PIPEDA is Canada's federal private-sector privacy law, in force since 2000, governing how organizations collect, use, and disclose personal information during commercial activity. It rests on 10 fair information principles and a consent requirement, and the Office of the Privacy Commissioner of Canada administers it.
This guide covers what PIPEDA requires, who must comply, and how consent, breach reporting, and enforcement work. It also explains how PIPEDA differs from the GDPR and whether reform has changed anything.
What Is PIPEDA?
PIPEDA is the Personal Information Protection and Electronic Documents Act, Canada's federal private-sector privacy law. It sets the ground rules for how organizations collect, use, and disclose personal information during commercial activity, and it has governed Canadian businesses since 2000.
The law took effect in phases. It applied first to federally regulated industries like airlines and banks in 2001, then expanded to the health sector in 2002. By 2004 it covered all organizations collecting personal information in commercial activity. The Digital Privacy Act amended PIPEDA in 2015, adding mandatory breach notification rules that came into force in 2018.
PIPEDA is principles based and technology neutral. It does not name cookies or trackers specifically, unlike the EU's ePrivacy Directive. Instead, it applies whenever a cookie or tracker collects personal information as part of a commercial activity.
See how PIPEDA fits into the broader landscape of data privacy laws that govern businesses handling personal information worldwide.
Who Has to Comply with PIPEDA?
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information anywhere in Canada in commercial activity. It also covers federally regulated businesses for their employees' data.
Commercial activity means any transaction, act, or regular course of conduct that is commercial in character. Selling or trading a membership or donor list counts, even for a non-profit or charity. Federally regulated businesses are always subject to PIPEDA, including for their own employees' personal information. That category includes airports and airlines, banks, inter-provincial or international transportation companies, telecommunications companies, offshore drilling operations, and radio and television broadcasters.
How PIPEDA Works with Provincial Privacy Laws (Quebec, BC, and Alberta)
Quebec, British Columbia, and Alberta each have their own private-sector privacy law that Ottawa has deemed substantially similar to PIPEDA. Organizations operating entirely within those provinces are generally exempt from PIPEDA for that in-province activity.
The exemption has limits. PIPEDA still applies to federally regulated businesses in those provinces, and it still applies whenever personal information crosses a provincial or national border. New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario each have their own substantially similar law for health information specifically. This narrows PIPEDA's reach in the health sector without replacing it elsewhere.
Of the three provincial regimes, Quebec's Law 25 goes furthest. It adds requirements PIPEDA does not, including privacy impact assessments for certain projects and a private right of action for residents.
Does PIPEDA Apply to US and Foreign Companies?
Yes. PIPEDA reaches US and other foreign organizations that collect or handle the personal information of people in Canada during commercial activity. The test is whether a real and substantial connection to Canada exists.
Server location does not matter. What matters is whether the business processes Canadians' personal information commercially. Displaying prices in Canadian currency, shipping products to Canadian addresses, or targeting Canadian consumers with marketing can all establish that connection. A US company with no physical presence in Canada can still fall under PIPEDA if it meets this test.
The 10 Fair Information Principles of PIPEDA
PIPEDA is built on 10 fair information principles that every covered organization must follow when handling personal information.
- Accountability: assign a person responsible for the organization's privacy compliance.
- Identifying Purposes: state why you are collecting personal information before or at the time you collect it.
- Consent: obtain meaningful consent before collecting, using, or disclosing personal information.
- Limiting Collection: collect only the information necessary for the purposes you identified.
- Limiting Use, Disclosure, and Retention: use or disclose data only for the purpose it was collected, and dispose of it once that purpose is fulfilled.
- Accuracy: keep personal information as accurate, complete, and current as the purpose requires.
- Safeguards: protect personal information with security measures matched to its sensitivity.
- Openness: make your privacy policies and practices clear, specific, and publicly available.
- Individual Access: let people ask whether you hold their information and give them access to it on request.
- Challenging Compliance: give people a way to challenge your organization's compliance with these principles.
These 10 principles are the compliance backbone of PIPEDA. A website's cookie consent banner, privacy policy, and consent records each map to one or more of them. The Openness principle drives the privacy notice, the Consent principle drives the banner, and the Individual Access principle drives data-request handling.
How Consent Works Under PIPEDA (Express vs Implied)
PIPEDA requires meaningful consent, meaning a person must understand what they are agreeing to before an organization collects, uses, or discloses their personal information. Whether that consent must be express or can be implied depends on the sensitivity of the information and what a reasonable person would expect.
