PIPEDA Privacy Policy Requirements for Canadian Businesses (2024 Guide)
If your Canadian business collects personal information from customers, employees, or website visitors, you are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) — or its provincial equivalents in Quebec, Alberta, and BC. This guide explains exactly what your privacy policy must include, what consent obligations apply, how to handle data breaches, and where the law is heading in 2024 and beyond.
Last Updated: April 14, 2026
Not legal advice. ZeroLawyer.ca provides legal document templates for informational purposes. Templates are not a substitute for professional legal counsel. Consult a licensed lawyer for advice specific to your situation.
In this guide
- 1. Does PIPEDA apply to your business?
- 2. The 10 fair information principles your policy must address
- 3. What your privacy policy must include (mandatory elements)
- 4. Consent: what it means and when you need it
- 5. Data breach notification obligations
- 6. Provincial privacy laws: Quebec Law 25, Alberta PIPA, BC PIPA
- 7. CASL: the email marketing layer on top of PIPEDA
- 8. Frequently asked questions
1. Does PIPEDA apply to your business?
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. There is no revenue threshold, no employee count threshold, and no small-business exemption. A sole proprietor running an e-commerce store that collects customer email addresses is subject to PIPEDA in the same way a national retailer is.
Three provinces have enacted substantially similar legislation that replaces PIPEDA for provincially regulated activities: Quebec (Law 25, the most stringent), Alberta (Personal Information Protection Act, PIPA), and British Columbia (PIPA BC). If you operate exclusively within one of these provinces and collect information only from residents of that province, the provincial law governs. If you collect information across provincial lines — including from customers in other provinces, or through a website accessible nationally — PIPEDA applies to those cross-border collections.
PIPEDA does not apply to: federal government institutions (covered by the Privacy Act), non-commercial activities of non-profit organizations, and personal information collected, used, or disclosed for personal or journalistic purposes. Employee information in federally regulated industries (banking, telecommunications, airlines) is covered by PIPEDA. Employee information in provincially regulated industries is covered by provincial privacy legislation where it exists, or by PIPEDA where it does not.
2. The 10 fair information principles your policy must address
PIPEDA is built around 10 fair information principles drawn from the Canadian Standards Association Model Code for the Protection of Personal Information. Your privacy policy must address all 10. The following table summarizes each principle and its practical implication for a typical small business.
| Principle | What it requires |
|---|---|
| 1. Accountability | Designate a Privacy Officer responsible for PIPEDA compliance. For small businesses, this is typically the owner. |
| 2. Identifying purposes | State the purposes for which personal information is collected before or at the time of collection. |
| 3. Consent | Obtain meaningful consent for the collection, use, or disclosure of personal information. |
| 4. Limiting collection | Collect only the information necessary for the identified purposes. No over-collection. |
| 5. Limiting use, disclosure, and retention | Use and disclose information only for the purposes it was collected. Retain only as long as necessary. |
| 6. Accuracy | Keep personal information as accurate, complete, and up-to-date as necessary for the purposes. |
| 7. Safeguards | Protect personal information with security safeguards appropriate to the sensitivity of the information. |
| 8. Openness | Make your privacy policies and practices readily available to individuals. |
| 9. Individual access | Inform individuals about the existence, use, and disclosure of their personal information upon request. Allow correction. |
| 10. Challenging compliance | Provide a process for individuals to challenge your compliance with PIPEDA. |
3. What your privacy policy must include (mandatory elements)
A PIPEDA-compliant privacy policy is not a generic template downloaded from a US legal website. It must be specific to your business, accurate about your actual data practices, and written in plain language that an ordinary person can understand. The Office of the Privacy Commissioner of Canada (OPC) has published guidance that a compliant policy should address the following elements.
What personal information you collect. List the categories of information you collect — name, email, phone, address, payment information, IP address, cookies and tracking data, and any other identifiable information. Be specific. "We collect information you provide" is not sufficient.
Why you collect it. State the purpose for each category of information. "We collect your email address to send you order confirmations and, with your consent, marketing communications" is the correct level of specificity.
How you use and share it. Identify any third parties that receive personal information — payment processors, email marketing platforms, analytics providers, cloud storage providers, and any others. Name them where possible. State whether any information is transferred outside Canada, and if so, to which countries.
How long you retain it. State your retention periods for each category of information, or the criteria used to determine retention periods. "We retain your purchase history for 7 years for tax compliance purposes" is the correct approach.
How you protect it. Describe your security safeguards in general terms: encryption in transit and at rest, access controls, secure hosting, staff training, and any relevant certifications. You do not need to disclose your specific security architecture, and you should not, since a detailed public description of your controls helps an attacker more than it reassures a customer.
