Canada's federal privacy law does not just regulate how organisations use personal data. It also places firm limits on what they collect in the first place and how long they keep it afterwards. These two obligations - found in Principles 4 and 5 of PIPEDA's Schedule 1 - are among the most practically important rules for any business that handles the personal information of Canadians.
Get either one wrong, and the consequences are real. In March 2026, the Office of the Privacy Commissioner (OPC) published findings against Loblaw for retaining purchase history data from deleted PC Optimum loyalty accounts without demonstrating proper anonymisation. The case turned squarely on Principle 4.5.3 and resulted in a conditional resolution requiring a third-party anonymisation audit.
What Principle 4 Requires: Limiting Collection
Clause 4.4 of Schedule 1 states that the collection of personal information must be limited to what is necessary for the purposes identified by the organisation. That single sentence carries three distinct obligations.
First, there is a purpose limitation. Before collecting any personal data, the organisation must have already identified a specific, documented purpose under Principle 2. You cannot collect data speculatively or stockpile it for undefined future use. Second, there is a minimisation requirement. Both the amount and type of information collected must be limited to what is genuinely needed. Third, collection must occur through fair and lawful means. Clause 4.4.2 explicitly prohibits collecting information by misleading or deceiving individuals about why it is being gathered.
The OPC has consistently enforced this principle. In its investigation of Home Depot (PIPEDA Findings #2023-001), the Commissioner found that customers providing email addresses solely to receive e-receipts would not reasonably expect that data to be shared with Meta for advertising measurement. That gap between stated purpose and actual practice is exactly what Principle 4 prevents.
The OPC's guidance on subsection 5(3) also lists "no-go zones" where collection is considered inappropriate regardless of consent - including collecting data in ways that violate other legislation and profiling that leads to discriminatory treatment.
Principle 5: Use, Disclosure, and Retention Limits
Principle 5 (Clause 4.5) builds directly on Principle 4. Once data has been collected for a specific purpose, it may only be used or disclosed for that purpose - unless the individual consents to a new use or an exception under Section 7 of PIPEDA applies.
The retention component sits in Clauses 4.5.2 and 4.5.3. Organisations must develop guidelines with minimum and maximum retention periods. Personal information that is no longer required to fulfil its original purpose must be destroyed, erased, or made anonymous.
That last word carries significant weight. The Loblaw decision (PIPEDA Findings #2026-001) examined this point directly. When members deleted their PC Optimum accounts, Loblaw removed names and email addresses but retained purchase transaction data, loyalty data, IP addresses, and browsing behaviour. Loblaw argued the remaining data was no longer linked to identifiable individuals. The OPC disagreed, finding that the retained data - including public IP addresses that approximate physical location - could still be cross-referenced to create detailed individual profiles.
When Anonymisation Falls Short
The Loblaw case set a higher bar for anonymisation under PIPEDA. Three points matter for website operators.
Removing direct identifiers alone is not sufficient. If the remaining dataset includes IP addresses, device fingerprints, or granular behavioural patterns, re-identification may still be possible. Anonymisation is not a one-time exercise either - re-identification risk changes as new data becomes available and analytical techniques improve. The OPC expects ongoing reassessment.
The burden of proof sits with the organisation. If you choose to anonymise rather than delete, you must be able to demonstrate that the data cannot be re-identified with any serious possibility. A third-party assessment is one way to discharge this burden.
Building a Retention Schedule
PIPEDA does not prescribe specific retention periods. The OPC expects each organisation to develop its own schedule, documented internally and reviewed periodically. The ten fair information principles provide the framework, but the specifics are yours to define.
| Data Category | Typical Purpose | Suggested Retention Approach |
|---|---|---|
| Customer contact details | Service delivery | Duration of relationship plus 30-90 day wind-down |
| Transaction records | Order fulfilment, tax | As required by tax legislation (typically 6-7 years), then destroy |
| Analytics cookie data | Website performance | Aggregate promptly; raw data should not persist beyond 14-26 months |
| Marketing consent records | Proof of valid consent | Retain while consent is relied upon, plus a reasonable defence period |
| Employee records | Employment management | Duration of employment plus statutory requirements |
| Loyalty programme data | Points, rewards | Delete or properly anonymise upon account closure |
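To make the table concrete, here is an added example (my own sketch, not code from this page, from Kukie.io or from the OPC) of a retention schedule held as data and enforced by a scheduled job, with a collection gate for Principle 4 in front of it. The anonymisation step strips quasi-identifiers such as IP addresses and browsing history, the very fields the Loblaw finding said can still be cross-referenced, and refuses to keep a record that is only half-scrubbed. The category names, the purpose-to-field map, the day counts (picked from the table's suggested ranges) and the sample records are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# ---- Principle 4: collect only what the identified purpose needs ----------
# Hypothetical purpose -> permitted fields map (constructed for this example).
ALLOWED_FIELDS = {
    "e_receipt": {"email", "order_id"},
    "loyalty": {"name", "email", "member_id", "purchases"},
    "web_analytics": {"page_views", "session_id"},
}


def collect(purpose: str, submitted: dict) -> dict:
    """Keep only the fields the stated purpose needs; drop everything else.

    Collection without a documented purpose is refused outright.
    """
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"no identified purpose: {purpose!r}")
    return {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS[purpose]}


# ---- Principle 5: the retention schedule as data --------------------------
@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    clock: str                # record field whose date starts the period
    max_age_days: int | None  # None: expires as soon as the clock date is set
    on_expiry: str            # "destroy" or "anonymise"


# Day counts are assumptions chosen from the table's suggested ranges.
SCHEDULE = {
    "contact": RetentionRule("service delivery", "closed_on", 90, "destroy"),
    "transaction": RetentionRule("order fulfilment, tax", "collected_on", 7 * 365, "destroy"),
    "analytics_raw": RetentionRule("website performance", "collected_on", 14 * 30, "destroy"),
    "loyalty": RetentionRule("points, rewards", "closed_on", None, "anonymise"),
}

DIRECT_IDENTIFIERS = {"name", "email", "member_id"}
# Fields that alone or in combination can still single someone out.
QUASI_IDENTIFIERS = {"ip_address", "device_id", "browsing_history", "postal_code", "session_id"}


def anonymise(fields: dict) -> dict:
    """Drop direct and quasi-identifiers and collapse itemised purchases to a total."""
    out = {k: v for k, v in fields.items()
           if k not in DIRECT_IDENTIFIERS and k not in QUASI_IDENTIFIERS}
    if "purchases" in out:
        out["purchase_total"] = sum(p["amount"] for p in out.pop("purchases"))
    return out


def is_anonymised(fields: dict) -> bool:
    """True when no direct or quasi-identifier field survives."""
    return not (set(fields) & (DIRECT_IDENTIFIERS | QUASI_IDENTIFIERS))


def apply_retention(records: list[dict], today: date) -> dict:
    """Sort records into kept / destroyed / anonymised according to SCHEDULE.

    A record is {"category", "collected_on", "closed_on" (optional), "fields"}.
    """
    result = {"kept": [], "destroyed": [], "anonymised": []}
    for rec in records:
        rule = SCHEDULE[rec["category"]]
        start = rec.get(rule.clock)
        if start is None:                      # e.g. relationship still open
            expired = False
        elif rule.max_age_days is None:
            expired = True
        else:
            expired = (today - start).days > rule.max_age_days
        if not expired:
            result["kept"].append(rec["category"])
        elif rule.on_expiry == "destroy":
            result["destroyed"].append(rec["category"])
        else:
            anon = anonymise(rec["fields"])
            if not is_anonymised(anon):        # never keep a half-scrubbed record
                raise RuntimeError(f"re-identifiable fields remain: {anon}")
            result["anonymised"].append(anon)
    return result


DEMO_TODAY = date(2026, 4, 1)  # constructed "run date" for the sample below


def sample_records() -> list[dict]:
    """Constructed sample data, not real customer records."""
    return [
        {"category": "contact", "collected_on": date(2024, 1, 1), "closed_on": date(2025, 12, 1),
         "fields": {"name": "A. Example", "email": "a@example.com"}},
        {"category": "transaction", "collected_on": date(2020, 1, 1),
         "fields": {"order_id": "C-1001", "amount": 42.0}},
        {"category": "analytics_raw", "collected_on": date(2024, 6, 1),
         "fields": {"ip_address": "198.51.100.7", "page_views": 12}},
        {"category": "loyalty", "collected_on": date(2022, 5, 1), "closed_on": date(2026, 3, 15),
         "fields": {"name": "B. Example", "email": "b@example.com", "member_id": "M-77",
                    "ip_address": "203.0.113.9", "browsing_history": ["/deals", "/cart"],
                    "purchases": [{"amount": 12.5}, {"amount": 7.5}]}},
    ]


if __name__ == "__main__":
    print(collect("e_receipt", {"email": "a@example.com", "name": "A. Example",
                                "ip_address": "198.51.100.7"}))
    print(apply_retention(sample_records(), DEMO_TODAY))
```

Run as-is, the contact record (closed 121 days ago) and the raw analytics record (older than 14 months) are destroyed, the six-year-old transaction record is kept under the tax clock, and the closed loyalty account survives only as a purchase total with no name, email, IP address or browsing history attached. The design point is that the schedule lives in one table that can be reviewed and versioned, the anonymisation check is enforced in code rather than assumed, and a record that fails it raises instead of being quietly retained.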
How This Applies to Cookies and Online Tracking
Cookies and tracking technologies are subject to the same collection and retention principles as any other form of personal information under PIPEDA. If a cookie collects data about an identifiable individual - and most analytics and marketing cookies do, through IP addresses, device identifiers, or behavioural profiles - Principles 4 and 5 apply in full.
For analytics cookies such as _ga, collection must be limited to what is genuinely needed for website performance analysis. Retaining raw, user-level analytics data indefinitely violates Principle 5. Google Analytics 4 defaults to a 14-month data retention period for user-level data, which aligns more closely with PIPEDA's expectations than older defaults - but even that may be excessive if aggregated metrics would serve the same purpose.
Marketing cookies raise sharper questions. The Home Depot case demonstrated that sharing cookie-related data with third parties for advertising requires express opt-in consent when the sharing falls outside reasonable expectations. A cookie consent banner that explains what cookie categories are active, who receives the data, and how long it persists is a practical necessity for compliance.
Enforcement and Consequences
PIPEDA enforcement starts with the OPC. The Commissioner investigates complaints, publishes findings, and can refer matters to the Federal Court for binding orders and damages. The current maximum penalty is CAD 100,000 per offence, though class actions have reached higher amounts - one was settled for CAD 2.25 million.
In 2023-2024, the OPC received over 1,200 complaints and concluded 47 formal investigations. Recent priorities include data breach notification failures, consent violations, and - as the Loblaw case shows - retention practices. The proposed Consumer Privacy Protection Act (CPPA), part of Bill C-27, would significantly increase penalties if passed.
The joint OPC-ICO investigation into 23andMe (PIPEDA Findings #2025-001) reinforced that the Commissioner scrutinises the full data lifecycle. That case found deficiencies in security safeguards, breach notification, and data handling practices for genetic information - among the most sensitive data categories imaginable.
Frequently Asked Questions
Does PIPEDA specify exact retention periods for personal data?
No. Principle 5 requires organisations to develop their own retention guidelines with minimum and maximum periods tied to the purpose of collection. Other Canadian laws (tax, employment) may mandate specific timeframes for particular records.
Can I keep personal data indefinitely if I anonymise it?
Only if the anonymisation is genuine. The OPC's 2026 Loblaw finding established that organisations must demonstrate there is no serious possibility of re-identification from the retained data, either alone or combined with other available information.
Do analytics cookies fall under PIPEDA's retention rules?
Yes, if they collect information about an identifiable individual. Most analytics cookies capture IP addresses or create behavioural profiles that meet this threshold. The data they generate must be subject to defined retention periods.
What happens if I collect more personal data than I need?
Collecting excessive data breaches Principle 4. The OPC expects organisations to limit collection to what is genuinely necessary. If you collect unnecessary data inadvertently, dispose of it securely.
How does PIPEDA's data minimisation compare to the GDPR?
The concepts are closely aligned. GDPR Article 5(1)(c) requires data to be adequate, relevant, and limited to what is necessary. PIPEDA's Principle 4 similarly restricts collection to what is needed for identified purposes.
What should a PIPEDA-compliant retention schedule include?
It should map each data category to a collection purpose, define maximum retention periods, identify legal requirements for longer retention, specify destruction methods, and assign responsibility for disposal.
Is implied consent enough for collecting cookie data under PIPEDA?
It depends on context. For essential cookies, implied consent may suffice. For analytics and marketing cookies - especially where data is shared with third parties - the OPC has indicated that express opt-in consent is more likely required when data use falls outside visitors' reasonable expectations.
Take Control of Your Cookie Compliance
If you collect data from Canadian visitors through cookies or tracking technologies, PIPEDA's collection and retention rules apply to every piece of information those tools gather. Kukie.io scans your website, categorises every cookie, and gives visitors a clear, documented choice about what data they share.