Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada’s federal privacy law governing how private-sector organizations collect, use, and disclose personal information in commercial activities.
PIPEDA is Canada’s federal private-sector privacy law, in force since 2000 and applying to organizations that collect, use, or disclose personal information in the course of commercial activity. The law is built on ten Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. PIPEDA applies across Canada except in provinces with substantially similar provincial legislation (Quebec, British Columbia, Alberta).
PIPEDA’s consent framework distinguishes between express consent (required for sensitive information) and implied consent (acceptable for non-sensitive information where the purpose would be obvious to a reasonable person). The law has been undergoing significant reform, with proposed replacement legislation aimed at modernizing Canada’s privacy framework. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance, though its enforcement powers have historically been more limited than EU DPAs. The OPC can investigate complaints, conduct audits, and publish findings, but cannot directly impose fines — a limitation that proposed reforms seek to address.