Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

S.C. 2000, c. 5

Highlights

Applicability:

PIPEDA applies to private-sector organizations that collect, use, or disclose Personal Information in the course of a Commercial Activity. It also applies to federally regulated organizations (e.g., airports, aircraft, and airlines; banks and authorized foreign banks; telecommunications companies; etc.).

However, PIPEDA does not apply to organizations subject to provincial laws deemed substantially similar to PIPEDA, with respect to the collection, use, or disclosure of Personal Information that occurs within the relevant province. Provinces with substantially similar private-sector privacy laws include Alberta, British Columbia, and Quebec.1 Additionally, PIPEDA does not apply to not-for-profits, charity groups, or political parties and associations unless they engage in Commercial Activities (e.g., selling or leasing membership lists).

PIPEDA also does not apply to certain types of Personal Information, including:

  • Business contact information, such as an employee’s name, title, business address, telephone number, or email address, that is collected, used, or disclosed solely for the purpose of communicating with that person in relation to their employment, business, or profession.
  • Personal Information an organization collects, uses, or discloses solely for personal, domestic, journalistic, artistic, or literary purposes.

Business Obligations:

PIPEDA requires organizations to follow ten “fair information principles” when processing Personal Information:

  • Principle 1 – Accountability
  • Principle 2 – Identifying Purposes
  • Principle 3 – Consent
  • Principle 4 – Limiting Collection
  • Principle 5 – Limiting Use, Disclosure, and Retention
  • Principle 6 – Accuracy
  • Principle 7 – Safeguards
  • Principle 8 – Openness
  • Principle 9 – Individual Access
  • Principle 10 – Challenging Compliance

As part of an organization’s compliance with the fair information principles, organizations must (among other requirements):

  • Collect, use, and disclose Personal Information only for purposes that a reasonable person would consider appropriate in the circumstances
  • Not collect, use, or disclose Personal Information in the following ways:
    • Collection, use, or disclosure that is otherwise unlawful.
    • Profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law.
    • Collection, use, or disclosure for purposes that are known or likely to cause significant harm to the individual.
    • Publishing Personal Information with the intent of charging individuals for its removal.
    • Requiring passwords to social media accounts for the purpose of employee screening.
    • Surveillance by the organization through the audio or video functionality of the individual’s own device.
  • Use contractual or other means to provide a comparable level of protection to Personal Information it transfers to a service provider
  • Inform individuals when disclosing Personal Information to a service provider located outside of Canada that their information may be processed in a foreign country; and that their Personal Information may be accessible to the law enforcement and national security authorities of that jurisdiction.
  • Inform individuals during collection how the organization will use and disclose their Personal Information
  • Obtain consent for the collection, use, or disclosure of Personal Information unless an exception applies.
  • Not collect more Personal Information than is necessary to fulfill the purposes the organization identifies.
  • Collect Personal Information by fair and lawful means.
  • Protect Personal Information with appropriate security safeguards.
  • Maintain appropriate privacy policies and practices.
  • Fulfill data subject requests.

Individuals’ Rights:

Organizations must respond within 30 days of receipt (extendable in limited circumstances, with notice to the individual) to individuals’ requests regarding the processing of their Personal Information, including individuals’:

  • Right to access
  • Right to correct inaccuracies

Organizations may require an individual to provide sufficient information to permit the organization to identify the individual and respond to the request, provided such information is used solely for responding to the request.

More Details

Definitions:

  • Business Contact Information: Any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business, or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.
  • Controller: A person that, alone or jointly with others, determines the purposes and means for processing Personal Data. (PIPEDA itself does not use this term; the Act places its obligations on the “organization” that collects, uses, or discloses Personal Information. The definition is included for comparison with other privacy regimes.)
  • Commercial Activity: Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.
  • Personal Information: Information about an identifiable individual. Under PIPEDA, employee Personal Information is covered only where it is collected, used, or disclosed by a federally regulated organization.

Penalties:

Complaints under PIPEDA are investigated by the Office of the Privacy Commissioner of Canada (OPC). The OPC cannot make binding orders or impose fines. Instead, after issuing its report on a complaint, the OPC (with the complainant’s consent) or the complainant may apply to the Federal Court of Canada to hear the matter, and the OPC may refer offences under the Act to the Attorney General of Canada for prosecution. The Federal Court can order an organization to (i) correct its practices, (ii) publish a notice of the corrective action taken, or (iii) pay damages to a complainant. Offences under the Act carry fines of up to $10,000 CAD on summary conviction and up to $100,000 CAD on indictment.

Private Action:

No direct private right of action. An individual may apply to the Federal Court only after filing a complaint with the OPC and receiving the Commissioner’s report (or notice that the investigation has been discontinued).

Associated Regulations:

  • The Digital Privacy Act (S.C. 2015, c. 32), which amended PIPEDA and, as of November 1, 2018, brought into force mandatory reporting of breaches of security safeguards and related record-keeping obligations; Canada’s anti-spam legislation (CASL)

Effective Date:

January 1, 2001


1 These provincial laws do not apply in lieu of PIPEDA with respect to: international or interprovincial transactions that involve Personal Information (for example, the transfer of Personal Information outside of the province); and the Personal Information of employees and candidates for employment of federally regulated organizations.
