Canada does not have a single, unified privacy law for the private sector. Instead, it has a layered system where the federal Personal Information Protection and Electronic Documents Act (PIPEDA) sets a national baseline, and three provinces - Alberta, British Columbia, and Quebec - enforce their own private-sector privacy statutes that have been formally recognised as providing equivalent protection. These provincial laws are said to be "substantially similar" to PIPEDA, a designation that carries real legal consequences for which rules your organisation must follow.

Getting this wrong is not a theoretical risk. An organisation that assumes PIPEDA covers all its operations may find that a provincial commissioner has jurisdiction over a complaint - or that cross-border data flows trigger federal obligations the organisation thought it had left behind.

What "Substantially Similar" Actually Means

Section 26(2)(b) of PIPEDA gives the Governor in Council the power to exempt organisations from the federal law where a province has enacted legislation that provides comparable privacy protection. The Office of the Privacy Commissioner of Canada (OPC) reports to Parliament annually on which provincial laws meet this threshold.

A provincial law qualifies as substantially similar if it incorporates core protections: rules limiting the collection, use, and disclosure of personal information to appropriate purposes; a requirement for meaningful consent; a right of access for individuals; and an independent oversight body with authority to receive complaints and investigate. The designation does not mean the provincial and federal laws are identical. Significant differences exist in scope, enforcement powers, and specific obligations.

Three comprehensive private-sector statutes currently hold the designation:

| Province | Legislation | Oversight Body | Substantially Similar Since |
|---|---|---|---|
| Alberta | Personal Information Protection Act (PIPA) | Office of the Information and Privacy Commissioner of Alberta | 2004 |
| British Columbia | Personal Information Protection Act (PIPA) | Office of the Information and Privacy Commissioner for British Columbia | 2004 |
| Quebec | Act Respecting the Protection of Personal Information in the Private Sector (as amended by Law 25) | Commission d'accès à l'information du Québec (CAI) | 2003 |

Four additional provincial health information laws - in Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador - are also deemed substantially similar, but only for personal health information held by health information custodians. They do not replace PIPEDA for general commercial activity.

When Provincial Law Applies Instead of PIPEDA

If your organisation is provincially regulated and operates within Alberta, British Columbia, or Quebec, the provincial privacy statute governs the collection, use, and disclosure of personal information that occurs entirely within that province. A retailer based in Calgary handling only Alberta customers' data follows Alberta's PIPA. A software company in Vancouver processing data solely within British Columbia follows BC's PIPA. A Montreal-based consultancy serving Quebec clients follows Law 25.

This exemption is not absolute. Two categories of activity pull organisations back under PIPEDA regardless of where they sit.

Federal Works, Undertakings, and Businesses (FWUBs)

Banks, airlines, railways, telecommunications companies, broadcasting stations, and other federally regulated entities always fall under PIPEDA - even if they operate exclusively within a province that has substantially similar legislation. A telecom company headquartered in Montreal still complies with PIPEDA, not Law 25, for its core operations.

There is a wrinkle for contractors. If a provincially regulated counselling firm provides employee assistance services under contract to an airline, PIPEDA's consent requirements apply to the airline employees' data. The counselling firm's other clients remain under provincial law.

Cross-Border Data Flows

Personal information that crosses provincial or national borders in the course of commercial activity falls under PIPEDA. This is grounded in the federal government's constitutional authority over inter-provincial and international trade. A British Columbia company that sells a mailing list to a firm in Ontario, or an Alberta business that uses a credit-reporting bureau headquartered in another province, must comply with PIPEDA for those specific transactions.

This means many organisations operating in Alberta, BC, or Quebec are subject to both their provincial law and PIPEDA - provincial rules for intra-provincial activity, and federal rules for anything that moves data beyond provincial borders.

Alberta's PIPA: Current State and Upcoming Changes

Alberta's Personal Information Protection Act came into force on 1 January 2004. It applies to all provincially regulated private-sector organisations in Alberta, including non-profits when they engage in commercial activity. Unlike PIPEDA, which generally does not cover employee information for provincially regulated employers, Alberta's PIPA explicitly governs employee data held by private-sector organisations.

Alberta's PIPA is currently under active review. The Standing Committee on Resource Stewardship began a comprehensive review in January 2024 and published its Final Report in February 2025, containing 12 recommendations for amendment. These include introducing specific protections for minors' personal information, granting the Alberta Information and Privacy Commissioner authority to impose administrative monetary penalties (AMPs), requiring organisations to define and follow anonymisation standards, and harmonising the law with other Canadian and international privacy frameworks.