Consent should generally be express for sensitive information, such as financial or health data. The same applies to any use that falls outside what the person would reasonably expect. Implied consent can be acceptable for clearly non-sensitive information collected for an obvious purpose, such as basic contact details given to complete an order. A person can withdraw consent at any time, subject to legal or contractual restrictions, and an organization must tell them how.
For cookies and trackers specifically, the safer default is express, opt-in consent before anything non-essential loads. Most tracking and advertising cookies process information in ways a visitor would not automatically expect.
What PIPEDA Means for Cookies and Your Website
PIPEDA has no cookie-specific rule, but any cookie or tracker that collects personal information during commercial activity falls under PIPEDA's consent, identifying-purposes, and openness principles.
For a website, that translates into four concrete actions.
- Disclose what you collect. Tell visitors what personal data your cookies and trackers gather and why, in a clear privacy or cookie notice. This satisfies the Openness and Identifying Purposes principles.
- Get meaningful consent first. Load non-essential tracking that processes personal information only after a visitor consents, and use express consent where the data is sensitive.
- Let visitors control their data. Give people a way to access, correct, or withdraw consent for the personal information you hold.
- Keep your practices current. Review and update your privacy notice as your cookies, vendors, or data practices change.
Many Canadian sites adopt a GDPR-style consent banner as a practical baseline. The GDPR's cookie consent rules already cover most of what PIPEDA's principles expect from a banner.
One misconception is worth correcting directly: PIPEDA does not require you to store data in Canada. The law governs how you handle and account for personal information, including when you transfer it to a third party for processing. It does not govern where your servers physically sit.
PIPEDA's Breach Reporting Rules
PIPEDA requires organizations to report data breaches that pose a real risk of significant harm to the individuals affected.
When that threshold is met, an organization has three obligations.
- Report to the OPC as soon as feasible after determining a breach occurred.
- Notify affected individuals directly, with enough detail for them to understand the risk and take steps to protect themselves.
- Keep a record of every breach, reportable or not, for two years.
"Real risk of significant harm" turns on two factors. The first is the sensitivity of the information involved, and the second is the probability it has been, is being, or will be misused. The statute defines significant harm to include:
- Bodily harm
- Humiliation or damage to reputation
- Loss of employment or business opportunities
- Financial loss and identity theft
- Negative effects on a person's credit record
- Damage to or loss of property
This mandatory breach-reporting regime has been in force since November 1, 2018. The 2015 Digital Privacy Act added it to PIPEDA.
Who Enforces PIPEDA? (The Privacy Commissioner and Its Limited Powers)
The Office of the Privacy Commissioner of Canada enforces PIPEDA, but it works on an ombudsman model, which means its powers are deliberately limited.
The Commissioner investigates complaints and issues a report with recommendations, but that report is not legally binding. The Commissioner cannot order an organization to comply, award damages to a complainant, or levy a fine for most violations of the 10 principles. A binding remedy or damages requires the complainant to take the matter to the Federal Court of Canada. That court can order the organization to correct its practices, publicize those corrections, and award damages.
PIPEDA does carry a narrow set of statutory offences with real penalties. Knowingly committing one of them is punishable by a fine. That fine reaches up to 10,000 dollars on summary conviction, or up to 100,000 dollars on indictment. The offences are:
- Failing to report a breach that poses a real risk of significant harm
- Failing to keep required breach records
- Retaliating against a whistleblowing employee
- Obstructing a Commissioner investigation or audit
These are narrow, prosecuted offences, not a GDPR-style administrative penalty applied to every violation.
This limited enforcement model is the reason critics describe PIPEDA as having "no teeth" compared with regimes that carry direct fining power. It was also a central reason lawmakers repeatedly tried to modernize the law.
Is PIPEDA Being Replaced? (Bill C-27 and the CPPA)
Nothing has replaced PIPEDA. It remains Canada's federal private-sector privacy law as of 2026.
Parliament has twice tried to modernize it and failed both times. Bill C-11, introduced in 2020, died when Parliament was prorogued in 2021. Its successor, Bill C-27, would have replaced PIPEDA with the Consumer Privacy Protection Act. It also would have added an enforcement tribunal with real fining power and introduced a separate artificial intelligence law. Bill C-27 died on the Order Paper when Parliament was prorogued on January 6, 2025, along with every other bill still before it. Until new legislation passes, PIPEDA and its current rules continue to apply in full.
How Is PIPEDA Different from the GDPR?
