Personal Information Protection and Electronic Documents Act.
Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Based on 10 fair information principles. Applies to businesses that collect personal information from Canadian residents.
Diagnostic check: ClearConsent scans your storefront for signals related to this law — consent banner state, GPC support, Do Not Sell links, privacy policy disclosures, cookies, and trackers.
What the law requires.
- 01 Accountability: designate an individual responsible for compliance
- 02 Identifying purposes: document why data is collected, before or at the time of collection
- 03 Meaningful consent: obtain knowledge and consent for collection, use, and disclosure
- 04 Limiting collection: collect only what is necessary for the identified purposes
- 05 Limiting use, disclosure, and retention: use data only for the stated purposes
- 06 Accuracy: keep personal information accurate, complete, and up to date
- 07 Safeguards: protect personal information with appropriate security
- 08 Openness: make privacy policies readily available
- 09 Individual access: right to access and challenge the accuracy of personal information
- 10 Challenging compliance: provide a mechanism to address complaints
- 11 Mandatory breach reporting to the OPC and to affected individuals
Penalties & cure period.
OPC can seek Federal Court orders. Non-compliance with orders can result in fines up to $100,000 CAD per violation. Individuals can sue for damages.
OPC investigates complaints and typically recommends remediation before enforcement.
Regulator: Office of the Privacy Commissioner of Canada (OPC)
What this means for your store.
Applies to any business collecting personal information from Canadian customers. Consent requirements are less strict than GDPR but stricter than most US state laws. Quebec has its own provincial law (Law 25) with GDPR-like requirements.