Individual rights. Explain how individuals can access their personal information, request corrections, withdraw consent, and file a complaint. Provide contact information for your Privacy Officer.
Cookies and tracking. If your website uses cookies, pixels, or other tracking technologies, your privacy policy must disclose this and explain what data is collected, why, and how users can opt out. This is required under PIPEDA and reinforced by CASL.
Need a PIPEDA-compliant privacy policy?
Our Canadian Privacy Policy template addresses all 10 PIPEDA principles, includes cookie disclosure language, and covers data breach notification obligations. $49, one-time payment.
4. Consent: what it means and when you need it
Consent under PIPEDA must be meaningful — the individual must understand what they are consenting to. The form of consent can be express (a checkbox, a signature, an explicit verbal agreement) or implied (providing an email address to receive a newsletter implies consent to use that address for the newsletter). However, implied consent is only appropriate for less sensitive information and less sensitive uses. For sensitive personal information — health data, financial data, government identifiers — express consent is required.
The OPC has identified several practices that do not constitute valid consent under PIPEDA. Pre-checked boxes that opt users into data collection or marketing are not valid consent. Consent buried in terms and conditions that are not brought to the user's attention is not valid. Consent obtained as a condition of receiving a product or service — where the collection is not necessary for that service — is not valid.
Individuals have the right to withdraw consent at any time, subject to legal or contractual restrictions. Your privacy policy must explain how to withdraw consent and what the consequences of withdrawal are (for example, that withdrawing consent to receive marketing emails will result in removal from your mailing list, but will not affect your ability to receive transactional emails related to your account).
There are limited exceptions where PIPEDA permits collection, use, or disclosure without consent — including for law enforcement purposes, in emergencies, for journalistic purposes, and in certain business transaction contexts. These exceptions are narrow and should not be relied upon as a substitute for a proper consent framework.
5. Data breach notification obligations
Since November 1, 2018, PIPEDA has included mandatory breach notification requirements. If your organization experiences a breach of security safeguards involving personal information, and the breach creates a real risk of significant harm to an individual, you must: (1) notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, (2) notify affected individuals directly as soon as feasible, and (3) notify any other organizations that may be able to reduce the risk of harm.
"Real risk of significant harm" is assessed based on the sensitivity of the information involved and the probability that the information will be misused. Significant harm includes bodily harm, humiliation, damage to reputation, loss of employment, financial loss, identity theft, and negative effects on a credit record. A breach involving data that was encrypted with a key the attacker did not also obtain, and with no evidence that the data was accessed, may not trigger notification; record the basis for that conclusion in your breach log. A breach involving unencrypted customer payment information almost certainly does.
You must also keep a record of every breach of security safeguards, not only those that trigger notification, for 24 months after the day you determine that the breach occurred. The OPC can request this record at any time. Knowingly failing to keep the record or to report a qualifying breach is an offence punishable by a fine of up to $100,000.
Practically, this means every business subject to PIPEDA should have a written incident response plan that identifies who is responsible for breach assessment, what the notification timeline is, and how records will be maintained. This does not need to be a lengthy document — a one-page checklist is sufficient for most small businesses.
6. Provincial privacy laws: Quebec Law 25, Alberta PIPA, BC PIPA
Three provinces have enacted substantially similar legislation that replaces PIPEDA for provincially regulated activities. If you operate in these provinces, you need to understand how the provincial law differs from PIPEDA — particularly for Quebec, where Law 25 is significantly more stringent.
Quebec — Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information). Law 25 amended Quebec's Act respecting the protection of personal information in the private sector and was phased in between September 2022 and September 2024; it is now fully in force and is the most demanding privacy law in Canada. Key requirements beyond PIPEDA include: a privacy impact assessment (PIA) before any project to acquire, develop or redesign an information system or electronic service that involves personal information, and before communicating personal information outside Quebec; a designated person in charge of the protection of personal information (Privacy Officer) whose title and contact details must be published on your website; explicit consent for sensitive personal information; the right to data portability (individuals can request computerized personal information in a structured, commonly used technological format); a right to have dissemination of their personal information cease or have it de-indexed (commonly called the right to be forgotten); and prompt notification of the Commission d'accès à l'information (CAI) and of affected individuals for any confidentiality incident that presents a risk of serious injury. Law 25 does not set a fixed 72-hour deadline; that figure comes from the EU GDPR, not Quebec law.
Alberta — Personal Information Protection Act (PIPA). Alberta's PIPA is similar to PIPEDA but applies to all provincially regulated organizations in Alberta, including their handling of personal employee information. Key differences from PIPEDA: an organization must notify the Office of the Information and Privacy Commissioner of Alberta, without unreasonable delay, of any loss of or unauthorized access to or disclosure of personal information that creates a real risk of significant harm, and the Commissioner may then require it to notify affected individuals; consent may be express, deemed (where the purpose is obvious and the individual volunteers the information) or opt-out in limited circumstances; and personal employee information may be collected, used and disclosed without consent where reasonably required to establish, manage or terminate an employment relationship, provided the employee is given advance notice.
