PIPEDA
What is PIPEDA? Canada's federal privacy law, explained
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It sets the rules organizations must follow when they collect, use, or disclose personal information in the course of commercial activity. It was enacted in 2000 and phased in between 2001 and 2004; you can read the entire Act on the Justice Laws website: Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5). This page is the plain-language overview; each section links to a deeper guide.
What PIPEDA is — and what "personal information" means
Personal information under PIPEDA is information about an identifiable individual. That is deliberately broad: a name, email address, IP address, purchase history, or location, and any data that could identify someone on its own or when combined with other data. PIPEDA governs that information when an organization handles it in the course of commercial activity, meaning buying, selling, leasing, bartering, or any other transaction of a commercial character. Whether the law reaches your organization is a question worth getting right; we cover it in detail in does PIPEDA apply to your organization?
The ten fair information principles
PIPEDA's substantive obligations live in Schedule 1 as ten fair information principles. They are the core of the law, and most privacy programs — and most Canadian buyer questionnaires — are organized around them. The Office of the Privacy Commissioner publishes the canonical list: PIPEDA fair information principles.
- Accountability — designate someone responsible; stay responsible for data you transfer to processors.
- Identifying purposes — state why you collect, at or before collection.
- Consent — obtain knowledge and consent for collection, use, and disclosure.
- Limiting collection — collect only what the stated purposes require.
- Limiting use, disclosure, and retention — no repurposing; delete when the purpose is spent.
- Accuracy — keep information accurate, complete, and current as needed.
- Safeguards — protect information with security appropriate to its sensitivity.
- Openness — make your policies and practices readily available.
- Individual access — let people see and correct their information.
- Challenging compliance — give people a way to complain to your designated person.
Each principle carries real operational weight. We unpack all ten, with what each requires in practice, in the ten fair information principles, explained. The consent principle in particular has its own detailed OPC guidance and is worth reading on its own.
Breach reporting: the duty most organizations underestimate
Since November 2018, PIPEDA has required mandatory breach reporting. Where a breach of security safeguards creates a real risk of significant harm to an individual, you must report it to the OPC and notify the affected individuals as soon as feasible, and notify any other organization or government institution that may be able to reduce or mitigate the harm. You must also keep a record of every breach, including those that did not meet the harm threshold, for 24 months counted from the day your organization determines that the breach occurred, not from the day of the incident or its discovery. The mechanics are set out in the Breach of Security Safeguards Regulations (SOR/2018-64), and we walk through them in PIPEDA breach reporting and the breach register.
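The record-keeping duty is easier to get wrong than the reporting duty, because every breach goes in the register whether or not it is reportable, and the retention clock starts on the determination date. The following is an added illustration written for this page, not code from the OPC or any product; the record fields, class names and sample incidents are this example's own assumptions, and the sample data is constructed. The 24-month period and the determination-date trigger come from the Regulations; the 24 months are applied as calendar months, which the Regulations do not spell out.

```python
"""Minimal PIPEDA breach register (illustrative; names and fields are assumptions).

Two rules it encodes:
  * every breach is recorded, but reporting/notification duties only arise when
    the organization has assessed a real risk of significant harm (s. 10.1);
  * records are kept for 24 months from the day the organization DETERMINED
    the breach occurred (SOR/2018-64 s. 6), so that date is stored explicitly.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_MONTHS = 24


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (31 Jan + 1 month -> 28 or 29 Feb)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class BreachRecord:
    ref: str
    determined_on: date                   # day the organization determined a breach occurred
    description: str
    data_elements: tuple[str, ...]        # which personal information was involved
    individuals_affected: int
    real_risk_of_significant_harm: bool   # the s. 10.1 reporting threshold, as assessed
    harm_assessment: str                  # rationale for that assessment, kept with the record
    reported_to_opc_on: Optional[date] = None
    individuals_notified_on: Optional[date] = None

    @property
    def retain_until(self) -> date:
        """Last day the record must be retained; the clock starts at determination."""
        return add_months(self.determined_on, RETENTION_MONTHS)

    def outstanding_duties(self) -> list[str]:
        """Reporting and notification are only triggered above the harm threshold;
        the record itself is required either way, so this never returns 'record'."""
        duties: list[str] = []
        if self.real_risk_of_significant_harm:
            if self.reported_to_opc_on is None:
                duties.append("report to OPC")
            if self.individuals_notified_on is None:
                duties.append("notify affected individuals")
        return duties


class BreachRegister:
    def __init__(self) -> None:
        self._records: dict[str, BreachRecord] = {}

    def record(self, rec: BreachRecord) -> None:
        # Refuse entries with no documented harm assessment: the assessment is what
        # justifies a decision not to report, so it must be on file.
        if not rec.harm_assessment.strip():
            raise ValueError(f"{rec.ref}: harm assessment must be documented")
        if rec.ref in self._records:
            raise ValueError(f"{rec.ref}: duplicate reference")
        self._records[rec.ref] = rec

    def open_duties(self) -> dict[str, list[str]]:
        """Breaches that still owe a report or a notification."""
        result: dict[str, list[str]] = {}
        for rec in self._records.values():
            duties = rec.outstanding_duties()
            if duties:
                result[rec.ref] = duties
        return result

    def purgeable(self, today: date) -> list[str]:
        """Records whose 24-month retention period has fully elapsed as of `today`."""
        return sorted(r.ref for r in self._records.values() if today > r.retain_until)

    def __len__(self) -> int:
        return len(self._records)


def build_sample_register() -> BreachRegister:
    """Constructed sample incidents, not real events."""
    reg = BreachRegister()
    reg.record(BreachRecord(
        ref="BR-0001", determined_on=date(2024, 3, 15),
        description="Laptop holding an unencrypted customer export lost in transit",
        data_elements=("name", "email", "date of birth", "SIN"),
        individuals_affected=1200, real_risk_of_significant_harm=True,
        harm_assessment="SIN plus date of birth enable identity theft; disk not encrypted",
        reported_to_opc_on=date(2024, 3, 18),   # individuals not yet notified
    ))
    reg.record(BreachRecord(
        ref="BR-0002", determined_on=date(2024, 1, 31),
        description="Prospect list emailed to the wrong internal employee, recalled same day",
        data_elements=("name", "work email"),
        individuals_affected=40, real_risk_of_significant_harm=False,
        harm_assessment="Low sensitivity; recipient bound by confidentiality; deleted same day",
    ))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("open duties:", reg.open_duties())
    print("purgeable on 2026-02-01:", reg.purgeable(date(2026, 2, 1)))
```

Two design points are worth noting. The harm assessment is a mandatory field even when the answer is "no real risk", because the register is the evidence the OPC will ask for when it reviews a decision not to report. And `purgeable` is deliberately a query rather than a deletion: purging the register is a retention decision, and many organizations keep breach records longer than the statutory minimum for their own incident-response history.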
Individual access and cross-border data
PIPEDA gives individuals the right to ask what personal information you hold about them and to have it corrected. You must respond within 30 days; the Act allows a single extension of up to 30 more days in limited circumstances, provided you tell the individual before the first period expires. See access to personal information under PIPEDA. The Act also permits sending personal information across borders to processors, subject to accountability and transparency, which is a frequent question for anyone on US cloud infrastructure and is covered in cross-border data transfers under PIPEDA.
Who enforces PIPEDA, and what the penalties are
The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA. Its model is investigative: individuals complain, the OPC investigates and issues findings and recommendations, and unresolved matters can go to the Federal Court, which can order remedies and award damages. Knowingly breaking the breach-reporting and record-keeping rules, or obstructing an OPC investigation, is an offence with fines of up to $10,000 on summary conviction or $100,000 on indictment (CAD). Notably, the OPC currently cannot impose administrative monetary penalties itself; stronger enforcement powers were part of Bill C-27, the reform that died on the Order Paper when Parliament was prorogued in January 2025.
PIPEDA and the provinces
PIPEDA is the federal baseline, but it is not the only privacy law in Canada. Quebec, British Columbia, and Alberta have their own private-sector laws that have been declared substantially similar and govern activity within those provinces, although PIPEDA still applies there to federally regulated businesses (such as banks, telecoms, and airlines) and to personal information that crosses provincial or national borders. Most provinces also have separate health-information statutes. Working out which law governs you is the essential first step; start with federal vs provincial: which privacy law applies? and the privacy-law hub for the full map. When a buyer tests your PIPEDA posture with a questionnaire, our PIPEDA questionnaire guide shows how to answer it.
Common questions
What does PIPEDA stand for?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It is Canada's federal private-sector privacy law, enacted in 2000 (S.C. 2000, c. 5) and fully in force since 2004. The name reflects its two original parts: rules for protecting personal information, and provisions giving electronic documents and signatures legal status.
What does PIPEDA actually require organizations to do?
PIPEDA requires organizations to obtain meaningful consent for the collection, use, and disclosure of personal information; to collect only what they need for clearly identified purposes; to safeguard it with security appropriate to its sensitivity; to keep it accurate; to let individuals access and correct their own information; to be open about their practices; and to be accountable through a designated individual (the Act does not use a title, but that person is commonly called the Privacy Officer). These obligations are set out as ten fair information principles in Schedule 1 of the Act.
What are the penalties for breaking PIPEDA?
PIPEDA's enforcement is complaint-and-investigation based: the Office of the Privacy Commissioner of Canada (OPC) investigates and issues findings and recommendations, and matters can proceed to the Federal Court, which can order remedies and award damages. Separately, knowingly contravening the breach-reporting and record-keeping rules, or obstructing an investigation, is an offence carrying fines of up to $10,000 on summary conviction or $100,000 on indictment (CAD). The OPC cannot itself levy administrative monetary penalties under the current law; that was one of the changes proposed in Bill C-27, which died on the Order Paper in January 2025.
Does PIPEDA apply if my data is stored in the United States?
Yes. PIPEDA does not prohibit storing or processing personal information outside Canada. It makes you accountable for that information wherever it goes, typically through contractual and other safeguards with the processor, and the OPC expects you to be transparent that data may be processed in a foreign jurisdiction and could be accessible to that country's courts, law enforcement, and national security authorities. Data-residency requirements (keeping data in Canada) usually come from a contract, a public-sector statute, or a specific sectoral rule, not from PIPEDA itself.