Privacy Laws in Canada: Federal, Provincial, and Sector-Specific Guide
Complete overview of Canadian privacy laws. PIPEDA, Quebec Law 25, Alberta and BC PIPA, sector-specific rules, and employee privacy rights.
Last updated: 2026-06-07
Canada Has One of the Most Layered Privacy Frameworks in the World
If you do business in Canada or handle the personal information of Canadians, you are dealing with a privacy landscape that is more complex than most. Canada does not have a single privacy law. It has a federal law, multiple provincial laws, sector-specific regulations, and employee privacy rules that vary by province. Understanding which laws apply to your business — and where they overlap — is not optional.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Canadian privacy law is complex and varies by province and sector. You should consult a qualified attorney for guidance specific to your business. The information here is based on PIPEDA, Quebec Law 25, Alberta PIPA, BC PIPA, and related legislation, as of the date of publication.
This guide covers the major layers: the federal framework, provincial laws, sector-specific rules, employee privacy, and the reforms that are reshaping the landscape.
Federal Privacy Law: PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.
Who PIPEDA Applies To
PIPEDA applies to:
- Private-sector organizations operating in provinces that do not have their own substantially similar privacy law (more on this below)
- Federally regulated businesses regardless of which province they operate in — this includes banks, airlines, telecommunications companies, and inter-provincial transportation companies
- All organizations when personal information crosses provincial or national borders in the course of a commercial transaction
The 10 Fair Information Principles
PIPEDA is built around 10 principles set out in Schedule 1 of the Act. These are not aspirational guidelines — they are legally binding:
1. Accountability — an organization is responsible for personal information under its control and must designate an individual to be accountable for compliance
2. Identifying Purposes — the purposes for which personal information is collected must be identified before or at the time of collection
3. Consent — the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information (with limited exceptions)
4. Limiting Collection — the collection of personal information must be limited to what is necessary for the identified purposes
5. Limiting Use, Disclosure, and Retention — personal information must not be used or disclosed for purposes other than those for which it was collected, and must be retained only as long as necessary
6. Accuracy — personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used
7. Safeguards — personal information must be protected by appropriate security safeguards
8. Openness — an organization must make information about its policies and practices relating to personal information management readily available
9. Individual Access — upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to it
10. Challenging Compliance — an individual must be able to challenge an organization's compliance with these principles to the designated individual accountable
Access Rights Under PIPEDA
Under Principle 9, individuals have the right to request access to their personal information held by an organization. The organization must respond within 30 days and must provide the information at minimal or no cost. If the organization refuses access, it must explain why and inform the individual of their right to complain to the Office of the Privacy Commissioner of Canada (OPC).
For a detailed guide to PIPEDA requirements, see our PIPEDA jurisdiction guide.
Provincial Privacy Laws
Three provinces have enacted their own private-sector privacy laws that have been declared "substantially similar" to PIPEDA by the federal government. In these provinces, the provincial law generally applies instead of PIPEDA for matters within the province.
Quebec: Law 25 (Act to Modernize Legislative Provisions as Regards the Protection of Personal Information)
Quebec's privacy framework underwent a major overhaul with the passage of Law 25 (formerly Bill 64), which has been rolling out in phases since September 2022, with full implementation completed in September 2024.
Key features of Quebec Law 25:
- Privacy officer requirement — every organization must designate a person responsible for the protection of personal information; by default, this is the highest authority within the organization
- Privacy impact assessments — required for any project involving personal information, including technology acquisitions and major system changes
- Consent requirements — consent must be clear, free, and informed; consent obtained through "dark patterns" or deceptive practices is invalid
- Right to data portability — individuals can request their personal information in a structured, commonly used technological format
- Mandatory breach notification — organizations must notify the Commission d'accès à l'information (CAI) and affected individuals of any confidentiality incident posing a risk of serious injury
- Significant penalties — administrative monetary penalties of up to 10 million dollars or 2% of worldwide turnover; penal fines of up to 25 million dollars or 4% of worldwide turnover
- Private right of action — individuals can seek punitive damages of at least 1,000 dollars for intentional or grossly negligent violations
Quebec Law 25 is the most GDPR-like privacy law in Canada, and its enforcement framework is significantly stronger than PIPEDA's. If you do business in Quebec, this law deserves careful attention.
