Does PIPEDA Apply to Your Business? [2026 Guide]
Free applicability checker with statutory citations — covers PIPEDA scope, obligations, and penalties.
About PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private sector privacy law. It governs how private sector organisations collect, use, and disclose personal information in the course of commercial activity.
Who it applies to: PIPEDA applies to private sector organisations that collect, use, or disclose personal information in the course of commercial activity — including commercial activities that cross provincial or national borders. It also applies to the personal information of employees in federally regulated organisations. Note: Quebec, Alberta, and British Columbia have substantially similar provincial legislation for provincially regulated organisations, but federal PIPEDA still applies to interprovincial and international activities.
Quebec users: Individuals located in Quebec are additionally protected by Quebec Law 25, which came fully into force in September 2023 and is considerably stricter than PIPEDA, with penalties up to CAD $25 million or 4% of global revenue.
PIPEDA is built around 10 fair information principles set out in Schedule 1. These cover: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.
Key obligations under PIPEDA
Frequently asked questions
Does PIPEDA apply to US companies doing business in Canada?
Yes. If a US company collects, uses, or discloses personal information of Canadian residents in the course of commercial activity, PIPEDA applies. This includes US e-commerce businesses selling to Canadian customers, US SaaS companies with Canadian subscribers, and US businesses with Canadian employees in federally regulated industries.
Does PIPEDA apply to non-profits?
Generally, non-profits are not subject to PIPEDA unless they carry out commercial activities. However, fundraising activities may constitute commercial activity in some circumstances. Non-profits that operate commercial subsidiaries or carry out activities that compete commercially with for-profit entities may be subject to PIPEDA for those activities.
Is PIPEDA being replaced?
Yes. Bill C-27, which includes the Consumer Privacy Protection Act (CPPA) as a replacement for PIPEDA, has been progressing through Parliament. Until CPPA receives royal assent and comes into force, PIPEDA remains the operative federal law. The CPPA would significantly increase penalties and introduce new obligations. Always check the current status of C-27.
What is the difference between PIPEDA and Quebec Law 25?
PIPEDA is the federal law that applies to interprovincial and international commercial activities involving personal information. Quebec Law 25 applies to all organisations that collect, use, or communicate personal information about Quebec residents — with no commercial activity threshold. Quebec Law 25 has much higher penalties (up to CAD $25M or 4% of global revenue vs PIPEDA's CAD $100,000) and stricter requirements including mandatory Privacy Impact Assessments.
What is PIPEDA's breach notification requirement?
Under PIPEDA s.10.1 and the Breach of Security Safeguards Regulations (SOR/2018-64), organisations must report to the Privacy Commissioner of Canada any breach of security safeguards that creates a real risk of significant harm to individuals. Affected individuals must also be notified. A record of all breaches must be maintained for 24 months. Notification must be made as soon as feasible after the organisation determines a breach has occurred.
Not legal advice — educational information only