PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada's federal private sector privacy law. It governs how organisations collect, use, store, and disclose personal information in the course of commercial activity. If your business operates across provincial lines, is federally regulated, or is not covered by a substantially similar provincial law, PIPEDA applies to you.
PIPEDA applies to any private sector organisation that collects, uses, or discloses personal information in the course of commercial activity. There is no employee or revenue threshold. If you collect customer names and email addresses to send invoices, PIPEDA applies.
Exceptions:
Any information about an identifiable individual: names, email addresses, phone numbers, purchasing history, financial details, health information, IP addresses, and more. Business contact information (a person's business phone number and title in their professional capacity) is generally excluded.
PIPEDA is built on ten Fair Information Principles from the Canadian Standards Association:
A privacy breach is any unauthorised access, use, or disclosure of personal information, or the loss of personal information where there is a risk of unauthorised access. PIPEDA's breach notification rules apply when a breach poses a real risk of significant harm (RROSH) to individuals.
RROSH factors include: the sensitivity of the information, the probability that information will be misused, the number of individuals affected, and whether the information is in the hands of someone with malicious intent.
If RROSH is present, you must:
The OPC can investigate, issue findings, and seek Federal Court orders. Penalties for knowingly contravening PIPEDA can reach $100,000 per violation. The Digital Charter Implementation Act (Bill C-27), if passed, would significantly increase penalties. Class action lawsuits for privacy breaches are also an increasing risk in Canada.
Provincially regulated private sector organisations in BC (BC PIPA), Alberta (Alberta PIPA), and Quebec (Law 25 / Law 64) are governed by their provincial laws for intra-provincial activity. However, PIPEDA still governs:
Is PIPEDA the same as GDPR? No. PIPEDA is Canada's federal privacy law. GDPR is the European Union's regulation. They share similar principles but differ in scope, enforcement, penalties, and specific requirements.
Do I need a privacy policy if I am a small business? Yes. PIPEDA's accountability principle requires you to be open about your privacy practices. A privacy policy is the standard mechanism.
What if I use a US-based SaaS provider? You are responsible for personal information you transfer to third parties, including US service providers. Your contracts should include data handling clauses, and you should inform individuals that their data may be processed outside Canada.
When must I report a breach to the OPC? As soon as feasible after you determine that a breach poses a real risk of significant harm.
Can North Star IT help with PIPEDA compliance? Yes. North Star runs PIPEDA readiness assessments, drafts policies, implements technical safeguards, and trains staff for Canadian SMBs.
Not sure whether your business is PIPEDA-compliant? Call 672-983-1174 or book a free compliance review at northstarit.ca.
Quick answers.
What is PIPEDA?
PIPEDA is Canada's federal privacy law for private sector organisations. It governs how businesses collect, use, store, and disclose personal information about individuals.
Does PIPEDA apply to my small business?
Yes, if you collect, use, or disclose personal information in the course of commercial activity. Employee data is also covered if you are a federally regulated business or operate across provincial lines.
What is a PIPEDA breach?
A breach is any unauthorised access, use, or disclosure of personal information. If the breach poses a real risk of significant harm to individuals, it must be reported to the Privacy Commissioner of Canada.
What is the PIPEDA penalty for non-compliance?
Penalties range from public findings of non-compliance to fines of up to $100,000 per violation under the proposed Digital Charter Implementation Act.
Does PIPEDA apply if I am in BC, AB, or QC?
Provincial privacy laws (BC PIPA, Alberta PIPA, Quebec Law 25) cover provincially regulated businesses. They are largely equivalent to PIPEDA but with provincial nuances. North Star helps map the right framework.
Have a specific situation in mind?
Book a free 30-minute scoping call with a North Star IT engineer. We will walk through your environment, your questions, and what good looks like for your team.