
Personal Information Protection and Electronic Documents Act

PIPEDA

PIPEDA is Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. It is based on 10 fair information principles and applies to businesses that collect personal information from Canadian residents.

Effective Date: 2000-01-01
Enforcement: Office of the Privacy Commissioner of Canada (OPC)
Consumer Threshold: No threshold
Revenue Threshold: No threshold

Key Requirements

Accountability: designate individual responsible for compliance
Identifying purposes: document why data is collected before or at time of collection
Meaningful consent: obtain knowledge and consent for collection, use, and disclosure
Limiting collection: collect only what is necessary for identified purposes
Limiting use, disclosure, and retention: use data only for stated purposes
Accuracy: keep personal information accurate, complete, and up-to-date
Safeguards: protect personal information with appropriate security
Openness: make privacy policies readily available
Individual access: right to access and challenge accuracy of personal information
Challenging compliance: provide mechanism to address complaints
Mandatory breach reporting to OPC and affected individuals

Penalties

The OPC can seek Federal Court orders. Non-compliance with orders can result in fines up to $100,000 CAD per violation. Individuals can sue for damages.

Cure Period

The OPC investigates complaints and typically recommends remediation before enforcement.

E-commerce Relevance

PIPEDA applies to any business collecting personal information from Canadian customers. Its consent requirements are less strict than GDPR but stricter than most US state laws. Quebec has its own provincial law (Law 25) with GDPR-like requirements.