Canada Data Privacy Laws: PIPEDA & Provincial Guide (2026)

Canada's data privacy framework centers on PIPEDA (SC 2000, c 5) for federal private-sector and cross-border activity, with Quebec Law 25, Alberta PIPA (SA 2003, c P-6.5), and BC PIPA (SBC 2003, c 63) applying within their respective provinces, each enforced by a separate regulator with its own penalty structure.
Canada's approach to data privacy is deliberately layered: federal legislation, provincial statutes, and sector-specific rules operate simultaneously, and organizations must navigate whichever combination applies to their activities and geography. Unlike jurisdictions with a single comprehensive data protection law, Canada requires compliance officers to identify which of several parallel regimes governs each category of data they handle.
This guide covers the complete Canadian privacy landscape as it stands in May 2026, from the federal PIPEDA framework and Quebec's GDPR-comparable Law 25, to recent landmark enforcement decisions, the death of Bill C-27, the passage of Bill C-15, and the 45th Parliament's reform agenda.
For Canadian laws on audio and video recording consent, see our companion article on Canada recording laws.
Jurisdiction scope: This article addresses Canada's federal private-sector privacy law (PIPEDA, SC 2000, c 5), the federal public-sector Privacy Act (RSC 1985, c P-21), the provincial private-sector statutes in Quebec, Alberta, and British Columbia, and recent federal legislative developments. It does not address provincial health information acts (PHIPA, HIA, etc.) or sector-specific federal privacy rules (such as the privacy provisions of the Bank Act that apply alongside PIPEDA in the financial sector). Statutes cited reflect their in-force versions as of May 19, 2026.
Quick Answer: Which Privacy Law Applies to You?
Canadian privacy law does not follow a single statute. Whether PIPEDA or a provincial equivalent governs your organization depends on two factors: what sector you operate in, and where your data-handling activity takes place.
Federal PIPEDA applies to every private-sector organization that collects, uses, or discloses personal information in the course of commercial activity across provincial or national borders, plus all federally regulated industries (banking, telecommunications, interprovincial transportation, broadcasting) regardless of province.
Quebec's Law 25 applies instead of PIPEDA for private-sector intra-provincial activity in Quebec. PIPEDA still applies to federally regulated entities and cross-border transfers even in Quebec.
Alberta's PIPA and BC's PIPA apply instead of PIPEDA for private-sector intra-provincial activity in those provinces. PIPEDA still governs federally regulated sectors and cross-provincial data flows.
The federal Privacy Act governs the approximately 265 federal government institutions: departments, agencies, Crown corporations, and agents of Parliament. It does not apply to private-sector entities.
All other provinces and territories have no substantially similar private-sector law; PIPEDA governs by default.

PIPEDA: Canada's Federal Private-Sector Privacy Law
The Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c 5, has governed Canada's private sector since it took full effect in 2004. PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activity. It defines "personal information" broadly as any information about an identifiable individual (s. 2(1)), a definition courts and the OPC have interpreted to capture not only names and contact details but also IP addresses, device identifiers, and behavioural profiles.
PIPEDA covers every private-sector organization handling personal information as part of commercial activity in Canada, including businesses operating across provincial borders, all federally regulated industries, and any organization transferring personal information across provincial or national borders for processing. It does not apply to provincial or federal government institutions.
The 10 Fair Information Principles
PIPEDA is built on 10 Fair Information Principles set out in Schedule 1 of the Act. These principles form the backbone of every compliance obligation under the law:
- Accountability. An organization is responsible for personal information under its control. It must designate a privacy officer and remain accountable for data transferred to third-party processors through contractual or other means.
- Identifying Purposes. The purposes for collecting personal information must be identified at or before the time of collection.
- Consent. The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except in specific circumstances defined by the Act.
- Limiting Collection. The collection of personal information must be limited to what is necessary for the identified purposes.
- Limiting Use, Disclosure, and Retention. Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. It must be retained only as long as necessary.
- Accuracy. Personal information must be as accurate, complete, and up to date as necessary for the purposes for which it is to be used.
- Safeguards. Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
- Openness. An organization must make its policies and practices regarding the management of personal information readily available to individuals.
- Individual Access. Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information, with the right to challenge its accuracy.
- Challenging Compliance. An individual must be able to challenge an organization's compliance with these principles by contacting the designated privacy officer or the Office of the Privacy Commissioner of Canada.
The Appropriate Purposes Test (PIPEDA s. 5(3))
Section 5(3) of PIPEDA establishes a separate, foundational obligation that operates alongside the 10 Principles: an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. This is the "appropriate purposes" test.
The test is not the same as consent. Even where an individual has given consent, collection or use for an inappropriate purpose violates s. 5(3). The OPC has applied this test in numerous investigations to strike down purposes that, while technically consented to, were found to be disproportionate to the legitimate organizational need.
The appropriate-purposes test gained new prominence in May 2026 when the OPC and three provincial regulators applied it in their joint investigation of OpenAI's ChatGPT. The regulators found that training a large language model could, in principle, constitute an "appropriate purpose" under PIPEDA. However, they held that OpenAI failed to obtain valid consent for scraping publicly accessible personal information and for using user interactions to fine-tune its models. The finding establishes that "publicly available" information online does not, under PIPEDA, automatically become available for commercial AI training without satisfying the consent principles.
Consent Framework Under PIPEDA
Consent under PIPEDA must be meaningful. Organizations must explain in plain language what personal information they collect, why they collect it, and how it will be used or disclosed. The OPC's guidelines require consent to be:
- Informed. Individuals must understand what they are agreeing to.
- Voluntary. Consent cannot be bundled as a condition of service unless the information is genuinely required to provide that service.
- Specific. Blanket consent covering unlimited future uses is not valid.
Consent can be express (written or oral affirmation) or implied (where the purpose would be obvious to a reasonable person), depending on the sensitivity of the information and the reasonable expectations of the individual. Sensitive information, such as health records, financial data, or information about minors, almost always requires express consent.
Individuals have the right to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice from the organization about the implications of withdrawal.
The Office of the Privacy Commissioner of Canada
The Office of the Privacy Commissioner of Canada (OPC) is the federal body responsible for overseeing compliance with both PIPEDA and the Privacy Act. The Privacy Commissioner is an independent Agent of Parliament, reporting directly to Parliament rather than to a minister.
The OPC's enforcement powers under PIPEDA include:
- Investigating complaints filed by individuals about organizational practices.
- Initiating investigations on its own where there are reasonable grounds.
- Conducting audits of organizational privacy practices.
- Issuing reports of findings with recommendations.
- Entering into compliance agreements with organizations.
- Applying to the Federal Court for an order to enforce recommendations.
A significant limitation of the OPC's current authority is that it cannot directly impose fines. For criminal penalties under PIPEDA, the OPC must refer matters to the Attorney General of Canada, who may direct the Director of Public Prosecutions to initiate proceedings. This enforcement gap has been a central argument for legislative reform.
In its 2024-25 Annual Report, the OPC noted an organizational restructuring implemented in May 2025 that combines proactive engagement and formal investigative functions into a single compliance sector to improve efficiency.
Bill C-27: Why Canada's Privacy Reform Failed
Bill C-27, the Digital Charter Implementation Act, 2022, was introduced in June 2022 as the most ambitious overhaul of Canada's privacy framework in two decades. It contained three parts:
- The Consumer Privacy Protection Act (CPPA): Would have replaced PIPEDA Part 1, introducing administrative monetary penalties of up to the greater of CAD $10 million or 3% of global revenue, fines for offences of up to the greater of CAD $25 million or 5% of global revenue, direct order-making powers for the Privacy Commissioner, and a private right of action.
- The Personal Information and Data Protection Tribunal Act: Would have created an independent tribunal to hear appeals and impose the new penalties.
- The Artificial Intelligence and Data Act (AIDA): Canada's first legislative attempt to regulate high-impact AI systems.
After nearly three years of committee study, including a detailed clause-by-clause review in the Standing Committee on Industry and Technology, Bill C-27 died on the Order Paper on January 6, 2025, when the Governor General prorogued Parliament on the advice of Prime Minister Trudeau following his announced resignation. The amendments and stakeholder consultation accumulated over that period were lost with it.
The prevailing view among commentators is that bundling AI regulation with privacy reform slowed both files. The proposed tribunal model also attracted substantial criticism as an unnecessary layer between the OPC and enforcement. These lessons are expected to shape the architecture of the replacement legislation.
Current status as of May 2026: PIPEDA remains in force. No replacement legislation has been tabled. Bill C-15 added a data mobility framework to PIPEDA (see below). The Carney government has signalled comprehensive privacy reform as a priority but no bill has been introduced as of this writing.
What Replaced It: The 45th Parliament Reform Agenda
Following the federal election that brought the Carney government to power, privacy reform returned as a legislative priority in the 45th Parliament. Key signals from the government and the Privacy Commissioner indicate:
Separate AI legislation. The consensus from C-27's failure is that AI regulation should proceed as a standalone bill rather than being bundled with privacy reform. This allows each file to move at its own pace.
Direct OPC enforcement powers. The proposed tribunal model from C-27 may be dropped in favour of giving the Privacy Commissioner direct order-making and penalty-imposing authority, similar to the model in Quebec and the EU.
Higher penalty ceilings. Commentators have reported that the incoming legislation may set penalties as high as the greater of CAD $25 million or 5% of gross global revenue, above the administrative penalty ceiling Bill C-27 proposed and comparable to the EU's GDPR.
Data sovereignty. Prime Minister Carney emphasized data sovereignty in November 2025 as a framework priority, signalling that the new law will address government and corporate obligations to keep certain categories of data within Canadian jurisdiction.
Children's privacy and deepfakes. Both the OPC and parliamentary advocates have identified these as standalone priority areas distinct from the broader reform package.
Until new legislation passes and takes effect, PIPEDA governs private-sector activity and organizations must comply with its existing requirements.
Bill C-15: Data Mobility Now in Force
While comprehensive reform remains pending, Bill C-15 (Budget 2025 Implementation Act, No. 1) made an immediate change. The bill passed third reading on February 26, 2026, adding a new Division 1.2 to PIPEDA establishing a data mobility framework.
Under the new provisions, an organization must, upon an individual's request, disclose that individual's personal information to another designated organization, provided both organizations are subject to a data-mobility framework established by regulation. The Governor in Council is empowered to prescribe the safeguards, technical parameters, and interoperability standards through regulations. The OPC testified before the Standing Committee on Industry and Technology in January 2026 supporting the framework while recommending robust regulatory safeguards.
This makes data portability a statutory right under federal law for the first time. The obligation, however, applies only to organizations covered by a data-mobility framework prescribed by regulation, so the effective date for most organizations depends on when those regulations come into force.
Quebec Law 25: North America's Strongest Privacy Regime
Quebec Law 25 (originally Bill 64, formally known as An Act to modernize legislative provisions as regards the protection of personal information) amended the Act respecting the protection of personal information in the private sector (CQLR c P-39.1) and the public-sector access act. Adopted in 2021, its provisions took effect in three phases: September 2022, September 2023, and September 2024. All provisions are now fully in force.
The result is a privacy regime frequently compared to the EU's GDPR in scope and severity. It is enforced by the Commission d'accès à l'information du Québec (CAI).
Key Provisions of Law 25
Privacy Officer Requirement. Every organization must designate a person responsible for the protection of personal information. By default, this role falls to the person with the highest authority within the enterprise.
Privacy Impact Assessments (PIAs). A PIA is mandatory for any project to acquire, develop, or redesign an information system or electronic service delivery project involving personal information, and before communicating personal information outside Quebec, including to a service provider located outside the province. The PIA for an outside-Quebec communication must conclude that the information would receive adequate protection there.
Mandatory Cookie Consent. Law 25 (s. 8.1 of the private-sector Act) requires that any technological function allowing a person to be identified, located, or profiled be deactivated by default, which in practice makes Quebec the only North American jurisdiction requiring affirmative opt-in consent for tracking cookies and similar technologies, comparable to the GDPR. Organizations must inform the individual of the means available to activate such a function and obtain clear, free, and informed consent before it collects personal information.
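As an added example (not code from the article, and not anything the CAI or the statute prescribes), the following JavaScript shows the control that satisfies the default-off rule: a consent record in which no tracking purpose is active until the user grants it specifically, a gate that runs a tracking loader only for purposes with live consent, and a withdrawal path that both disables the purpose and names the cookies to expire. The purpose names, record shape, cookie names and loader callbacks are assumptions for illustration.

```javascript
// Added example, not code from the article or from any regulator: a consent
// gate for tracking technologies under Quebec Law 25 (s. 8.1 of CQLR c P-39.1).
// Tracking functions stay off until the user gives specific, informed consent
// for that purpose, and consent can be withdrawn later. The purpose names,
// the record shape, the cookie names and the loader callbacks are assumptions.

// Hypothetical purposes a site might ask about. Each must be consented to
// separately: an empty "accept everything" grant is rejected because both
// PIPEDA and Law 25 require consent to be specific, not blanket.
const TRACKING_PURPOSES = Object.freeze(["analytics", "advertising"]);

// New record: no purpose is granted, so every tracking function is off by default.
function createConsentRecord(now = Date.now()) {
  return { version: 1, createdAt: now, purposes: {} };
}

// Record an express grant for the listed purposes. Throws on an empty list
// (blanket consent) or on a purpose the notice never described (uninformed).
function recordConsent(record, purposes, now = Date.now()) {
  if (!Array.isArray(purposes) || purposes.length === 0) {
    throw new Error("consent must name at least one specific purpose");
  }
  for (const p of purposes) {
    if (!TRACKING_PURPOSES.includes(p)) {
      throw new Error(`unknown purpose "${p}": not covered by the consent notice`);
    }
    record.purposes[p] = { grantedAt: now, withdrawnAt: null };
  }
  return record;
}

// Withdrawal keeps the original grant for the audit trail and marks it withdrawn.
function withdrawConsent(record, purpose, now = Date.now()) {
  const entry = record.purposes[purpose];
  if (entry && entry.withdrawnAt === null) {
    entry.withdrawnAt = now;
  }
  return record;
}

// A purpose is active only if it was granted and has not been withdrawn.
function hasConsent(record, purpose) {
  const entry = record.purposes[purpose];
  return Boolean(entry) && entry.withdrawnAt === null;
}

// The gate: run only the loaders whose purpose has live consent. Returns the
// purposes actually activated so the caller can log what was switched on.
function loadTracking(record, loaders) {
  const activated = [];
  for (const [purpose, load] of Object.entries(loaders)) {
    if (hasConsent(record, purpose)) {
      load();
      activated.push(purpose);
    }
  }
  return activated;
}

// Withdrawal must also unwind what was already written. Hypothetical mapping
// from each purpose to the cookies its tag sets, so the caller can expire them.
const COOKIES_BY_PURPOSE = Object.freeze({
  analytics: ["_site_analytics_id"],
  advertising: ["_site_ad_id", "_site_ad_segment"],
});

function cookiesToExpireOnWithdrawal(record) {
  const names = [];
  for (const [purpose, entry] of Object.entries(record.purposes)) {
    if (entry.withdrawnAt !== null) {
      names.push(...(COOKIES_BY_PURPOSE[purpose] || []));
    }
  }
  return names;
}
```

Wire `loadTracking` to both page load and the consent banner's confirm handler, passing loaders that inject the analytics or advertising script tag. Because `hasConsent` is false for a fresh record, a page that never asks simply never loads the tag, which is the default the statute requires; the withdrawal helper exists because disabling future collection without expiring the identifiers already set leaves the profile live.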
Biometric Data. Organizations must notify the CAI at least 60 days before collecting or using biometric data. Biometric identification requires express consent, and organizations must offer a non-biometric alternative.
Data Portability. Since September 22, 2024, individuals have the right to request transfer of their personal information to another organization in a structured, commonly used technological format.
Anonymization. Law 25 permits anonymization as an alternative to destruction of personal information, but only according to generally recognized best practices and criteria set by government regulation.
Sensitive Personal Information. The law establishes a category of sensitive information, including health data, biometrics, and information with a strong expectation of privacy, that attracts heightened obligations.
Quebec Law 25 Penalties
Law 25 introduced a two-tier penalty structure:
Administrative monetary penalties: Up to CAD $10 million or 2% of the enterprise's worldwide turnover for the preceding fiscal year, whichever is greater. For individuals, the cap is CAD $50,000.
Penal fines: Up to CAD $25 million or 4% of worldwide turnover, whichever is greater. For individuals, the penal cap is CAD $100,000. The CAI can initiate penal proceedings within five years of the commission of an offence.
Law 25 also created a private right of action. Individuals may claim punitive damages of at least CAD $1,000 for intentional or grossly negligent interference with their privacy rights.
CAI Enforcement: First Actions Under Law 25
The CAI issued its first enforcement decision under the Law 25 penalty regime in 2024-25 following a self-initiated investigation into biometric practices at a Quebec printing company. The CAI ordered the company to cease using facial recognition technology to control employee access, finding that the technology was being used without meeting the required disclosure and consent obligations under Law 25. Osler's commentary on the decision confirms that Quebec regulators are setting a high bar for biometric data processing.
This was the first concrete demonstration that the Law 25 enforcement machinery is operational and that the CAI is prepared to use its order-making powers.
Alberta and British Columbia: Provincial PIPAs
Alberta and British Columbia each enacted their own Personal Information Protection Acts (PIPA), both declared substantially similar to PIPEDA by the Governor in Council. When a provincial law is deemed substantially similar, it displaces PIPEDA for intra-provincial private-sector activity in that province. PIPEDA continues to apply to federally regulated organizations and to cross-border data transfers.
Alberta PIPA
Alberta's PIPA (SA 2003, c P-6.5) has been in effect since 2004. It applies to private-sector organizations collecting, using, or disclosing personal information in Alberta. The Office of the Information and Privacy Commissioner of Alberta (OIPC-AB) oversees compliance.
Alberta's PIPA reform is advancing more quickly than the federal file. The Standing Committee on Resource Stewardship completed its statutory review and issued a Final Report on February 21, 2025, containing 12 recommendations including:
- Specific provisions governing the collection, use, and disclosure of minors' personal information.
- Authority for the OIPC-AB to impose administrative monetary penalties, with clear criteria and an appeal mechanism.
- Updated requirements to address emerging technologies and alignment with evolving federal and global standards.
In 2026 the Alberta government is conducting further public consultation on PIPA modernization, including an online survey that ran from February 2 to February 17, 2026. PIPA has not undergone major revision since 2010; the current reform process is expected to produce a modernized Act over the next legislative cycle.
British Columbia PIPA
British Columbia's PIPA (SBC 2003, c 63) governs private-sector personal information handling within BC. The Office of the Information and Privacy Commissioner for BC (OIPC-BC) oversees the Act.
A Special Committee of the Legislative Assembly completed a comprehensive review and published 34 recommendations in December 2021 to modernize BC's PIPA. Key recommendations included: introducing meaningful consent, mandatory breach notification, enhanced OIPC-BC audit and enforcement powers including administrative monetary penalties, and alignment with GDPR standards. As of 2026, the BC government has not formally responded to the report or introduced amending legislation.
Both provincial PIPAs share PIPEDA's core principles around consent, purpose limitation, and individual access rights. The practical differences for organizations lie in which regulator they report to, which specific procedural requirements apply, and the pace of reform in each jurisdiction.
Mandatory Breach Notification Under PIPEDA
Since November 1, 2018, organizations subject to PIPEDA must comply with mandatory breach notification requirements established by the Breach of Security Safeguards Regulations (SOR/2018-64).
When a breach of security safeguards occurs involving personal information under an organization's control, the organization must:
- Assess the breach. Determine whether it creates a real risk of significant harm (RROSH) to any individual. Factors include the sensitivity of the information, the probability that it has been or will be misused, and the potential consequences for affected individuals.
- Report to the OPC. If the breach poses a RROSH, the organization must report it to the Privacy Commissioner as soon as feasible using the prescribed form.
- Notify affected individuals. Notification must be given directly to affected individuals as soon as feasible, describing the breach, the information involved, steps the organization is taking, and steps the individual can take to reduce risk of harm.
- Notify third-party organizations. If another organization or government institution could reduce the risk of harm, they must also be notified.
- Maintain records. Organizations must keep a record of every breach of security safeguards, whether or not it triggered reporting, for a minimum of 24 months. The OPC can request access to these records at any time.
Organizations that knowingly fail to report, notify, or maintain breach records face fines of up to CAD $100,000 per offence under PIPEDA s. 28.
PIPEDA Penalties and Enforcement
PIPEDA's penalty framework is modest compared to Quebec's Law 25 or the EU's GDPR, and this gap is the primary driver of the reform agenda:
Summary conviction: Fines up to CAD $10,000 per offence.
Indictable offence: Fines up to CAD $100,000 per offence.
These penalties apply under s. 28 of PIPEDA for knowingly violating breach notification requirements, obstructing the Privacy Commissioner during an investigation, or contravening specific provisions of the Act.
The OPC does not directly issue fines. Enforcement depends on referral to the Attorney General and prosecution by the Director of Public Prosecutions, a process that has been used rarely. Organizations found to have violated PIPEDA may face Federal Court orders requiring correction of practices, publication of notice of actions taken, and payment of damages to complainants including damages for humiliation.
Individual Rights Under Canadian Privacy Law
Canadians have a core set of privacy rights that vary in mechanism by applicable law:
Right to Access. Individuals can request access to any personal information an organization holds about them. Organizations must respond within 30 calendar days under PIPEDA, at minimal or no cost.
Right to Correction. If personal information is inaccurate or incomplete, individuals can request amendments. Where the organization disagrees, the individual's objection must be recorded.
Right to Withdraw Consent. Individuals can withdraw consent for the collection, use, or disclosure of their personal information at any time, subject to reasonable notice and legal or contractual restrictions.
Right to Complain. Individuals can file complaints with the OPC (for PIPEDA matters), the relevant provincial commissioner, or the CAI in Quebec.
Right to Data Portability. Available under Quebec Law 25 (since September 2024) and now federally under the PIPEDA amendments introduced by Bill C-15 (passed February 26, 2026, subject to regulations).
Right to De-indexing. Quebec Law 25 provides a right to de-indexing. PIPEDA does not provide an explicit GDPR-style right to erasure, though the OPC's Google delist finding (PIPEDA Findings #2025-002, August 27, 2025) confirmed a limited right to delist under PIPEDA in circumstances where a reasonable person would find it inappropriate for a search engine to continue returning personal information.
Cross-Border Data Transfers
PIPEDA does not prohibit cross-border transfers of personal information. Instead, it relies on the accountability principle: the transferring organization remains responsible for the protection of personal information regardless of where it is processed.
Organizations must:
- Use contractual or other means to ensure the recipient provides a comparable level of protection.
- Be transparent with individuals about the possibility that their data may be processed in another jurisdiction.
- Assess the risks that foreign laws (including national security and law enforcement access laws) could affect the integrity, security, or confidentiality of the data.
No contract can override the laws of the receiving country. Organizations must weigh the practical reality that transferring data to a jurisdiction with weaker protections or broad government access powers creates residual risk.
Quebec Law 25 imposes stricter requirements, mandating a Privacy Impact Assessment before any transfer of personal information outside the province.
EU Adequacy for Canada
The European Commission renewed Canada's adequacy status on January 15, 2024, confirming that PIPEDA provides a level of protection essentially equivalent to the EU's GDPR. This allows personal data to flow from the EU to PIPEDA-covered Canadian organizations without standard contractual clauses or other supplementary safeguards.
The adequacy finding applies only to commercial organizations subject to PIPEDA. It does not cover:
- Canadian government institutions (governed by the Privacy Act).
- Intra-provincial activity governed solely by a substantially similar provincial law (Quebec, Alberta, BC). The adequacy decision covers recipients subject to PIPEDA, so an organization's federally governed activity (cross-border flows, federally regulated sectors) is covered, while a transfer to its purely provincial activity falls outside the decision and needs a separate GDPR Chapter V mechanism such as standard contractual clauses.
In its renewal decision, the European Commission explicitly noted that some protections developed at sub-legislative level (through OPC guidelines and practices) should be enshrined in statute to enhance legal certainty, and called on Canada to advance legislative reform. The Commission's next four-year review will take place in or around 2028.
The Federal Privacy Act: Public Sector
The Privacy Act (RSC 1985, c P-21) covers the approximately 265 federal government institutions. Federal institutions may only collect personal information directly related to an operating program or activity, and may only use or disclose it for the purpose for which it was collected or a consistent purpose, absent consent.
The Privacy Act grants individuals the right to access their personal information held by government institutions, request corrections, and file complaints with the Privacy Commissioner about government handling of their data.
The Privacy Act has not been significantly updated since 1983. It lacks mandatory breach notification for government institutions and meaningful enforcement mechanisms. Modernization of the Privacy Act is a separate file from private-sector reform; the 45th Parliament reform agenda primarily targets PIPEDA's replacement, though the Privacy Commissioner's 2024-25 Annual Report called for both tracks to advance simultaneously.
Recent Enforcement Highlights
OpenAI ChatGPT: Joint Investigation (May 2026)
On May 6, 2026, the OPC, the CAI, the OIPC-BC, and the OIPC-AB jointly released PIPEDA Findings #2026-002, the results of a multi-year investigation into OpenAI's compliance with federal and provincial privacy legislation in relation to ChatGPT.
Key findings:
- Scraping personal information from the internet does not constitute collection of "publicly available" information exempt from PIPEDA or the provincial PIPAs.
- Building a large language model can in principle constitute an "appropriate purpose" under PIPEDA s. 5(3), but purpose alone does not satisfy the consent requirement.
- OpenAI failed to obtain valid consent for collecting personal information through scraping and through user interactions used to fine-tune models.
- The OPC found the complaint well-founded and conditionally resolved under PIPEDA. The OIPC-BC and OIPC-AB found the complaint well-founded but unresolved, concluding that OpenAI's models are based on scraped data for which valid consent was not and cannot be obtained.
The finding is the most significant Canadian privacy enforcement action involving AI to date.
Google Search: Right to Delist (August 2025)
In PIPEDA Findings #2025-002 (August 27, 2025), the OPC investigated whether Google contravened PIPEDA by returning links to outdated and misleading articles about an individual when their name was searched. The OPC found there are limited circumstances in which a reasonable person would consider it inappropriate for a search engine to return personal information, and confirmed a right to delist under PIPEDA. The decision establishes a Canadian analogue to the EU's "right to be forgotten," though with a narrower scope.
CAI Biometric Enforcement (2024-25)
The CAI issued its first enforcement decision under the Law 25 penalty framework, ordering a Quebec printing company to cease using facial recognition for employee access control after finding the company failed to satisfy the mandatory 60-day advance notification to the CAI and obtain express consent as required under Law 25. This decision signals that the CAI intends to enforce the biometric provisions actively.
World Anti-Doping Agency: Compliance Agreement (2026)
The OPC reached a compliance agreement with the World Anti-Doping Agency in 2026, resolving an investigation into WADA's handling of personal information. The agreement reflects the OPC's increasing willingness to use compliance agreements as an alternative to Federal Court proceedings.
Loblaw PC Optimum Program (2026)
PIPEDA Findings #2026-001 involved an investigation into Loblaw's personal information retention practices for the PC Optimum loyalty program, reflecting continued OPC attention to retail sector data handling.
Comparison: PIPEDA vs. Quebec Law 25
| Feature | PIPEDA | Quebec Law 25 |
|---|---|---|
| Maximum penalty (organizations) | $100,000 | $25 million or 4% of revenue |
| Maximum penalty (individuals) | $100,000 | $100,000 (penal) |
| Breach notification | Mandatory since 2018 | Mandatory |
| Cookie consent | Not explicitly required | Mandatory opt-in |
| Privacy impact assessments | Recommended | Mandatory |
| Private right of action | Limited (Federal Court) | Yes, minimum $1,000 punitive damages |
| Data portability | Yes (Bill C-15, 2026, subject to regulations) | Yes (since September 2024) |
| Biometric disclosure | Not required | 60-day pre-notification to CAI |
| Regulator can fine directly | No | Yes |
| AI scraping guidance | OPC finding #2026-002 | CAI joint finding #2026-002 |
Business Compliance Checklist
Organizations operating in Canada should verify the following obligations depending on which law applies:
Under PIPEDA:
- Designate a privacy officer accountable for compliance.
- Identify purposes for every category of personal information collected, at or before collection.
- Obtain meaningful consent (express for sensitive information; implied where purpose would be obvious and information is not sensitive).
- Limit collection to what is necessary for identified purposes.
- Implement security safeguards appropriate to information sensitivity.
- Post a publicly accessible privacy policy.
- Respond to access requests within 30 days.
- Assess every security incident for real risk of significant harm; report RROSH breaches to the OPC and affected individuals as soon as feasible.
- Maintain records of all security incidents for 24 months.
Additional obligations under Quebec Law 25:
- Conduct a Privacy Impact Assessment before any new project involving personal information.
- Conduct a PIA before transferring personal information outside Quebec.
- Obtain express opt-in consent before deploying tracking technologies (cookies, pixels, etc.).
- Notify the CAI 60 days before collecting or using biometric data.
- Honour data portability requests (transfer to another organization in structured format).
Additional considerations for Alberta and BC:
- Report RROSH breaches to the relevant provincial commissioner (OIPC-AB or OIPC-BC) rather than the OPC for intra-provincial activity.
- Monitor provincial reform developments: Alberta is in active consultation; BC amendments remain pending.
Watch out: Organizations operating in multiple provinces must often comply with multiple regimes simultaneously. A national retailer with customers in Quebec, Alberta, BC, and Ontario must comply with Law 25 for Quebec customers, Alberta PIPA and BC PIPA for customers in those provinces, and PIPEDA for customers elsewhere. Cross-border transfers to the US trigger PIPEDA accountability obligations even where provincial law applies to in-province collection.
The Privacy Act: Federal Public Sector
The Privacy Act (RSC 1985, c P-21) covers the approximately 265 federal government institutions. Federal institutions may only collect personal information directly related to an operating program or activity, and may only use or disclose it for the purpose for which it was collected or a consistent purpose, absent consent.
Individuals have the right to access their personal information held by government institutions, request corrections to inaccurate information, and file complaints with the Privacy Commissioner about government handling of their data.
The Privacy Act has not been significantly updated since 1983. It lacks mandatory breach notification for government institutions and meaningful enforcement mechanisms comparable to PIPEDA's. The Privacy Commissioner's 2024-25 Annual Report called for modernization of the Privacy Act to proceed in parallel with private-sector reform.
Disclaimer
This article presents general legal information about Canadian data privacy laws. It does not constitute legal advice and does not create a solicitor-client relationship. The laws described -- including PIPEDA (SC 2000, c 5), the Privacy Act (RSC 1985, c P-21), Quebec Law 25 (CQLR c P-39.1), Alberta PIPA (SA 2003, c P-6.5), and BC PIPA (SBC 2003, c 63) -- are presented as of their in-force versions on May 19, 2026. Laws change; readers should verify current requirements before relying on any information in this article. Organizations with compliance obligations under Canadian privacy law should consult a lawyer licensed in the relevant Canadian jurisdiction for advice on their specific situation.
Authorities Cited
- Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c 5. https://laws-lois.justice.gc.ca/eng/acts/p-8.6/
- PIPEDA Fair Information Principles -- Schedule 1. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
- OPC Guidelines for Obtaining Meaningful Consent (2018). https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/
- Privacy Act, RSC 1985, c P-21. https://laws-lois.justice.gc.ca/eng/acts/p-21/fulltext.html
- Department of Justice Canada -- Privacy Act overview. https://www.justice.gc.ca/eng/csj-sjc/pa-lprp/pa-lprp.html
- Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as amended by Law 25 (2021). https://www.legisquebec.gouv.qc.ca/en/document/cs/p-39.1
- Commission d'accès à l'information du Québec (CAI). https://www.cai.gouv.qc.ca/english
- Osler -- Law 25 enforcement scheme for protection of personal information in Quebec. https://www.osler.com/en/insights/updates/law-25-a-new-enforcement-scheme-for-protection-of-personal-information-in-the-private-sector-in-que/
- Osler -- Quebec privacy commissioner sets high bar for biometric data processing (2025). https://www.osler.com/en/insights/updates/high-bar-for-biometric-data-processing/
- Personal Information Protection Act (Alberta), SA 2003, c P-6.5. https://www.alberta.ca/personal-information-protection-act
- OPC Issue Sheets -- Review of Alberta PIPA (September 2024). https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/proactive-disclosure/opc-parl-bp/ab_20240924/is_ab_20240924/
- Personal Information Protection Act (BC), SBC 2003, c 63. https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/03063_01
- OPC -- Provincial Laws Deemed Substantially Similar to PIPEDA. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/prov-pipeda/
- Breach of Security Safeguards Regulations, SOR/2018-64. https://www.priv.gc.ca/en/privacy-topics/business-privacy/breaches-and-safeguards/privacy-breaches-at-your-business/gd_pb_201810/
- OPC Guidelines for Cross-Border Data Transfers. https://www.priv.gc.ca/en/privacy-topics/airports-and-borders/gl_dab_090127/
- European Commission adequacy decision renewal -- Canada (January 15, 2024). https://ec.europa.eu/commission/presscorner/detail/en/ip_24_161
- Bill C-27 (44th Parliament, 1st Session) -- LEGISinfo. https://www.parl.ca/legisinfo/en/bill/44-1/c-27
- Fasken -- Prorogation's Digital Impact: Canada's Digital Bills Die on the Order Paper (January 2025). https://www.fasken.com/en/knowledge/2025/01/prorogations-digital-impact
- IAPP -- What 2026 May Bring for Canada's Privacy Reform Efforts. https://iapp.org/news/a/what-2026-may-bring-for-canadas-privacy-reform-efforts
- Bill C-15 (45th Parliament, 1st Session) -- Budget 2025 Implementation Act, No. 1 (Royal Assent path). https://www.parl.ca/DocumentViewer/en/45-1/bill/C-15/first-reading
- OPC -- Statement on Bill C-15 to House of Commons Standing Committee on Industry and Technology (January 2026). https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2026/parl_260126/
- OPC 2024-25 Annual Report -- Prioritizing Privacy in a Data-Driven World. https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/202425/ar_202425/
- PIPEDA Findings #2026-002 -- Joint Investigation of OpenAI OpCo, LLC. https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2026/pipeda-2026-002/
- PIPEDA Findings #2025-002 -- Google Search Engine / Right to Delist (August 27, 2025). https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/
- OPC Compliance Agreement -- World Anti-Doping Agency (2026). https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2026/2026-wada-ca/
- Osler -- Canada's 2026 Privacy Priorities: Data Sovereignty, Open Banking and AI. https://www.osler.com/en/insights/reports/2025-legal-outlook/canadas-2026-privacy-priorities-data-sovereignty-open-banking-and-ai/
Last updated: 2026-05-19. Statutes cited reflect their in-force versions as of 2026-05-19.
Frequently Asked Questions
Does PIPEDA apply to all businesses in Canada?
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity across Canada. However, in Alberta, British Columbia, and Quebec, provincial privacy laws deemed substantially similar to PIPEDA apply instead for intra-provincial commercial activity. PIPEDA still applies to federally regulated industries (banking, telecom, airlines) and to cross-border data transfers regardless of province. In all other provinces and territories, PIPEDA applies by default.
What happens if my organization suffers a data breach in Canada?
Under PIPEDA, you must assess whether the breach creates a real risk of significant harm (RROSH). If it does, you must report it to the Office of the Privacy Commissioner as soon as feasible, notify affected individuals directly, and notify any third-party organization that could reduce the risk of harm. You must also maintain records of all security incidents for at least 24 months, whether or not they triggered reporting. Knowingly failing to report or maintain records can result in fines up to CAD $100,000 per offence under PIPEDA s. 28. Quebec organizations face parallel obligations under Law 25.
How does Quebec Law 25 compare to the GDPR?
Quebec Law 25 is the closest North American equivalent to the GDPR. It requires explicit opt-in consent for cookies and tracking technologies, mandates Privacy Impact Assessments for new projects and cross-provincial data transfers, provides a private right of action with minimum $1,000 punitive damages, and imposes fines up to CAD $25 million or 4% of worldwide revenue for organizations. Key differences include Quebec-specific biometric disclosure requirements (60-day advance notice to the CAI), individual penal caps of $100,000, and the absence of a formal DPO certification process comparable to GDPR Article 37.
Can Canadian organizations transfer personal data to other countries?
Yes. PIPEDA does not prohibit cross-border data transfers but requires organizations to ensure a comparable level of protection through contractual or other means. The transferring organization remains accountable for the data regardless of where it is processed. Quebec Law 25 is stricter, requiring a Privacy Impact Assessment before any transfer outside the province. The EU has recognized PIPEDA as providing adequate protection, allowing data to flow from the EU to PIPEDA-covered Canadian organizations without standard contractual clauses.
What is the current status of Canadian federal privacy reform?
Bill C-27, which would have replaced PIPEDA with the Consumer Privacy Protection Act, died on the Order Paper in January 2025 when Parliament was prorogued. The 45th Parliament under Prime Minister Carney is expected to introduce new comprehensive privacy legislation, potentially with penalties up to 5% of gross global revenue and a data sovereignty framework. In the meantime, Bill C-15 (Budget 2025 Implementation Act, No. 1) passed third reading on February 26, 2026, adding a data mobility framework to PIPEDA. No replacement for PIPEDA has been tabled as of May 2026.
What did the OpenAI ChatGPT privacy investigation find?
In PIPEDA Findings #2026-002 (May 6, 2026), the OPC and three provincial regulators found that OpenAI violated PIPEDA and provincial privacy laws by scraping personal information from the internet without valid consent. The regulators held that 'publicly available' information online is not exempt from privacy law obligations when collected for AI training. Training a large language model can constitute an 'appropriate purpose' under PIPEDA s. 5(3), but that finding does not override the consent requirement. The OPC found the complaint conditionally resolved; the BC and Alberta commissioners found it unresolved.
Is there a right to be forgotten in Canada?
Canada does not have an explicit statutory right to erasure equivalent to GDPR Article 17. However, PIPEDA's retention limitation principle requires organizations to destroy personal information no longer needed for the purpose for which it was collected. In August 2025, the OPC's Google delist finding (PIPEDA Findings #2025-002) confirmed a limited right to delist under PIPEDA: in circumstances where a reasonable person would find it inappropriate for a search engine to continue returning links to personal information, an individual may request de-indexing. Quebec Law 25 provides an explicit right to de-indexing for digital content.
Does federal data portability apply to Canadian organizations now?
Bill C-15 (Budget 2025 Implementation Act, No. 1) added a data mobility framework to PIPEDA and passed third reading on February 26, 2026. Under the new Division 1.2, organizations must, upon an individual's request, transfer that individual's personal information to a designated receiving organization, provided both are subject to a data-mobility framework established by regulation. The practical obligation for most organizations will depend on when the Governor in Council brings the underlying regulations into force. Quebec Law 25 data portability has been in force since September 22, 2024.
What is the appropriate purposes test under PIPEDA?
Section 5(3) of PIPEDA requires that an organization may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. This test is separate from consent: even where consent is obtained, collection or use for an inappropriate purpose violates the Act. The OPC applied this test in the 2026 OpenAI investigation, finding that while building a large language model could in principle be an appropriate purpose, the specific methods OpenAI used to collect personal information through scraping and user interactions did not satisfy the consent obligations.
How does Alberta's PIPA differ from PIPEDA?
Alberta's Personal Information Protection Act (SA 2003, c P-6.5) is substantially similar to PIPEDA and displaces it for intra-provincial private-sector activity. The OIPC-AB enforces Alberta PIPA rather than the federal OPC. Key practical differences include: the OIPC-AB can make binding orders under Alberta PIPA (the federal OPC cannot directly order compliance under PIPEDA), and Alberta PIPA's breach notification threshold and scope differ slightly from PIPEDA's. Alberta is currently conducting reform consultations following the Standing Committee's February 2025 report, which recommended adding administrative monetary penalty powers to the OIPC-AB.