What is PIPEDA?
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.
Enacted in 2000 and fully in effect since January 1, 2004, PIPEDA established Canada as one of the first countries in the world to create comprehensive private-sector privacy legislation. It is administered by the Office of the Privacy Commissioner of Canada (OPC).
Why PIPEDA Exists
Before PIPEDA, there was no federal law governing how businesses handled personal information. The Canadian Standards Association (CSA) had developed a voluntary Model Code for the Protection of Personal Information in 1996, but compliance was optional. PIPEDA made the core principles of this code legally binding.
PIPEDA was also designed to support international trade. The European Union's data protection directive required that countries receiving EU citizens' data have "adequate" privacy protections. PIPEDA helped Canada achieve this adequacy status — a critical advantage for Canadian businesses operating internationally.
Who Does PIPEDA Apply To?
PIPEDA applies to every private-sector organization in Canada that collects, uses, or discloses personal information in the course of commercial activity. This includes:
- Businesses of all sizes (there is no small business exemption)
- Non-profits and charities engaged in commercial activity
- Federal works, undertakings, and businesses (banks, airlines, telecommunications, railways, inter-provincial transportation)
Provincial exemptions: Three provinces have enacted "substantially similar" private-sector privacy legislation:
| Province | Law | Year |
|---|---|---|
| Quebec | Law 25 | 2022–2024 (phased) |
| British Columbia | PIPA BC | 2004 |
| Alberta | PIPA AB | 2004 |
Even in these provinces, PIPEDA still applies to:
- Federally regulated industries — banks (RBC, TD, BMO), airlines (Air Canada, WestJet), telecommunications (Bell, Rogers, Telus)
- Interprovincial and international data transfers
- Federal government employee personal information
Health information has additional substantially similar laws in several provinces:
| Province | Health Privacy Law |
|---|---|
| Ontario | PHIPA |
| New Brunswick | PHIPAA |
| Nova Scotia | PHIA |
| Manitoba | PHIA |
| Saskatchewan | HIPA |
| Alberta | HIA |
What is "Personal Information"?
Under PIPEDA, personal information means any factual or subjective information about an identifiable individual. This is intentionally broad.
| Category | Examples |
|---|---|
| Identity | Name, age, date of birth, weight, height |
| Government IDs | SIN, driver's licence, passport, health card |
| Contact | Home address, phone number, personal email |
| Financial | Income, purchases, credit history, bank accounts |
| Health | Medical records, diagnoses, prescriptions |
| Digital | IP address, device identifiers, browsing history |
| Sensitive | Race, ethnic origin, religion, sexual orientation |
What is NOT personal information under PIPEDA:
- Business contact information used for business purposes
- Information about organizations (not individuals)
- Information rendered truly anonymous (cannot be re-identified)
Real-World Example
Scenario: A law firm in Toronto collects a client's SIN, home address, phone number, and medical history for a personal injury case.
Result: PIPEDA applies. The firm must comply with all 10 Fair Information Principles. Ontario does not have substantially similar general private-sector privacy legislation — PHIPA only covers health information custodians.
Why PIPEDA Matters to You
- 1Legal compliance — The OPC investigates hundreds of complaints per year. Breach notification failures can result in fines up to $100,000.
- 2Client trust — 92% of Canadians express concern about their privacy (OPC survey).
- 3Professional obligations — Lawyers, doctors, accountants have additional duties. PIPEDA is the baseline.
- 4AI and technology — Using AI tools (ChatGPT, Claude, Copilot) with client data raises significant PIPEDA concerns. Understanding the law is the first step to using AI safely.
Module Quiz
1. PIPEDA applies to which type of organizations?
2. In provinces with "substantially similar" legislation, does PIPEDA still apply to banks?
3. Which of the following is NOT considered personal information under PIPEDA?
4. How many provinces have "substantially similar" private-sector privacy legislation?
5. A Toronto law firm collecting a client's SIN for a personal injury case — does PIPEDA apply?
All Modules