The recommended changes have not yet been enacted. They now sit with the Alberta Cabinet for decision. Meanwhile, a May 2025 decision by the Alberta Court of King's Bench in Clearview AI Inc. v. Alberta (Information and Privacy Commissioner) declared a portion of PIPA's "publicly available information" exception unconstitutional under the Charter, adding further pressure for legislative reform.

British Columbia's PIPA: Awaiting Modernisation

BC's Personal Information Protection Act also took effect in 2004 and closely mirrors Alberta's statute in structure. It applies to provincially regulated private-sector organisations and, like Alberta's PIPA, covers employee information. BC's PIPA was notably found to apply to federal and provincial political parties operating in the province - a distinction not shared by PIPEDA or Alberta's law.

BC's Special Committee to Review the Personal Information Protection Act reported in December 2021, issuing 34 recommendations to modernise the law. The committee stressed alignment with the evolving federal, provincial, and international privacy landscape, including the GDPR. As of early 2026, legislative amendments based on those recommendations have not been enacted.

Enforcement under BC's PIPA remains complaint-driven, with the BC Information and Privacy Commissioner authorised to investigate, issue orders, and publicly report findings. The law does not currently provide for administrative monetary penalties.

Quebec's Law 25: The Strictest Regime in Canada

Quebec was the first Canadian province to adopt private-sector privacy legislation, and with the passage of Law 25 (formerly Bill 64) in September 2021, it now operates the most demanding privacy regime in the country. Law 25 rolled out in three phases - September 2022, September 2023, and September 2024 - and all provisions are now fully in force.

Law 25 goes well beyond PIPEDA in several respects. It requires organisations to designate a privacy officer, conduct mandatory privacy impact assessments before developing or acquiring systems involving personal information, and notify the Commission d'accès à l'information du Québec (CAI) of confidentiality incidents that pose a risk of serious injury. Consent must be express, specific, and granular - particularly for sensitive personal information. Privacy settings on technology products must default to the highest level of protection without requiring user intervention.

The penalty regime is substantial. Organisations face fines of up to CAD 25 million or 4% of worldwide turnover, whichever is greater. For individuals, fines range from CAD 5,000 to CAD 100,000. These figures align more closely with GDPR penalty structures than with anything in PIPEDA, which historically relied on complaints and persuasion rather than monetary sanctions.

Quebec's law also introduces a right to data portability (effective September 2024), a right to de-indexation, and rules on automated decision-making that require organisations to inform individuals when automated processing is used in decisions affecting them.

What Happens in Provinces Without Substantially Similar Laws

The remaining seven provinces and three territories do not have general private-sector privacy statutes deemed substantially similar to PIPEDA. In Ontario, Manitoba, Saskatchewan, New Brunswick, Nova Scotia, Prince Edward Island, Newfoundland and Labrador, Yukon, the Northwest Territories, and Nunavut, PIPEDA applies directly to private-sector commercial activity.

Some of these provinces have health-sector privacy laws or public-sector freedom-of-information statutes, but those do not replace PIPEDA for commercial data processing. A SaaS company in Toronto handling customer data follows PIPEDA. A marketing agency in Winnipeg follows PIPEDA.

Cookie Consent Under Provincial vs Federal Rules

For website owners, the layered Canadian framework creates practical compliance questions around cookie categories and consent mechanisms.

Under PIPEDA, the form of consent depends on the sensitivity of the information and the reasonable expectations of the individual. The OPC's guidelines on meaningful consent accept implied consent (opt-out) for less sensitive data collection, including some cookie uses, provided the purpose is clearly disclosed and the individual can easily opt out. Express consent (opt-in) is expected for sensitive information, tracking children, or behavioural advertising that goes beyond reasonable expectations.

Quebec's Law 25 is stricter. It requires express, opt-in consent before collecting personal information through cookies or similar tracking technologies. Privacy settings must be set to the highest level by default. Tracking technologies must be deactivated until the user actively consents. This aligns with the approach under the EU's ePrivacy Directive and is significantly more demanding than PIPEDA's implied-consent model.

Alberta and BC's PIPAs follow a consent framework closer to PIPEDA's, distinguishing between express and implied consent based on context and sensitivity. Neither province mandates a specific cookie banner design, but both require meaningful consent before collecting personal information for commercial purposes.

The practical takeaway: if your website serves visitors in Quebec, build your consent management around Law 25's opt-in standard. If you serve visitors across multiple provinces, the safest approach is to default to the strictest applicable requirement.

The Federal Reform That Stalled

Bill C-27, the Digital Charter Implementation Act, was intended to replace PIPEDA's Part 1 with a modernised Consumer Privacy Protection Act (CPPA). The bill would have introduced administrative monetary penalties, strengthened consent requirements, and established a Personal Information and Data Protection Tribunal.

Parliament was prorogued in January 2025, killing Bill C-27 on the Order Paper. A snap federal election in April 2025 pushed privacy reform further down the agenda. In June 2025, Minister Evan Solomon confirmed that C-27 would not return in its original form. PIPEDA remains in force as Canada's federal private-sector privacy law, and no replacement legislation has been tabled as of early 2026.

This matters for the "substantially similar" framework because existing exemption orders reference PIPEDA specifically. Any future federal law would require new orders to be issued. In the meantime, organisations in Alberta, BC, and Quebec continue to operate under the current dual-law structure.

Practical Compliance: A Decision Framework

Determining which law applies comes down to identifying which of the following scenarios matches your organisation:

| Scenario | Applicable Law |
|---|---|
| Federally regulated organisation (bank, airline, telecom) | PIPEDA - always, regardless of province |
| Provincially regulated, operating only within AB, BC, or QC | Provincial PIPA or Law 25 |
| Provincially regulated in AB/BC/QC, but data crosses borders | Provincial law for intra-provincial activity; PIPEDA for cross-border flows |
| Operating in a province without substantially similar law (e.g., Ontario) | PIPEDA |
| International company processing Canadian personal information | PIPEDA for cross-border; provincial law if operating within AB/BC/QC |

For organisations caught between multiple regimes, the OPC and provincial commissioners have a memorandum of understanding that supports collaboration on joint investigations. Recent examples include coordinated inquiries into OpenAI and TikTok involving the OPC alongside commissioners in Quebec, BC, and Alberta.

Frequently Asked Questions

Does PIPEDA apply in Quebec, Alberta, or British Columbia?

PIPEDA does not apply to provincially regulated organisations for intra-provincial activity in these provinces. It does still apply to federal works, undertakings, and businesses (such as banks and telecom companies) and to any personal information that crosses provincial or national borders during commercial activity.

What makes a provincial privacy law "substantially similar" to PIPEDA?

The Governor in Council evaluates whether the provincial law provides comparable protections: rules limiting collection, use, and disclosure to appropriate purposes; meaningful consent requirements; individual access rights; and an independent oversight body. The OPC reports annually to Parliament on the status of provincial legislation.

Do I need a cookie banner if my website only targets visitors in Alberta or BC?

Alberta and BC's PIPAs require meaningful consent before collecting personal information, including through cookies. While neither mandates a specific banner format, displaying a clear consent mechanism is the most practical way to meet the requirement. If any Quebec visitors reach your site, Law 25's stricter opt-in standard applies to them.

How does Quebec Law 25 differ from PIPEDA on cookie consent?

Law 25 requires express, opt-in consent before any tracking technology is activated. Privacy settings must default to the highest protection level. PIPEDA, by contrast, allows implied consent for less sensitive cookie uses provided the purpose is clearly disclosed and an opt-out mechanism is available.

Will Bill C-27 change the substantially similar framework?

Bill C-27 died on the Order Paper when Parliament was prorogued in January 2025. As of early 2026, no replacement legislation has been tabled. If a new federal privacy law is eventually passed, existing exemption orders for provincial laws would need to be reissued under the new statute.

Can provincial privacy commissioners investigate organisations based in other provinces?

Provincial commissioners have jurisdiction over activity occurring within their province. For cross-border matters, the OPC and provincial offices collaborate under a memorandum of understanding. Joint investigations - such as those into OpenAI and TikTok - are increasingly common.

Which Canadian province has the strictest privacy law?

Quebec. Law 25 imposes mandatory privacy impact assessments, requires express consent for sensitive data, defaults privacy settings to the highest level, and carries fines of up to CAD 25 million or 4% of global turnover. No other Canadian jurisdiction currently matches these requirements.

Protect Your Website Across Canadian Jurisdictions

If your website attracts visitors from multiple Canadian provinces, building a single consent workflow around the strictest applicable standard - currently Quebec's Law 25 - is the most efficient path to compliance. Kukie.io detects visitor location and applies the appropriate consent rules automatically, so your cookie banner adapts whether the visitor is in Montreal, Calgary, or Toronto.
