PIPEDA at a Glance
The Personal Information Protection and Electronic Documents Act — universally known as PIPEDA — is Canada's federal privacy law for the private sector. It sets the ground rules for how organisations collect, use, and disclose personal information during commercial activities. The law received Royal Assent in 2000, was fully implemented by 2004, and has been amended several times since, most notably through the Digital Privacy Act in 2015, which introduced mandatory data breach reporting.
PIPEDA applies across the country, but with one significant caveat. Three provinces — British Columbia, Alberta, and Quebec — have enacted their own privacy legislation deemed "substantially similar" to PIPEDA by the federal government. In those provinces, the local law takes precedence for intra-provincial commercial activities. The moment data crosses provincial or national borders, or the organisation operates in a federally regulated sector such as banking, telecommunications, or aviation, PIPEDA steps back in.
If your business collects data from Canadian visitors — even if you are based in the UK, the US, or anywhere else — PIPEDA likely applies to you.
The 10 Fair Information Principles
PIPEDA is built on ten fair information principles laid out in Schedule 1 of the Act. These are not optional guidelines. They form the legal backbone of every compliance obligation under the law.
| Principle | What It Requires |
|---|---|
| Accountability | Appoint someone responsible for privacy compliance. Your organisation is liable for personal information in its possession or transferred to third parties for processing. |
| Identifying Purposes | State why you are collecting personal information before or at the time of collection. |
| Consent | Obtain the individual's knowledge and consent before collecting, using, or disclosing their personal information. |
| Limiting Collection | Collect only what is necessary for the stated purposes, by fair and lawful means. |
| Limiting Use, Disclosure, and Retention | Use or disclose personal information only for the purposes it was collected, unless the individual consents to a new purpose. Retain it only as long as needed. |
| Accuracy | Keep personal information accurate, complete, and up to date. |
| Safeguards | Protect personal information with security measures appropriate to its sensitivity. |
| Openness | Make your privacy policies and practices readily available to the public. |
| Individual Access | On request, tell individuals what information you hold about them and how it is used. Provide access and allow corrections. |
| Challenging Compliance | Individuals can challenge your compliance with these principles. You must have procedures in place to receive and respond to complaints. |
Every cookie banner, every privacy policy, and every data processing decision your website makes should trace back to one or more of these principles.
Who Must Comply with PIPEDA?
PIPEDA applies to any private-sector organisation that collects, uses, or discloses personal information during commercial activities in Canada. That includes retailers, SaaS companies, e-commerce shops, marketing agencies, and app developers. It also covers employee personal information in federally regulated industries — banking, telecoms, airlines, and interprovincial transport.
Foreign businesses are not exempt. The Federal Court has applied PIPEDA to organisations based outside Canada where there is a "real and substantial connection" to Canada, such as collecting personal information about Canadian users and marketing to them. If your website sets cookies on Canadian visitors' browsers, collects their email addresses, or tracks their behaviour for advertising purposes, PIPEDA's consent requirements can apply to you regardless of where your servers sit.
Nonprofits and political parties are generally outside PIPEDA's scope — unless they engage in commercial activities such as selling merchandise or running paid events. Provincial health information laws, like Ontario's PHIPA, cover healthcare providers separately.
What Counts as Personal Information?
PIPEDA defines personal information broadly: any information about an identifiable individual. This goes well beyond names and email addresses. IP addresses, device identifiers, cookie IDs, browsing history, purchase records, and location data can all qualify if they can be linked — alone or in combination with other data — to a specific person.
The Federal Court has held that information falls within PIPEDA's definition where there is a "serious possibility" that an individual could be identified through that information, alone or combined with other available data. This interpretation matters enormously for cookies and tracking technologies, which routinely collect data points that can be assembled into identifiable profiles.
Sensitivity is a spectrum, not a binary. Medical records, financial data, and information about sexual orientation are treated as highly sensitive and require express consent. A language preference cookie is on the other end of that scale. Where your data falls on this spectrum shapes which form of consent you need.
Consent Under PIPEDA: Express vs. Implied
Consent is the centrepiece of PIPEDA. Principle 4.3 requires an individual's knowledge and consent for the collection, use, or disclosure of their personal information, with limited exceptions.
PIPEDA recognises two forms of consent. Express consent (opt-in) is required for sensitive information or when the collection would fall outside the individual's reasonable expectations. Implied consent (opt-out) may be acceptable for less sensitive information where the purpose would be obvious to a reasonable person.
The key test is "meaningful consent." The Office of the Privacy Commissioner of Canada (OPC) has published detailed guidelines on this concept, requiring that individuals understand what data is being collected, why, and what happens to it. Pre-ticked boxes, buried privacy policies, and vague language like "we may share data with partners" do not meet the bar.
The 2024 Facebook Ruling: What "Meaningful Consent" Really Means
In September 2024, the Federal Court of Appeal issued a landmark ruling in Privacy Commissioner of Canada v. Facebook, Inc. (2024 FCA 140). The court found that Facebook (now Meta) breached PIPEDA by sharing the data of over 600,000 Canadian users with a third-party app that subsequently sold it to Cambridge Analytica — without obtaining meaningful consent.
The court established that meaningful consent is judged by an objective "reasonable person" standard. It does not matter whether individual users actually read the Terms of Service. What matters is whether a reasonable person would have understood the nature, purpose, and consequences of the data disclosure. Facebook's Terms of Service and Data Policy — roughly 13,600 words combined — were too lengthy and complex to support meaningful consent.
The ruling sends a clear message: lengthy, jargon-heavy privacy policies do not equal consent. If the reasonable user cannot grasp what happens to their data, consent is not meaningful regardless of how many "I agree" buttons they clicked.
PIPEDA and Cookies: What Your Website Needs to Know
PIPEDA does not contain a standalone "cookie law" equivalent to the EU's ePrivacy Directive. Cookies are governed by the same general consent principles that apply to any collection of personal information. If a cookie collects data that can identify an individual — and most analytics and advertising cookies do — PIPEDA's consent requirements apply.
The OPC's guidance on online behavioural advertising is explicit: any collection or use of an individual's web browsing activity must be done with that person's knowledge and consent. Tracking technologies that offer no viable opt-out mechanism — such as device fingerprinting or so-called "zombie cookies" — should not be used at all, because compliance with PIPEDA is impossible without user control.
Which Cookies Need Consent?
Strictly necessary cookies — session identifiers like PHPSESSID or shopping cart cookies — generally do not require consent because they are essential to deliver the service the user requested. Everything else falls into territory where consent is needed.
Analytics cookies such as _ga or _gid from Google Analytics collect browsing behaviour that, when combined with other identifiers, constitutes personal information. The OPC considers implied consent potentially acceptable for basic, non-sensitive analytics — but only if the user is clearly informed and has a genuine way to opt out.
Advertising and tracking cookies like _fbp, IDE, or any cookie used for cross-site profiling require express opt-in consent. The 2023 Home Depot investigation made this unambiguous: when data is used for purposes the individual would not reasonably expect, express consent is the only lawful basis.
The Home Depot Investigation: A Warning for Every Website
In January 2023, the OPC published its findings on Home Depot of Canada's use of Meta's Offline Conversions tool (PIPEDA Findings #2023-001). Home Depot had been collecting customer email addresses at checkout to send e-receipts. Those hashed email addresses, along with purchase details, were simultaneously sent to Meta for advertising measurement — without informing customers.
The OPC found this violated PIPEDA on multiple grounds. Customers had no reason to expect their receipt data would be shared with a social media platform. Home Depot's privacy statement used language too vague to support meaningful consent. And because the data sharing fell outside reasonable expectations, implied consent was insufficient — express opt-in consent was required.
Home Depot cooperated with the investigation, discontinued the practice, and implemented the OPC's recommendations. The complaint was deemed "well-founded and resolved." But the precedent is clear: sharing user data with advertising platforms without transparent, specific consent violates PIPEDA.
Canada's Anti-Spam Legislation and Cookies
PIPEDA does not operate alone when it comes to cookies and tracking scripts. Canada's Anti-Spam Legislation (CASL) also applies. Section 8 of CASL requires consent before installing a computer program, which can include tracking scripts and cookies that go beyond basic website functionality, on a person's device in the course of commercial activity.
CASL deems a person to have expressly consented to the installation of cookies, HTML code, JavaScript and similar programs where their conduct makes it reasonable to believe they consent. A visitor who has been told what tracking runs and carries on using the site may meet that standard; a visitor who has not yet seen any notice is hard to fit into it. So a cookie banner that loads marketing cookies, retargeting pixels, or similar tracking scripts before the user makes a choice could violate both PIPEDA and CASL simultaneously.
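The consent gating that the cookie sections above describe, strictly necessary tags always, analytics only once the user has been informed, advertising only on an express opt-in, and nothing non-essential before the banner has been answered, is implemented below as an added example. It is not code from this page or from any consent-management product. The tag ids, script URLs, the cookie-to-category mapping and the two policy names are assumptions for the illustration. The example goes slightly beyond the text by offering two policies side by side: a strict opt-in policy of the kind Quebec's Law 25 calls for, and a looser PIPEDA policy under which analytics may rely on implied consent from an informed user who has not refused.

```javascript
"use strict";

// Cookie categories. The mapping of real cookies to categories is an assumption
// for illustration; classify your own tags before relying on it.
const CATEGORY = Object.freeze({
  NECESSARY: "necessary",     // session/cart cookies: no consent needed
  ANALYTICS: "analytics",     // e.g. _ga/_gid: implied consent at most, with notice and opt-out
  ADVERTISING: "advertising", // e.g. _fbp/IDE: express opt-in only
});

// Constructed tag registry (hypothetical ids and URLs). `src` is null for
// first-party code already on the page that needs no script injection.
const TAGS = Object.freeze([
  { id: "session", category: CATEGORY.NECESSARY, src: null },
  { id: "analytics", category: CATEGORY.ANALYTICS, src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: CATEGORY.ADVERTISING, src: "https://ads.example/pixel.js" },
]);

// Consent record. `noticed` is true only after the banner has been shown and
// acknowledged; each category stays null until the user makes an explicit choice.
function initialConsent() {
  return { noticed: false, analytics: null, advertising: null, at: null };
}

// The user dismissed an informative notice without picking categories.
function acknowledgeNotice(consent, now = Date.now()) {
  return { ...consent, noticed: true, at: now };
}

// The user made explicit per-category choices (true = opt in, false = refuse).
// Anything that is not a boolean is ignored rather than treated as a yes.
function recordChoices(consent, choices, now = Date.now()) {
  const next = { ...consent, noticed: true, at: now };
  for (const key of ["analytics", "advertising"]) {
    if (typeof choices[key] === "boolean") next[key] = choices[key];
  }
  return next;
}

// May this tag run under the given consent state?
//  "strict":         opt-in for every non-essential category (Law 25 style).
//  "pipeda-implied": analytics may rely on implied consent once the user has
//                    been informed and has not refused; advertising still
//                    needs an express opt-in.
function isAllowed(tag, consent, policy = "strict") {
  if (tag.category === CATEGORY.NECESSARY) return true;
  if (!consent.noticed) return false; // nothing non-essential before a choice
  if (tag.category === CATEGORY.ADVERTISING) return consent.advertising === true;
  if (policy === "strict") return consent.analytics === true;
  if (policy === "pipeda-implied") return consent.analytics !== false;
  throw new Error(`unknown policy: ${policy}`);
}

function allowedTagIds(consent, policy = "strict") {
  return TAGS.filter((t) => isAllowed(t, consent, policy)).map((t) => t.id);
}

// Default injector: appends a <script> in a browser; elsewhere it only records the URL.
const injectedUrls = [];
function defaultInject(tag) {
  if (typeof document !== "undefined") {
    const s = document.createElement("script");
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
  }
  injectedUrls.push(tag.src);
}

// Inject every allowed tag and return the ids that were loaded.
function loadTags(consent, policy = "strict", inject = defaultInject) {
  const loaded = [];
  for (const tag of TAGS) {
    if (!isAllowed(tag, consent, policy)) continue;
    if (tag.src) inject(tag);
    loaded.push(tag.id);
  }
  return loaded;
}

// Stand-alone walk-through.
if (typeof require !== "undefined" && require.main === module) {
  let consent = initialConsent();
  console.log("before any choice:", loadTags(consent, "pipeda-implied"));
  consent = acknowledgeNotice(consent);
  console.log("informed, no choice:", loadTags(consent, "pipeda-implied"));
  consent = recordChoices(consent, { analytics: true, advertising: true });
  console.log("express opt-in:", loadTags(consent, "strict"));
}
```

The check that matters most is the first one: `loadTags` is the only code path that injects third-party scripts, and it refuses every non-essential tag until `noticed` is true, so a template that fires tags on page load cannot leak ahead of the banner. Persist the returned consent record (with its timestamp) so the Accountability principle's audit trail exists, and prefer the `strict` policy if Quebec visitors are in scope.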
Provincial Laws: Quebec's Law 25 and Beyond
If your website receives visitors from Quebec, you face stricter requirements under Quebec's Law 25 (formerly Bill 64), which came fully into force in stages between 2022 and 2024. Law 25 is explicitly opt-in for non-essential cookies — no room for implied consent. It also requires privacy impact assessments before transferring personal information outside Quebec, mandates the appointment of a privacy officer, and imposes administrative penalties of up to CAD 10 million or 2% of worldwide turnover.
Alberta and British Columbia each have their own Personal Information Protection Acts (PIPA). Alberta completed a legislative review of its PIPA in 2025, and amendments are anticipated in 2026 to modernise the law, including specific protections around AI and children's privacy.
The practical takeaway: if you serve visitors across Canada, build your cookie consent to meet the strictest applicable standard. A consent mechanism that satisfies Quebec's Law 25 will generally satisfy PIPEDA and the other provincial laws as well.
Enforcement: How PIPEDA Is Policed
The OPC oversees PIPEDA compliance, but its enforcement model differs significantly from the GDPR's. The OPC cannot directly impose administrative fines. Instead, it investigates complaints (from individuals or on its own initiative), issues findings and recommendations, and works with organisations to implement corrective measures.
In the 2023-2024 fiscal year, the OPC received over 1,200 complaints under PIPEDA and concluded investigations into 47 formal cases with published findings. Recent high-profile investigations have targeted Home Depot's data sharing with Meta, the Cambridge Analytica scandal involving Facebook, and joint investigations with the UK's ICO into the 23andMe data breach.
Penalties and Consequences
PIPEDA's current penalty structure is modest compared to the GDPR. Specific offences — such as failing to report a data breach, failing to maintain breach records, or obstructing an OPC investigation — carry fines of up to CAD 100,000 per violation. The Attorney General of Canada prosecutes these offences, not the OPC.
The bigger risks are reputational and legal. The OPC publishes investigation findings publicly when it deems it in the public interest. Individuals can also bring PIPEDA complaints to Federal Court after the OPC issues its report, where courts have awarded damages for privacy violations. In Chitraker v. Bell TV, the Federal Court awarded CAD 21,000 — including exemplary damages — for a PIPEDA breach involving a credit check without consent.
Class actions are possible too. One PIPEDA-related class action was settled for CAD 2.25 million, though the procedural requirements remain somewhat unsettled in law.
Mandatory Data Breach Reporting
Since November 2018, organisations subject to PIPEDA must report any breach of security safeguards that creates a "real risk of significant harm" to individuals. Reports go to the OPC, affected individuals must be notified as soon as feasible, and organisations must maintain records of all breaches — whether reported or not — for at least 24 months.
"Significant harm" includes financial loss, identity theft, humiliation, reputational damage, and damage to relationships. The OPC considers factors including the sensitivity of the information, the probability of misuse, and whether the breach resulted from a cyberattack.
Knowingly failing to report a qualifying breach, or failing to keep breach records, is an offence under PIPEDA punishable by fines of up to CAD 100,000. The OPC launched an updated online breach-reporting portal in 2024-2025 to streamline submissions from businesses.
PIPEDA vs. GDPR: Key Differences
Many website owners operating internationally need to comply with both PIPEDA and the EU's General Data Protection Regulation. The two laws share a consent-based philosophy, but diverge in important ways.
| Area | PIPEDA | GDPR |
|---|---|---|
| Legal bases for processing | Consent (express or implied) with limited exceptions | Six legal bases including legitimate interests, contract performance, and consent |
| Consent standard | "Meaningful consent" — reasonable person test | Freely given, specific, informed, unambiguous indication |
| Implied consent | Permitted for non-sensitive data in limited contexts | Not permitted — consent requires a clear affirmative act (pre-ticked boxes or silence do not count); explicit consent is additionally required for special-category data |
| Right to erasure | Not explicitly provided (retention limits apply) | Explicit right to erasure (Article 17) |
| Data portability | Not currently in PIPEDA (proposed under CPPA) | Explicit right (Article 20) |
| Maximum fines | CAD 100,000 per offence (current); proposed CPPA: CAD 25 million or 5% of global revenue | EUR 20 million or 4% of global annual turnover |
| Breach notification | "As soon as feasible" — no fixed timeline | 72 hours to supervisory authority |
| Enforcement body | OPC (ombudsman model, limited direct powers) | National DPAs with direct fining authority |
Canada's EU adequacy status was reaffirmed in 2024, meaning personal data can flow from the EU to Canadian organisations without additional transfer mechanisms — as long as PIPEDA applies to the processing.
The Future: CPPA and Privacy Reform
PIPEDA is widely acknowledged as overdue for modernisation. The federal government's attempt to replace it with the Consumer Privacy Protection Act (CPPA) through Bill C-27 died on the order paper when Parliament was prorogued in January 2025.
The story is not over. The federal government has signalled that new privacy reform legislation will be introduced in late 2025 or early 2026. Based on ministerial statements and budget announcements, the replacement law is expected to include substantially higher penalties — potentially up to CAD 25 million or 5% of gross global revenue — along with direct order-making powers for the OPC, a private right of action for individuals, and specific provisions addressing children's privacy and AI-related harms such as deepfakes.
Until that legislation passes, PIPEDA remains in full force. Organisations that build their compliance programmes around PIP