What Is Personal Information Protection and Electronic Documents Act?
PIPEDA is Canada's federal private-sector privacy law, in force since January 2001. It is built around 10 fair information principles derived from the CSA Model Code, ranging from accountability and purpose-specification through individual access and challenging compliance. The Office of the Privacy Commissioner of Canada (OPC) is the supervisory authority with investigative and reporting powers. Critically, PIPEDA applies federally across Canada — BUT Alberta (PIPA), British Columbia (PIPA BC), and Quebec (Law 25) have their own private-sector privacy laws that the federal government has recognized as "substantially similar," meaning PIPEDA does not apply to intraprovincial commercial activities in those provinces. Quebec's Law 25 (2021-2023 rollout) is notably stricter than PIPEDA — adding data protection impact assessments, data portability rights, and significant administrative monetary penalties. Bill C-27 (Consumer Privacy Protection Act) passed its second reading but has not yet been enacted as of April 2026. It would replace PIPEDA with a modernized framework including administrative monetary penalties (up to CAD $10M or 3% of global revenue), a new Privacy Tribunal, and private right of action.
At a glance
- Full name
- Personal Information Protection and Electronic Documents Act
- Short code
- PIPEDA
- Jurisdiction
- Canada
- Enacted
- 2000
- Last major update
- Digital Privacy Act 2015 (mandatory breach notification since Nov 2018)
- Regulator
- Office of the Privacy Commissioner of Canada (OPC)
- Private right of action
- Yes
- Statutory citation
- S.C. 2000, c. 5
Scope — who PIPEDA covers
Protected data
Data subject rights
Right to know what personal information an organization holds and how it is being used
Right of access — review your personal information and receive copies
Right to correction — challenge accuracy and completeness, and amend information
Right to withdraw consent (subject to legal or contractual restrictions)
Right to receive an explanation of refused access requests
Right to file a complaint with the Office of the Privacy Commissioner
Right to know how and why information will be shared with third parties
Notable features
PIPEDA's 10 fair information principles (Schedule 1) are its defining feature — principles-based rather than rules-based, giving organizations flexibility but also creating uncertainty. Consent is central: PIPEDA distinguishes between express and implied consent, with the OPC's 2018 Guidelines on Meaningful Consent providing an interpretive framework. Quebec's Law 25 has set a new de facto bar for Canada, often influencing how OPC interprets PIPEDA for cross-border businesses.
Enforcement & penalties
Regulator: Office of the Privacy Commissioner of Canada (OPC)
Penalties: PIPEDA itself has limited fine authority — the OPC issues findings and recommendations but cannot directly levy administrative fines. Organizations may face fines up to CAD $100,000 per offence for violations of breach-notification requirements. Bill C-27 (if enacted) would introduce administrative monetary penalties up to CAD $10M or 3% of global revenue, whichever is higher.
Private right of action: After the OPC issues a report, individuals may apply to the Federal Court (Section 14) for further review, including damages. Courts can award damages including for humiliation. Several notable class-action settlements (Home Depot 2023, Tim Hortons 2022) have proceeded under PIPEDA's private-action framework plus provincial tort claims.
Relevance to data brokers
PIPEDA applies to any data broker that conducts commercial activities in Canada or targets Canadian residents. The OPC has been active on data broker enforcement: the 2018 investigation into Cambridge Analytica found the firm had breached PIPEDA; the Equifax 2019 breach produced one of Canada's largest data protection investigations. Canadian residents can file OPC complaints online at priv.gc.ca. Federal Court actions for damages remain a viable enforcement path.
Exercise your rights
Remove your data from 300+ brokers for $5
OfflistMe drafts opt-out emails citing PIPEDA and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
Does PIPEDA apply in Quebec, Alberta, or British Columbia?+
For intraprovincial commercial activities, no — those provinces have substantially similar laws (Quebec's Law 25, Alberta's PIPA, BC's PIPA). For interprovincial or international transfers, or for federally regulated businesses (banks, telecoms, airlines), PIPEDA applies in all provinces.
How do I file a PIPEDA complaint?+
You can file a complaint with the Office of the Privacy Commissioner at priv.gc.ca/en/report-a-concern. The OPC typically expects you to first raise the issue with the organization's privacy officer. If the organization does not resolve it within 30 days, you can submit a written complaint to the OPC.
What is Quebec Law 25?+
Law 25 (formerly Bill 64) is Quebec's private-sector privacy law, substantially amended in September 2022, September 2023, and September 2024. It is stricter than PIPEDA — requiring explicit consent for secondary uses, data portability rights, mandatory privacy officers, and administrative monetary penalties up to CAD $10M or 2% of global revenue.
Is Bill C-27 now in force?+
Not as of April 2026. Bill C-27 (Digital Charter Implementation Act), which would replace PIPEDA with the Consumer Privacy Protection Act and create the AI and Data Act, has cleared second reading in the House of Commons but has not yet received Royal Assent. PIPEDA remains the operative federal law.
Official sources & citations
Other international privacy regimes
PIPEDA sits in a global ecosystem of data-protection laws. Compare with other jurisdictions that shape cross-border data flows: