add consent checkboxes to forms and implement a cookie consent banner for analytics and advertising cookies.

4. Draft sections covering all 10 principles

Using the template preview above as your guide, write each section of your privacy policy to address the corresponding PIPEDA principle. Be specific about your actual practices. Name the third-party services you use (Google Analytics, Stripe, Mailchimp), describe your actual retention periods, and explain your real security measures. Generic language weakens your compliance position.

5. Include breach notification procedures

Since 2018, PIPEDA requires mandatory data breach notification. Your privacy policy should describe your breach notification process: how you assess whether a breach poses a real risk of significant harm, how you notify the OPC and affected individuals, and what information the notification will contain. You are also required to maintain records of all breaches (whether or not they required notification) for at least two years.

6. Publish prominently and review annually

Link your privacy policy from the footer of every page on your website. PIPEDA's Openness Principle requires that your practices be readily available. Use plain language that an average person can understand. Review your policy at least annually, and update it whenever your data practices change. If you also serve EU users, add GDPR-specific sections. If you serve Quebec residents, ensure compliance with Law 25 as well.

Frequently Asked Questions

What is PIPEDA and who does it apply to?

PIPEDA is Canada's federal privacy law governing private-sector organizations that collect personal information during commercial activities. It applies to any organization, Canadian or foreign, that collects data from Canadian residents in the course of commercial activity. It also applies to interprovincial and international data transfers.

Does PIPEDA apply if I am not based in Canada?

Yes. If your website collects data from Canadian visitors through analytics, forms, cookies, or any other means, and you engage in commercial activities, PIPEDA can apply. This extraterritorial reach is similar to GDPR's application to non-EU organizations. If you have Canadian users, it is safest to assume PIPEDA applies.

What are the 10 fair information principles?

They are: Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use/Disclosure/Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance. Each principle requires specific disclosures and practices that must be reflected in your privacy policy. Together, they form the complete framework for handling personal information under Canadian law.

How is PIPEDA different from GDPR?

Key differences include: PIPEDA allows implied consent in some situations while GDPR generally requires explicit consent; PIPEDA fines are currently lower ($100K CAD vs. 20M euros); PIPEDA requires a privacy officer while GDPR requires a DPO in certain cases; GDPR includes a right to erasure that PIPEDA currently lacks. Both have extraterritorial reach and require transparency about data practices.

What is Bill C-27 and how will it change things?

Bill C-27 proposes to replace PIPEDA's private-sector provisions with the Consumer Privacy Protection Act (CPPA). The CPPA would bring dramatically higher fines (up to $25M CAD or 5% of revenue), new individual rights like data portability, algorithmic transparency requirements, and a new Privacy Tribunal for direct enforcement. While the timeline is uncertain, organizations should start preparing by strengthening their current compliance.

Does my website need a privacy policy under PIPEDA?

Yes. PIPEDA's Openness Principle (Principle 8) requires that your privacy policies and practices be readily available. For a website, this means having a publicly accessible privacy policy linked from your site. The policy must describe what data you collect, your purposes, consent mechanisms, security measures, access rights, and complaint process.

What are the penalties for non-compliance with PIPEDA?

Currently, the OPC can investigate complaints, publish findings, and refer cases to Federal Court. Fines for certain offenses reach up to $100,000 CAD. The Federal Court can order damages and practice changes. Under the proposed CPPA (Bill C-27), penalties would increase to up to $25 million CAD or 5% of global revenue. Published OPC findings also cause significant reputational damage.
