Most website owners have heard of GDPR. Some have heard of CCPA. But PIPEDA — Canada's federal private-sector privacy law — quietly covers a huge portion of the web, and most non-Canadian site owners have no idea it applies to them.
PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal privacy law for commercial organizations. It applies to your website if you collect personal data from Canadian users in the course of commercial activity — regardless of where your business is located. It requires a publicly accessible privacy policy, meaningful consent, and data access rights. Quebec's Law 25 adds stricter requirements including breach notification within 72 hours and privacy impact assessments.
The rule of thumb is simple: if you collect personal information from Canadian visitors and you're doing it in the course of commercial activity, PIPEDA applies. That means analytics tracking, contact forms, email newsletter signups, and cookie-based advertising all potentially bring you under its scope. The law has been in force since 2000 and, unlike GDPR, hasn't received as much mainstream coverage — which is exactly why so many website owners are caught off guard by it.
This guide covers what PIPEDA actually is, exactly who it applies to, the 10 fair information principles it's built on, how it compares to GDPR, what Quebec's stricter provincial law requires, and what your privacy policy needs to include to be compliant. Plus where to generate one for free at the end.
What Is PIPEDA?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It is Canada's federal private-sector privacy law, enacted in 2000 and administered by the Office of the Privacy Commissioner of Canada (OPC). It governs how businesses collect, use, and disclose personal information in the course of commercial activities.
Think of PIPEDA as the Canadian equivalent of GDPR — but with some important differences in scope, consent requirements, and penalties. Where GDPR came out of the EU and has a strict opt-in model, PIPEDA was designed with a more flexible consent framework that allows implied consent in many everyday data-collection scenarios.
Personal information under PIPEDA is broadly defined as "any information about an identifiable individual." That includes names, email addresses, IP addresses, location data, purchase history, browsing behavior, and any data that could be used to identify a person. The definition is intentionally wide, which means it covers most data that websites routinely collect.
Every website that collects information from Canadian visitors — through analytics, contact forms, email signups, or cookies — is technically subject to PIPEDA if engaged in commercial activity. The threshold is lower than most people expect.
PIPEDA = Canada's federal private-sector privacy law. In force since 2000. Applies to any commercial organization collecting personal information from Canadians. The proposed replacement (Bill C-27) has not yet passed Parliament as of May 2026.
Who Does PIPEDA Apply To?
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. The law specifically covers federally regulated industries — banks, airlines, telecoms, and interprovincial businesses — but its commercial activity clause extends far beyond those categories in practice.
"Commercial activity" is interpreted broadly by the Privacy Commissioner. Any exchange of money qualifies: selling products, running ads, using affiliate links, charging subscription fees. Even a blog that runs Google AdSense is engaging in commercial activity for PIPEDA purposes. Non-profits that engage in some commercial activity alongside their charitable work can also fall under PIPEDA for those commercial portions of their operations.
PIPEDA also covers the handling of employee personal information in interprovincial contexts, which matters for remote-first companies with employees across provincial borders.
Provincial exceptions matter. Alberta, British Columbia, and Quebec have enacted their own substantially similar privacy laws, which take precedence over PIPEDA within their respective provinces for provincially regulated organizations:
- Alberta: PIPA (Personal Information Protection Act) — applies to private-sector organizations in Alberta
- British Columbia: PIPA — BC's version, similarly structured to Alberta's
- Quebec: Law 25 (Act respecting the protection of personal information in the private sector) — the strictest of the three, with GDPR-like requirements phased in between 2022 and 2023
For federally regulated organizations, PIPEDA applies even in these provinces. For everyone else, being subject to a provincial PIPA doesn't mean PIPEDA disappears entirely — federal PIPEDA still governs interprovincial and international transfers of personal information.
Does PIPEDA apply to US or international websites with Canadian users? Technically, the answer is complicated. But the Office of the Privacy Commissioner has taken the clear position that organizations handling personal information about Canadians should comply with PIPEDA principles regardless of where they are based. In practice, the safest approach is to treat Canadian user data as PIPEDA-covered no matter where your servers or company are located.
The 10 Fair Information Principles Under PIPEDA
PIPEDA is built on 10 fair information principles drawn from the Canadian Standards Association's Model Code for the Protection of Personal Information. These principles are the operational core of the law — the specific obligations every covered organization must meet.
1. Accountability. Organizations must designate an individual or team responsible for PIPEDA compliance. This is effectively a privacy officer requirement, though PIPEDA doesn't use that exact term. The designated person is responsible for ensuring the organization follows all 10 principles and for handling complaints and access requests. Their contact information should be published in your privacy policy.
2. Identifying Purposes. The purposes for which personal information is collected must be identified and documented before or at the time of collection. You can't collect data first and figure out what to do with it later. If you later want to use that data for a new purpose, you need fresh consent. Vague statements like "to improve your experience" are not sufficient — purposes need to be specific enough to be meaningful.
