Privacy law in Canada, explained.

One place to understand the laws that govern personal information in Canada — the federal PIPEDA, the provincial private-sector laws in Quebec, British Columbia and Alberta, and the health-information statutes in between. Every page is written in plain language and links straight to the official text of the law. Start with the overview, or jump to your jurisdiction below.

Last reviewed: 2026-06-29 · Educational summary, not legal advice.

The shape of Canadian privacy law

Canada does not have one privacy law — it has a layered system, and which layer applies to you depends on what you do with personal information and where. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) is the baseline for the private sector: it governs personal information collected, used, or disclosed in the course of commercial activity, and it always governs information that crosses a provincial or national border in commerce. You can read the Act in full at the Department of Justice: laws-lois.justice.gc.ca/eng/acts/P-8.6.

On top of that federal baseline sit the provinces. Three of them — Quebec, British Columbia and Alberta — have their own general private-sector privacy laws that the federal government has declared substantially similar to PIPEDA. In those provinces, the provincial law governs activity that stays inside the province, while PIPEDA still governs flows that leave it. Separately, most provinces have a dedicated health-information privacy law — like Ontario's PHIPA — that governs how health custodians handle patient data. And the federal Privacy Act covers federal government institutions, which is a different question entirely.

If you only remember one thing: figure out which law applies first, because the answer changes your obligations. Our guide to federal vs provincial privacy law walks the decision path. Then read the law that governs you — and this hub links the official text of every one.

PIPEDA

Understand PIPEDA.

The federal private-sector law, broken into the questions people actually ask.

From understanding the law to answering for it

Understanding the law is one job; proving your compliance to a buyer is another. When a customer sends a privacy questionnaire built on these statutes, our practical answering guides pick up where this hub leaves off — the PIPEDA questionnaire guide, the Quebec Law 25 questionnaire guide, and the Ontario PHIPA questionnaire guide. Or browse all questionnaire guides.

Common questions.

What is the main privacy law in Canada?

For private-sector organizations, the baseline federal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs personal information collected, used, or disclosed in the course of commercial activity. Alberta, British Columbia, and Quebec have their own substantially-similar private-sector laws that apply to organizations operating within those provinces. Health information is governed by separate provincial statutes in most provinces, and federal government institutions are covered by the Privacy Act, not PIPEDA.

Is PIPEDA a federal or provincial law?

PIPEDA is a federal law. It applies across Canada to commercial handling of personal information, and to all personal information that crosses provincial or national borders in the course of commercial activity. Where a province has enacted a private-sector privacy law the federal government has declared substantially similar — Alberta, British Columbia, and Quebec — that provincial law applies to intra-provincial activity instead, while PIPEDA continues to govern inter-provincial and international flows.

Which provinces have their own private-sector privacy laws?

Three provinces have general private-sector privacy laws declared substantially similar to PIPEDA: Quebec (the Act respecting the protection of personal information in the private sector, heavily amended by Law 25), British Columbia (PIPA), and Alberta (PIPA). Ontario has no general private-sector law, so PIPEDA applies there — but Ontario, like most provinces, has a dedicated health-information privacy statute (PHIPA).

Does PIPEDA apply to small businesses?

There is no small-business exemption in PIPEDA. It applies based on the activity — collecting, using, or disclosing personal information in the course of commercial activity — not the size of the organization. A two-person company selling to customers in another province is within scope. The practical obligations scale with the sensitivity and volume of the information you handle, but the law itself does not carve out small organizations.

Is this hub legal advice?

No. This hub is plain-language education that links directly to the official text of each statute so you can read the primary source yourself. It is not legal advice, and privacy law changes — every page shows when it was last reviewed. For a decision that turns on your specific facts, consult a qualified privacy lawyer in the relevant jurisdiction.

Need this turned into a compliance program?

ThinSky helps Canadian businesses map PIPEDA, Law 25 and PHIPA obligations to real controls — and answer the buyer questionnaires that test them. Tell us what you're facing.

Talk to ThinSky →