Data Protection Laws Overview

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a principle-based law that generally requires consent to the collection, use or disclosure of personal information in the course of a commercial activity. It also applies to personal information about the employees of federally-regulated organizations, or personal information that is transferred by private organizations across provincial or national borders for consideration.


PIPEDA does not apply to personal information collected, used or disclosed by federal, provincial or municipal governments and their agencies: there are separate federal and provincial public sector privacy laws that applies to these entities. 

PIPEDA applies only with respect to commercial activities, so does not apply to most charitable or non-profit organizations, except to the extent that they engage in commercial activities.  In this regard, fundraising is not considered to be a commercial activity, nor is collecting membership fees; however, selling, renting or bartering a membership list or list of donors would be considered to be a commercial activity.


At its core, PIPEDA provides for a consent-based framework for handling personal information.  Subject to certain explicit exceptions, the Act provides that an individual’s consent must always be obtained for the collection, use or disclosure of personal information.  Explicit consent is required for more sensitive forms of personal information (such as financial and health-related information) but implied consent is acceptable for less sensitive types of personal information, and is common in marketing contexts. 

The collection of personal information must be carried out by fair and lawful means and be limited to that which is necessary for the purposes identified by the organization.


Central to the PIPEDA framework is the concept of accountability, through which an organization is responsible for all personal information in its control, including information that has been transferred to a third party for processing.  Organizations must use contractual and other means to provide a comparable level of protection while the information is being processed by the third party.

Information must be accurate, complete, and up-to-date, and it must be retained as long as is necessary for the fulfilment of those purposes.


Individuals have the right to access the personal information that an organization holds about them and may challenge its accuracy and request deletion of the data, subject to restrictions set out in law.

Organizations must protect personal information under their control using security safeguards appropriate to the circumstances and the sensitivity of the personal information in question.

Organizations must notify both the Office of the Privacy Commissioner of Canada and the affected individuals where there has been a data breach likely to give rise to a real risk of significant harm to an individual

For general guidance on complying with PIPEDA, the Office of the Privacy Commissioner of Canada has published Privacy Toolkit: A guide for Businesses and Organisations.

Please visit:


Note: A significant percentage of the personal information handled in Canada may not be subject to PIPEDA, but rather to similar laws enacted at the provincial level. 

  • PIPEDA applies to personal information that organizations collect, use and disclose in the course of their commercial activities, unless such activities are regulated by provincial legislation declared ‘substantially similar to PIPEDA’.
  • The provinces of British Columbia, Alberta and Québec (together, representing approximately half of the Canadian population) have enacted their own privacy laws, which are substantially similar to PIPEDA.