3. Consent. Meaningful consent must be obtained for the collection, use, or disclosure of personal information. PIPEDA allows both express consent (explicit opt-in) and implied consent depending on the sensitivity of the information and the context. Sensitive information — health data, financial records, religious beliefs — requires express consent. Less sensitive data collection, like recording a name and email for a newsletter, can rely on implied consent where the purpose is obvious. Consent must be informed; collecting data without the person understanding what they're agreeing to is not valid consent.
4. Limiting Collection. Organizations should collect only the personal information that is necessary for the stated purposes. You cannot collect "just in case" data. If you only need an email address to send a newsletter, you cannot require a phone number and birthdate as mandatory fields. Data minimization is not a GDPR-only concept — PIPEDA requires it too.
5. Limiting Use, Disclosure, and Retention. Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. It must not be retained longer than necessary to fulfill those purposes. This means you need a retention schedule — not just a vague "we keep data as long as needed" statement, but actual timelines tied to specific data categories.
6. Accuracy. Personal information must be accurate, complete, and up to date. This is relevant whenever you are making decisions about individuals based on their data. If you are using customer data to make product recommendations, credit decisions, or marketing targeting, keeping that data current is a legal obligation, not just good practice.
7. Safeguards. Personal information must be protected by security safeguards appropriate to the sensitivity of the information. This covers physical, organizational, and technical measures — encryption, access controls, secure deletion procedures, and staff training. There is no prescriptive list of required security measures under PIPEDA; the standard is proportionality to risk.
8. Openness. Organizations must be transparent about their policies and practices regarding personal information. This principle is what mandates a publicly available privacy policy. Your policy needs to be easy to find, written in plain language, and genuinely informative — not buried in legalese that nobody can parse. A link in your site footer to a clear privacy page is the standard implementation.
9. Individual Access. Upon request, individuals must be informed of the existence, use, and disclosure of their personal information, and must be given access to that information within 30 days. They also have the right to challenge the accuracy of their information and request corrections. This is PIPEDA's version of a subject access right — narrower than GDPR's but real and enforceable.
10. Challenging Compliance. Individuals must be able to address a challenge concerning compliance with the above principles to the designated individual accountable for the organization's compliance. In practice, this means having a clear complaints process and a mechanism for individuals to escalate unresolved complaints to the Office of the Privacy Commissioner of Canada.
PIPEDA vs GDPR: Key Differences
PIPEDA and GDPR are often compared because they cover similar ground, but the differences matter — especially for organizations that need to decide which compliance framework to prioritize or how to handle both simultaneously.
| Aspect | PIPEDA | GDPR |
|---|---|---|
| Consent model | Opt-in or opt-out depending on data sensitivity | Explicit opt-in for most processing |
| Fines | Up to CAD $100,000 | Up to €20M or 4% of global annual turnover |
| Data breach notification | Mandatory for breaches posing significant risk | Within 72 hours to supervisory authority |
| Right to erasure | Limited; not a standalone right | Yes (right to be forgotten) |
| DPO required | No formal DPO requirement | Yes for certain controllers and processors |
| Coverage | Commercial organizations handling Canadian data | All organizations processing EU residents' data |
The practical takeaway: GDPR-compliant organizations are generally well-positioned for PIPEDA compliance, because GDPR's consent and disclosure requirements exceed PIPEDA's minimums in most respects. If you are already GDPR-compliant, you need relatively few additions to also satisfy PIPEDA — primarily the 10 fair information principles framing and the individual access mechanism. See our guide on what GDPR requires for a full breakdown of those obligations.
Quebec's Law 25: Canada's Strictest Privacy Law
Quebec's Law 25 — officially the Act respecting the protection of personal information in the private sector, previously known as Bill 64, and sometimes referred to as Act 25 — is the most GDPR-like privacy law in Canada. It applies to any organization that collects, holds, uses, or communicates personal information about Quebec residents, regardless of where the organization is based.
The key requirements that set Law 25 apart from PIPEDA include:
- Mandatory privacy officer: Organizations must designate a person in charge of the protection of personal information. For legal persons (corporations), this defaults to the CEO unless another person is formally designated.
- Privacy impact assessments (PIAs): Required for any project involving the collection of personal information, and mandatory for cross-border transfers of personal information outside Quebec.
- Privacy by default: Technology products and services must be configured with the highest level of privacy protection by default — users should not have to opt out of data collection; protection should be the starting state.
- Explicit consent for sensitive information: Quebec's definition of sensitive information is broader than PIPEDA's, and the consent threshold is higher.
- 72-hour breach notification: Serious privacy incidents must be reported to the Commission d'accès à l'information (CAI) within 72 hours — matching GDPR's timeline and stricter than PIPEDA's "as soon as feasible" standard.
- Right to erasure and data portability: Individuals have the right to request deletion of personal information and to receive their data in a structured, commonly used format — rights that do not exist in PIPEDA.
- AI and automated decision-making disclosure: Organizations using personal information to render automated decisions must inform individuals that the decision was automated and, on request, tell them what personal information was used to reach it.
Law 25 was phased in over 2022 and 2023 and is now fully in force. If you have any meaningful volume of Quebec-based users, compliance is not optional. The CAI has enforcement powers and can impose significant administrative monetary penalties.