British Columbia — Personal Information Protection Act (PIPA BC). BC's PIPA is substantially similar to Alberta's and applies to provincially regulated organizations in BC, with comparable rules for employee personal information and for deemed and opt-out consent. One notable difference is that BC's PIPA has not historically contained a mandatory breach notification duty comparable to PIPEDA's or Alberta's; the Office of the Information and Privacy Commissioner for BC encourages voluntary reporting, and amendments adding a mandatory duty have been recommended. Confirm the current status with the OIPC BC before relying on this.
7. CASL: the email marketing layer on top of PIPEDA
Canada's Anti-Spam Legislation (CASL) operates alongside PIPEDA and imposes additional requirements for commercial electronic messages (CEMs) — any electronic message that encourages participation in a commercial activity, including promotional emails, newsletters, and marketing SMS messages. CASL applies to any CEM sent to or from a Canadian electronic address.
Under CASL, you must obtain express or implied consent before sending a CEM. Express consent requires an affirmative opt-in — a pre-checked box does not qualify. Implied consent exists in limited circumstances: if you have an existing business relationship with the recipient (they purchased from you in the last 2 years, or made an inquiry in the last 6 months), or if the recipient has conspicuously published their electronic address without indicating they do not wish to receive CEMs.
Every CEM must include: the sender's name and contact information, a physical mailing address (a PO box is acceptable), and a functional unsubscribe mechanism that processes the request within 10 business days. Unsubscribed recipients must not receive further CEMs.
CASL penalties are severe: up to $1 million per violation for individuals and up to $10 million per violation for organizations. The CRTC has issued fines in the millions of dollars against Canadian businesses for CASL violations. Your privacy policy should reference your CASL compliance and explain how individuals can unsubscribe from marketing communications.
Get a CASL-compliant Privacy Policy
Our Canadian Privacy Policy template includes CASL-compliant unsubscribe language, cookie disclosure, and breach notification procedures. $49, one-time payment.
8. Frequently asked questions
Does PIPEDA apply to my small business?
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity — regardless of size. There is no small-business exemption. However, PIPEDA does not apply to organizations in provinces that have substantially similar provincial legislation: Quebec (Law 25), Alberta (PIPA), and British Columbia (PIPA BC). If you operate exclusively in one of those provinces and collect personal information only from residents of that province, the provincial law applies instead. If you operate across provinces or collect information from residents of other provinces, PIPEDA applies.
What personal information does PIPEDA cover?
PIPEDA defines personal information broadly as any information about an identifiable individual. This includes name, address, email, phone number, IP address, purchase history, browsing behaviour on your website, employee records, and any other data that could identify a specific person. It does not include business contact information used solely for business-to-business communications (name, title, business address, business email, business phone number).
Do I need a privacy policy if I only collect email addresses?
Yes. Collecting email addresses for a newsletter or marketing list is a commercial activity that triggers PIPEDA obligations. You must have a privacy policy that explains what you collect, why you collect it, how long you retain it, and how individuals can access or correct their information. You must also obtain meaningful consent before adding someone to a marketing list — pre-checked boxes and implied consent are not sufficient for marketing communications under CASL.
What happens if I have a data breach?
Under PIPEDA's mandatory breach notification rules (in force since November 2018), you must notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals if a breach creates a real risk of significant harm. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, financial loss, identity theft, and negative effects on a credit record. You must also maintain a record of all breaches for 24 months, even those that do not trigger notification. Failure to report a qualifying breach or maintain records can result in fines up to $100,000.
What is the difference between PIPEDA and Quebec's Law 25?
Quebec's Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) is substantially similar to PIPEDA but more stringent in several areas. Law 25 requires a Privacy Impact Assessment (PIA) before launching any new technology that processes personal information. It mandates a designated Privacy Officer. It requires explicit consent for sensitive personal information (health, financial, biometric data). It gives Quebec residents the right to data portability and the right to be forgotten. If you collect personal information from Quebec residents, Law 25 applies to that collection — even if you are based in another province.
Ready to generate your Privacy Policy?
Our Canadian Privacy Policy template addresses all 10 PIPEDA principles, CASL compliance, cookie disclosure, and breach notification. Province-specific language for BC, Ontario, Alberta, and Quebec. $49, one-time payment.
This article was last updated April 14, 2026 and reflects Canadian federal privacy law and provincial legislation as of that date. Privacy law is evolving rapidly; verify current requirements at priv.gc.ca.