Does PIPEDA apply to your organization?

Last reviewed 2026-06-29 · Plain-language summary, not legal advice.

Before you worry about how to comply with PIPEDA, settle whether it applies — the answer changes which obligations you carry and which regulator oversees you. The Personal Information Protection and Electronic Documents Act is the federal private-sector baseline, and you can read it in full at laws-lois.justice.gc.ca/eng/acts/P-8.6. Here is how to tell if it reaches you.

The commercial-activity test

PIPEDA applies to organizations that collect, use, or disclose personal information in the course of commercial activity — any transaction, act, or conduct of a commercial character, including selling, leasing, or bartering. This is the central test. If your handling of personal data is tied to a commercial transaction, you are presumptively in scope. There is no small-business exemption: the law looks at the activity, not your headcount or revenue.

The inter-provincial and international flow rule

Even in provinces with their own private-sector law, PIPEDA always governs personal information that crosses a provincial or national border in the course of commercial activity. So if you are based in a province with its own statute but sell to customers in other provinces or countries — or send data to a processor abroad — PIPEDA applies to those flows regardless. In practice this is why most Canadian vendors receive questionnaires that test them against PIPEDA even when a provincial law also applies: their data crosses borders.

Federal works, undertakings, and employee data

PIPEDA also covers federal works, undertakings, and businesses — banks, telecommunications and broadcasting, airlines, railways, interprovincial transport, and similar federally-regulated sectors. For these organizations, PIPEDA governs both customer and employee personal information across every province. For most other private-sector employers, PIPEDA does not reach employee data; provincial law does (or, outside the three private-sector provinces, often no statute does).

The provinces where a substantially-similar law displaces PIPEDA

Three provinces have enacted general private-sector privacy laws the federal government has declared substantially similar to PIPEDA. Within those provinces, the provincial law governs personal information handled in intra-provincial commercial activity, and PIPEDA steps back (except for the cross-border flows above):

  • Quebec — the Act respecting the protection of personal information in the private sector, heavily amended by Law 25.
  • British Columbia — the Personal Information Protection Act (PIPA).
  • Alberta — the Personal Information Protection Act (PIPA).

Everywhere else — including Ontario — there is no general provincial private-sector law, so PIPEDA applies directly. (Health information is a separate question, governed by dedicated statutes like Ontario's PHIPA — see provincial health privacy laws.) The full decision path is in "federal vs provincial: which privacy law applies?"

A quick "does it apply" checklist

  • Do you handle information about identifiable individuals? If no, PIPEDA is not engaged.
  • Is that handling tied to commercial activity? If yes, you are likely in scope.
  • Does any of that data cross a provincial or national border in commerce? If yes, PIPEDA applies to those flows even in a substantially-similar province.
  • Are you a bank, telecom, airline, or other federal undertaking? If yes, PIPEDA covers your customer and employee data nationwide.
  • Do you operate only intra-provincially in Quebec, BC, or Alberta? The provincial law likely governs instead — read that statute.

Once you know PIPEDA applies, start with what PIPEDA requires. When a buyer tests it, our PIPEDA questionnaire guide shows how to answer.

Common questions.

Does PIPEDA apply to small businesses?

Yes — there is no small-business exemption in PIPEDA. The law applies based on the activity (handling personal information in the course of commercial activity), not the size or revenue of the organization. A sole proprietor selling to customers in another province is within scope. Obligations scale with the sensitivity and volume of the data you handle, but the Act does not carve out small organizations.

Does PIPEDA cover employee information?

Only for federally-regulated employers. PIPEDA applies to the personal information of employees of federal works, undertakings, and businesses — banks, telecommunications, airlines, interprovincial transport, and the like. For most other private-sector employers, employee information is governed (if at all) by provincial law, and in Alberta, British Columbia, and Quebec the provincial private-sector statutes cover employee data explicitly.

Does PIPEDA apply to non-profits and charities?

Usually not. PIPEDA hinges on commercial activity, and the core activities of most non-profits, charities, and political associations are not commercial. But a non-profit can still fall within scope for specific commercial activities — for example, selling a membership mailing list or running a paid commercial service. The test is the activity, not the organization's tax status.

Do federally-regulated businesses like banks follow PIPEDA?

Yes. Banks, telecommunications and broadcasting companies, airlines, railways, and other federal works and undertakings are covered by PIPEDA for both their customer and employee personal information, regardless of which province they operate in. Provincial private-sector privacy laws do not displace PIPEDA for these federally-regulated entities.