Law 25 applies to you regardless of where you're incorporated. The threshold for "handling Quebec residents' data" is low: basic analytics that identify Quebec-based sessions count. If you run any commercial website with Canadian traffic, assume Law 25 applies to Quebec users and plan accordingly.
Bill C-27: The Future of Canadian Privacy Law
Bill C-27, formally the Consumer Privacy Protection Act (CPPA), is the proposed federal legislation that would modernize and replace PIPEDA. It was introduced in June 2022 and has been working its way through Parliament since then.
If passed, Bill C-27 would bring Canadian federal privacy law significantly closer to GDPR in both scope and teeth. Key changes include GDPR-style fines of up to 5% of global annual revenue (a dramatic increase from PIPEDA's CAD $100,000 cap), significantly strengthened consent requirements, enhanced individual rights including data portability and deletion rights, a new Artificial Intelligence and Data Act (AIDA) governing AI systems, and mandatory privacy management programs for organizations.
As of May 2026, Bill C-27 is still working through Parliament and has not yet passed or taken effect. PIPEDA remains the operative federal private-sector privacy law. Organizations should continue to build PIPEDA compliance programs now, while also monitoring C-27's progress — its final form and timeline will determine how much additional work will be required when it does pass.
The current privacy landscape for websites with Canadian traffic is covered more broadly in our 2026 privacy law updates guide.
What Your Privacy Policy Needs for Canadian Compliance
A PIPEDA-compliant privacy policy is not the same as a generic privacy policy template. It needs to address the 10 fair information principles in a way that is clear, specific, and actionable. Here is a practical checklist of what it must include:
- ☐ Organization name and privacy contact: Identify who is responsible for PIPEDA compliance and provide contact information for privacy inquiries and complaints
- ☐ Categories of personal information collected: Be specific — email addresses, IP addresses, payment information, browsing behavior, location data, etc.
- ☐ Purposes for collection: State the specific reason for each type of data collected, before or at the time of collection
- ☐ Third-party sharing: Disclose whether personal information is shared with third parties, who those parties are (or their categories), and why
- ☐ Retention periods: State how long each category of personal information is kept and the criteria used to determine retention periods
- ☐ Individual access rights: Explain how individuals can request access to their personal information and the 30-day response timeline
- ☐ Consent withdrawal and deletion: Describe how individuals can withdraw consent and request deletion or correction of their information
- ☐ Security safeguards: Describe the technical and organizational measures used to protect personal information
- ☐ Cross-border data transfers: If personal information is transferred outside Canada (e.g., US-based cloud services), disclose this and explain what protections apply
- ☐ For Quebec sites — additional disclosures: AI or automated decision-making disclosure, privacy impact assessment notice for high-risk data uses, and data portability and erasure rights
The GDPR privacy policy generator on FreeTOS covers a large portion of PIPEDA's requirements, since GDPR's consent and disclosure standards exceed PIPEDA's in most respects. You can use the GDPR generator as a strong base and supplement it with PIPEDA-specific language, or use the standard privacy policy generator which includes Canadian compliance clauses.
Generate a PIPEDA-Compliant Privacy Policy Free
Get a complete privacy policy covering PIPEDA's 10 fair information principles, consent requirements, individual access rights, and third-party disclosure requirements. No signup. No paywall. Done in two minutes.
Frequently Asked Questions
The Privacy Commissioner of Canada has indicated that PIPEDA principles should apply to organizations handling Canadian personal information, regardless of where they're based. Best practice is to include PIPEDA disclosures in your privacy policy if you have Canadian traffic, even if your business is incorporated in the US or elsewhere.
GDPR is stricter: it requires explicit opt-in consent for most data processing, imposes fines up to 4% of global annual turnover or €20 million, and grants broader individual rights including the right to erasure. PIPEDA uses a more flexible consent model that allows implied consent in some cases, and its maximum penalties are CAD $100,000 — significantly lower than GDPR's potential fines.
Yes. Bill C-27 (the Consumer Privacy Protection Act, which would replace PIPEDA) has not yet passed Parliament as of May 2026. PIPEDA remains Canada's operative federal private-sector privacy law for commercial activities.
Quebec's Law 25 (officially the Act respecting the protection of personal information in the private sector, formerly Bill 64) is a provincial privacy law much closer to GDPR in its requirements. It applies to all organizations handling Quebec residents' data and includes mandatory breach notification within 72 hours, a privacy officer requirement, privacy by default, enhanced consent rules, and rights to erasure and data portability. It was phased in between 2022 and 2023 and is now fully in force.
Your PIPEDA-compliant privacy policy must state what personal information you collect, the purposes for which it is collected, whether it is shared with third parties and why, how long you retain it, and how individuals can access, correct, or request deletion of their information. You must also identify a privacy officer or contact point for complaints and describe the security safeguards you use to protect personal data.
Written by
Abd Shanti. Building FreeTOS.org. Writing about website compliance, legal documents, and making legal tools accessible to everyone.