PIPEDA and the GDPR both protect personal data, but they diverge sharply on consent and enforcement.
| PIPEDA | GDPR | |
|---|---|---|
| Consent model | Meaningful consent, express or implied depending on sensitivity | Explicit, affirmative opt-in; implied consent is not accepted |
| Scope | Private-sector organizations handling personal data in commercial activity in Canada | Any organization worldwide that offers goods or services to, or monitors, EU residents |
| Enforcement | Ombudsman model; the OPC cannot order compliance or levy general fines; narrow statutory offences up to 100,000 dollars | Supervisory authorities can levy direct administrative fines up to 20 million euros or 4 percent of global annual turnover |
| Breach reporting | Mandatory when there is a real risk of significant harm; report to the OPC and notify individuals | Mandatory within 72 hours of becoming aware, to the relevant supervisory authority |
The GDPR is the stricter, opt-in-by-default standard, and its regulators can fine a company directly. PIPEDA leans on principles and an ombudsman rather than administrative penalties. That difference is the single biggest reason the two regimes feel so different in practice. A Canadian business serving EU visitors needs both: PIPEDA-style disclosure for its Canadian operations, and the GDPR compliance opt-in banner for its EU traffic.
How Consently Helps You Meet PIPEDA's Consent and Notice Requirements
Consently supports the consumer-facing side of PIPEDA compliance: the consent banner your visitors see and the notice that explains what you collect.
Consently shows Canadian visitors a branded cookie consent banner. Its region-based display presents the right consent experience by geography, so non-essential tracking that processes personal information loads only after a visitor consents. That directly supports PIPEDA's Consent principle.
Two more features back the Openness and Individual Access side of the law. The cookie, privacy, and terms and conditions policy generators produce the clear, public privacy notice that PIPEDA's Openness and Identifying Purposes principles call for. No lawyer is required to draft it from scratch. Consent logs with export give you a timestamped record of who consented and when. That record is useful evidence if the Privacy Commissioner investigates a complaint or an individual makes an access request.
Consently supports these specific consent and disclosure tasks. It does not make a site legally "PIPEDA compliant" on its own. The policy generators are assistance, not legal advice, so overall compliance remains the business's responsibility. Consently also does not require Canadian data storage: PIPEDA does not mandate it, and Consently hosts its infrastructure in the EU.
Consently's cookie-consent tools show your visitors a branded consent banner and generate the privacy notice PIPEDA expects. Try Consently free for 14 days, no credit card required.
FAQs
What is PIPEDA in simple terms?
PIPEDA is Canada's federal privacy law that makes private-sector businesses get consent and protect the personal information they collect during commercial activity.
Who does PIPEDA apply to?
PIPEDA applies to private-sector organizations across Canada that handle personal information in commercial activity, plus federally regulated businesses and foreign companies serving Canadians. Alberta, British Columbia, and Quebec carve out most in-province activity under their own substantially similar provincial laws.
Does PIPEDA require a cookie banner?
PIPEDA does not name cookies specifically, but cookies that collect personal information need meaningful consent and a clear notice under its Consent and Openness principles. A consent banner is the practical way most sites meet that requirement.
Does PIPEDA apply to US companies?
Yes, where a US business handles Canadians' personal information commercially and has a real and substantial connection to Canada. Targeting Canadian consumers or shipping to Canadian addresses can establish that connection. Server location does not change the answer.
What are the penalties for violating PIPEDA?
The Privacy Commissioner cannot fine an organization for most violations of the 10 principles. A complainant must go to the Federal Court of Canada for a binding remedy or damages. A narrow set of offences, such as failing to report a breach, carries fines up to 10,000 dollars on summary conviction. Prosecuted as an indictable offence, the fine can reach 100,000 dollars.
Who enforces PIPEDA?
The Office of the Privacy Commissioner of Canada enforces PIPEDA on an ombudsman model. The Federal Court of Canada is the body that can issue binding orders and award damages.
Is PIPEDA the same as GDPR?
No. PIPEDA uses sensitivity-driven express or implied consent, with an ombudsman regulator that carries no general administrative fines. The GDPR requires opt-in consent by default and lets regulators fine companies directly, up to 4 percent of global annual turnover.
Is PIPEDA like HIPAA or CCPA?
No. HIPAA is a US law that protects health information specifically, while PIPEDA is a general Canadian law covering all personal information in commercial activity. CCPA is a California opt-out privacy law, whereas PIPEDA applies across Canada and leans on consent and its 10 principles.
Has PIPEDA been replaced by the CPPA?
No. Bill C-27 and its proposed Consumer Privacy Protection Act died when Parliament was prorogued in January 2025. PIPEDA remains in force with no replacement enacted.
Does PIPEDA require data to be stored in Canada?
No. PIPEDA governs how you handle and account for personal information, including transfers to third parties for processing. It does not mandate that data be stored inside Canada.

