The Ultimate Guide to Canada PIPEDA Compliance in 2020
In this article we cover the basics for PIPEDA Compliance.
If your business operates in Canada, PIPEDA oversees what you can do with the personal data you collect from consumers.
Primarily, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal regulation that covers companies operating in the private sector. It controls how;
- Companies gather personal and sensitive information
- Companies use the personal data they collect
- Companies operating in Canada disclose personal information.
Who Needs to Comply with PIPEDA
Canada’s data privacy law applies to:
- organizations that collect, use, or disclose personal information for commercial purposes
- Foreign organizations that collect, use, or disclose personal information of Canadian citizens for commercial purposes.
It is important to highlight the fact that PIPEDA does not explicitly outline its applicability in relation to foreign companies.
Nonetheless, some international firms have been penalized for violating PIPEDA requirements, which sets a clear precedent for foreign organizations to become compliant or face similar consequences.
What is Personal Information of PIPEDA?
Under PIPEDA, personal information refers to ‘any information about an identifiable individual.’
The categories of data considered personal information under PIPEDA include;
- Age, name, ID number, financial data
- Race, nationality, or ethnicity
- Blood type
- DNA
- Marital status
- Opinions, assessments, comments, social status, disciplinary actions
- Medical, education, and employment records
- Social insurance number or driver’s license
- Employee files, credit history, and loan details
However, there are specific categories of data that do not fall under the scope of PIPEDA. They include;
- Personal information processed by federal authorities that are listed under the Privacy Act.
- Provincial or territorial administrations and their agents
- Company contact data such as an employee’s name, profession, corporate address, phone number, or email address that is gathered, processed or shared primarily for communicating with the individual in question in connection to their profession or occupation.
- A person’s gathering, processing, or sharing of personal data for individual use strictly
- A company’s gathering, utilization, or transfer of personal data for journalistic, artistic, or literary purposes solely
Which Consumer Rights does PIPEDA Protect?
Canada’s data privacy law grants consumers the right to;
- Know the purposes a business is collecting, using, or sharing their information
- Expect organizations to gather, process, or share information with accountability and not for any other reason other than what they consented to
- Access their personal data maintained by a company without restrictions and make modifications where needed.
- Lodge complaints about a company’s use of their data if they sense that a business is violating their privacy.
- Expect that their personal information is precise, complete, and updated at all times
Apart from guaranteeing consumer rights, PIPEDA outlines the responsibility of businesses in protecting personal data. Essentially, businesses are expected to;
- Seek clear, express consent from users before the gathering, processing, or transferring their personal information
- Make sure that users have access to products or services even when they do not reveal their personal data unless the information is not necessary for the transaction
- Only gather data using legitimate ways
- Generate clear, easy to understand, and legible privacy notices
What are the Penalties for Non-Compliance?
The latest amendments to PIPEDA now come with fines of up to $100,000 for companies that fail to meet data protection obligations.
While this isn't nearly as onerous as GDPR, it's likely to be only the start for more stringent enforcement of PIPEDA.
What Do the Latest Amendments Mean for Data Breach Notification Rules?
As of November 1, 2018, organizations subject to PIPEDA that experience a data breach need to determine whether the access or loss of personal information can cause a "risk of significant harm" to individuals.
The new provisions were approved back in 2015 as part of S-4, the nation's Digital Privacy Act
Under the new amendments, in order to comply with PIPEDA, organizations must:
- Notify the Privacy Commissioner of Canada concerning breaches of personal data safety arrangements that significantly endanger individuals
- Inform affected persons about the breaches in question
- Alert any other body that can alleviate harm to affected persons; and
- Track and maintain a database of all breaches for at least 24 months following the date it determined that a breach occurred
For additional queries or concerns, book a call with us today for personalized support on how to make your company and website compliant with PIPEDA. Check out how to have a PIPEDA-compliant cookie banner.
Check out the 10 PIPEDA Principles here.
Learn about the Bristish Columbia Personal Information Privacy Act, Quebec's Bill 64, and the newly proposed Consumer Privacy Protection Act - CPPA.

GDPR and Marketing: Complete Compliance Guide
The General Data Protection Regulation (GDPR) has fundamentally changed how businesses handle digital marketing across all channels. GDPR and marketing go hand in hand for any company that wants to reach customers in Europe. Since its enforcement began in May 2018, these comprehensive privacy rules have made marketing teams worldwide rethink their data collection and communication strategies completely.
- Legal & News
- Data Protection
- Cookie Consent

Terms of Service vs Privacy Policy: What's the Difference?
You're launching a new website or app, and everyone's telling you that you need legal documents. But when you start researching terms of service vs privacy policy requirements, the distinctions blur together into confusing legal jargon.
- Legal & News

Cross-Domain Cookie Consent: Complete Implementation Guide
Cross-domain cookie consent is a vital solution for companies managing multiple websites, subdomains, or digital properties under one corporate umbrella. Without proper implementation, users face repetitive consent banners as they move between related sites, creating friction and potentially exposing organizations to compliance risks.
- Legal & News
- Data Protection
- Cookie Consent