
PIPEDA

Personal Information Protection and Electronic Documents Act

Canadian federal law on the protection of personal information in the private sector, in force since 2000. It governs the collection, use and disclosure of personal data by private commercial organisations in Canada, complementing province-specific laws.

What PIPEDA is

PIPEDA (Personal Information Protection and Electronic Documents Act) is the Canadian federal reference law for the protection of personal information in the private sector. Enacted in 2000, it applies to organisations that collect, use or disclose personal information in the course of commercial activities on Canadian soil or involving Canadian residents.

The regulator is the Office of the Privacy Commissioner of Canada (OPC).

Ten founding principles

PIPEDA rests on ten principles inspired by OECD guidelines:

  1. Accountability — designation of a compliance officer.
  2. Identifying purposes.
  3. Consent.
  4. Limiting collection.
  5. Limiting use, disclosure and retention.
  6. Accuracy.
  7. Safeguards.
  8. Openness.
  9. Individual access to personal information.
  10. Challenging compliance.

Interplay with provincial laws

Quebec, Alberta and British Columbia have their own provincial laws considered “essentially similar” to PIPEDA. For those provinces, the provincial law generally prevails in domestic situations — for example Law 25 in Quebec. PIPEDA still applies to interprovincial and international exchanges.

Breach notification

Since 2018, PIPEDA mandates notification to the OPC and to affected individuals as soon as there is a real risk of significant harm. Organisations must also maintain a breach record for 24 months.

PIPEDA at Hexceos

Our Canadian offering covers PIPEDA and Law 25 compliance under the same contract. Our Montréal SOC operates in compliance with both regimes. See audit & compliance services and the Montréal office.

Related terms

Law 25, GDPR

Last updated: 19 May 2026