Privacy law in Canada, explained.
One place to understand the laws that govern personal information in Canada — the federal PIPEDA, the provincial private-sector laws in Quebec, British Columbia and Alberta, and the health-information statutes in between. Every page is written in plain language and links straight to the official text of the law. Start with the overview, or jump to your jurisdiction below.
Last reviewed: 2026-06-29 · Educational summary, not legal advice.
The shape of Canadian privacy law
Canada does not have one privacy law — it has a layered system, and which layer applies to you depends on what you do with personal information and where. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) is the baseline for the private sector: it governs personal information collected, used, or disclosed in the course of commercial activity, and it always governs information that crosses a provincial or national border in commerce. You can read the Act in full at the Department of Justice: laws-lois.justice.gc.ca/eng/acts/P-8.6.
On top of that federal baseline sit the provinces. Three of them — Quebec, British Columbia and Alberta — have their own general private-sector privacy laws that the federal government has declared substantially similar to PIPEDA. In those provinces, the provincial law governs activity that stays inside the province, while PIPEDA still governs flows that leave it. Separately, most provinces have a dedicated health-information privacy law — like Ontario's PHIPA — that governs how health custodians handle patient data. And the federal Privacy Act covers federal government institutions, which is a different question entirely.
If you only remember one thing: figure out which law applies first, because the answer changes your obligations. Our guide to federal vs provincial privacy law walks the decision path. Then read the law that governs you — and this hub links the official text of every one.
PIPEDA
Understand PIPEDA.
The federal private-sector law, broken into the questions people actually ask.
What is PIPEDA? The plain-language guide
Canada's federal private-sector privacy law — what it is, the ten principles, breach duties, and how it fits with provincial law.
Scope: Does PIPEDA apply to your organization?
Commercial activity, the inter-provincial flow rule, federal works, employees, and the provinces where a substantially-similar law displaces PIPEDA.
Principles: PIPEDA's ten fair information principles
Accountability through challenging compliance — Schedule 1's ten obligations, explained one at a time with what each requires in practice.
Consent: Consent and meaningful consent under PIPEDA
Express vs implied consent, the OPC's meaningful-consent guidelines, withdrawal, and the limited exceptions to the consent rule.
Breach: PIPEDA breach reporting and the breach register
Real risk of significant harm, reporting to the OPC and individuals as soon as feasible, and the 24-month record-keeping duty.
Access: Access to personal information under PIPEDA
How individuals request their own data, your 30-day response clock, the fee rules, and the grounds you can refuse on.
Transfers: Cross-border data transfers under PIPEDA
Why PIPEDA permits US-cloud hosting, the accountability and transparency obligations that attach, and where data-residency is contractual.
Comparison: PIPEDA vs GDPR: the practical differences
Consent models, penalties, breach clocks, DPO and lawful-basis gaps — what a GDPR program still has to add to satisfy PIPEDA.
By jurisdiction
Privacy law by province.
The provincial private-sector laws, the health statutes, and the federal Privacy Act.
Quebec Law 25 (the Private Sector Act)
The most demanding private-sector regime in Canada: person-in-charge, PIAs, transfer assessments, the confidentiality-incident register, and real fines.
B.C.: British Columbia's PIPA
BC's substantially-similar private-sector law — how it differs from PIPEDA on consent, employee information, and access.
Alberta: Alberta's PIPA
Alberta's private-sector law, its mandatory breach-notification rule to the Commissioner, and how it overlaps with PIPEDA.
Ontario: Ontario PHIPA (health information)
Ontario has no general private-sector law — PIPEDA applies — but PHIPA governs health information custodians and their service providers.
Health: Provincial health privacy laws across Canada
PHIPA, HIA, HIPA, PHIA and PHIPAA — the health-information statute for every province, with the official text linked.
Public sector: The federal Privacy Act (government data)
The other federal law: how the Privacy Act governs federal institutions, and why it is not the same thing as PIPEDA.
Context
How it fits — and what's changing.
Federal vs provincial: which privacy law applies?
The substantially-similar mechanism, health-information carve-outs, and a decision path for working out which statute governs you.
Reform: Bill C-27 and the CPPA: where reform stands
The Consumer Privacy Protection Act died on the Order Paper in 2025. What was proposed, what happened, and what governs you today.
From understanding the law to answering for it
Understanding the law is one job; proving your compliance to a buyer is another. When a customer sends a privacy questionnaire built on these statutes, our practical answering guides pick up where this hub leaves off — the PIPEDA questionnaire guide, the Quebec Law 25 questionnaire guide, and the Ontario PHIPA questionnaire guide. Or browse all questionnaire guides.
Common questions.
What is the main privacy law in Canada?
For private-sector organizations, the baseline federal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs personal information collected, used, or disclosed in the course of commercial activity. Alberta, British Columbia, and Quebec have their own substantially-similar private-sector laws that apply to organizations operating within those provinces. Health information is governed by separate provincial statutes in most provinces, and federal government institutions are covered by the Privacy Act, not PIPEDA.
Is PIPEDA a federal or provincial law?
PIPEDA is a federal law. It applies across Canada to commercial handling of personal information, and to all personal information that crosses provincial or national borders in the course of commercial activity. Where a province has enacted a private-sector privacy law the federal government has declared substantially similar — Alberta, British Columbia, and Quebec — that provincial law applies to intra-provincial activity instead, while PIPEDA continues to govern inter-provincial and international flows.
Which provinces have their own private-sector privacy laws?
Three provinces have general private-sector privacy laws declared substantially similar to PIPEDA: Quebec (the Act respecting the protection of personal information in the private sector, heavily amended by Law 25), British Columbia (PIPA), and Alberta (PIPA). Ontario has no general private-sector law, so PIPEDA applies there — but Ontario, like most provinces, has a dedicated health-information privacy statute (PHIPA).
Does PIPEDA apply to small businesses?
There is no small-business exemption in PIPEDA. It applies based on the activity — collecting, using, or disclosing personal information in the course of commercial activity — not the size of the organization. A two-person company selling to customers in another province is within scope. The practical obligations scale with the sensitivity and volume of the information you handle, but the law itself does not carve out small organizations.
Is this hub legal advice?
No. This hub is plain-language education that links directly to the official text of each statute so you can read the primary source yourself. It is not legal advice, and privacy law changes — every page shows when it was last reviewed. For a decision that turns on your specific facts, consult a qualified privacy lawyer in the relevant jurisdiction.
Need this turned into a compliance program?
ThinSky helps Canadian businesses map PIPEDA, Law 25 and PHIPA obligations to real controls — and answer the buyer questionnaires that test them. Tell us what you're facing.