Alberta PIPA vs. PIPEDA: What BC Businesses Need to Know - North Star IT Insights
Alberta PIPA vs. PIPEDA: What BC Businesses Need to Know

Many BC businesses also operate in Alberta - through clients, employees, or satellite offices. That creates a compliance split: BC has its own PIPA, Alberta has its own PIPA, and the federal PIPEDA applies when data crosses provincial or national borders. Here is a plain-English breakdown of what differs and what overlaps.

The Short Version

BC PIPA and Alberta PIPA are both 'substantially similar' to PIPEDA, which means businesses in those provinces generally deal with the provincial law rather than the federal one for intra-provincial transactions. When personal information moves interprovincially - say, an Alberta client whose data is processed by a BC company - PIPEDA typically applies.

In practice: if you are a BC business with no Alberta employees or physical presence, you follow BC PIPA for your BC operations. If you have Alberta-based staff or clients whose data you actively manage, you need to understand Alberta PIPA as well.

Breach Notification: The Biggest Difference

Alberta PIPA has mandatory breach notification requirements that predate federal PIPEDA's. Under Alberta rules, if a breach creates a real risk of significant harm to an individual, you must notify the affected person and the Alberta Privacy Commissioner. The threshold is 'real risk of significant harm,' which is the same language used in PIPEDA.

BC PIPA currently does not have equivalent mandatory breach notification - though the OIPC encourages voluntary notification and the law is expected to evolve. If you operate in Alberta, your incident response plan must account for the notification obligation.

Consent Models Compared

All three laws require consent for the collection, use, and disclosure of personal information. The practical difference is in how implied versus express consent is treated and what counts as 'sensitive' information requiring express consent. Health data, financial data, and employee personal data generally require express consent under all three frameworks.

Alberta PIPA puts slightly more emphasis on express consent for sensitive categories. If you are building a consent workflow that needs to satisfy both provinces, design to the more demanding standard and it will cover both.

Enforcement and Penalties

The Alberta Privacy Commissioner can order an organization to comply and can apply to the Court of Queen's Bench to enforce orders. Offences under Alberta PIPA carry fines up to $10,000 for individuals and $100,000 for organizations. BC has similar enforcement mechanisms through the OIPC.

PIPEDA penalties have historically been lower, though the Liberals introduced Bill C-27 to overhaul the federal regime. Watch for changes to federal law that could affect organizations operating nationally.

Practical IT Controls for Both Provinces

The IT controls that satisfy BC PIPA largely satisfy Alberta PIPA: encrypted storage, access controls, retention schedules, vendor agreements, and documented incident response. The gap is mostly in documentation and notification procedures, not the technical controls themselves.

North Star recommends a single unified data governance policy that references both provincial laws and PIPEDA. This eliminates the need to maintain separate compliance programs and makes audits straightforward.

Operating across BC and Alberta?

North Star can map your data flows, identify which law applies where, and build a compliance-ready IT setup that works for both provinces. Start with a free assessment.