For full details, see our Quebec Law 25 guide.
Alberta: Personal Information Protection Act (PIPA)
Alberta's PIPA governs the collection, use, and disclosure of personal information by private-sector organizations operating in Alberta. Key characteristics:
- Broad application — applies to all organizations that collect, use, or disclose personal information in Alberta, not just commercial activities
- Consent model — includes deemed consent (opt-out) for certain purposes, which is broader than PIPEDA in some areas
- Access and correction rights — individuals have the right to access their personal information and request correction of errors
- Breach notification — mandatory notification to the Alberta Information and Privacy Commissioner and affected individuals when there is a real risk of significant harm
- Enforcement — the Alberta Commissioner can order compliance, conduct investigations, and recommend changes, though direct fine-issuing power is more limited than under Quebec Law 25
British Columbia: Personal Information Protection Act (PIPA)
BC's PIPA is similar in structure to Alberta's:
- Applies to private-sector organizations operating in British Columbia
- Consent framework — allows deemed consent in certain circumstances
- Access rights — individuals have the right to request access to their personal information
- Breach notification — mandatory notification to the BC Commissioner when there is a real risk of significant harm to individuals
- Commissioner's powers — the BC Commissioner can order compliance and conduct investigations
Which Law Applies?
The interaction between PIPEDA and provincial laws can be confusing. Here is the general rule:
- If a transaction is entirely within a province that has a substantially similar law (Quebec, Alberta, or British Columbia), the provincial law applies
- If a transaction crosses provincial or national borders, PIPEDA applies
- Federally regulated organizations (banks, telecoms, airlines, etc.) are always subject to PIPEDA, regardless of which province they operate in
- For employee personal information, the picture is different (see below)
In practice, many organizations operating across Canada need to comply with both PIPEDA and one or more provincial laws simultaneously.
Sector-Specific Privacy Rules
Beyond the general private-sector laws, certain sectors in Canada have additional privacy obligations.
Health Information
Several provinces have enacted specific health information privacy legislation:
- Ontario: Personal Health Information Protection Act (PHIPA)
- Alberta: Health Information Act (HIA)
- Manitoba: Personal Health Information Act (PHIA)
- Saskatchewan: Health Information Protection Act (HIPA)
- New Brunswick: Personal Health Information Privacy and Access Act (PHIPAA)
- Newfoundland and Labrador: Personal Health Information Act (PHIA)
These laws govern how health information custodians (hospitals, doctors, pharmacies, health authorities) collect, use, and disclose personal health information. They typically include stricter consent requirements and access rights than general privacy laws.
Financial Services
Federally regulated financial institutions are subject to PIPEDA, but they also face additional obligations under sector-specific regulations, including requirements from the Office of the Superintendent of Financial Institutions (OSFI) and anti-money laundering legislation under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). These regulations impose additional data collection, retention, and security requirements.
Telecommunications
Telecommunications companies are federally regulated and subject to PIPEDA, as well as additional rules enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), including Canada's Anti-Spam Legislation (CASL), which governs electronic messages and includes its own consent framework.
Employee Privacy
Employee privacy is one of the most complex areas of Canadian privacy law, because the rules depend on which province the employee works in and whether the employer is federally or provincially regulated.
The General Rule
PIPEDA does not generally apply to employee personal information for provincially regulated employers. This creates a patchwork:
- Quebec, Alberta, and British Columbia — provincial PIPAs include provisions governing employee personal information
- Other provinces — there is no comprehensive private-sector law covering employee personal information for provincially regulated employers, though some protections exist under employment standards legislation, human rights legislation, and common law
- Federally regulated employers (banks, telecoms, airlines, etc.) — PIPEDA applies to employee personal information
What This Means in Practice
If you are a provincially regulated employer in Ontario, for example, there is no single comprehensive privacy law governing how you handle employee personal information. You still have obligations under employment standards, human rights legislation, and common law, but there is no equivalent of PIPEDA specifically covering employee data.
This gap has been widely criticized and is one of the areas that proposed federal reforms aim to address.
Upcoming Reforms
Canada's federal privacy landscape is in the process of significant reform. The proposed legislation that has been under discussion would replace PIPEDA with a modernized framework. While specific legislative proposals have gone through various iterations (including the Consumer Privacy Protection Act, which was part of Bill C-27), the direction of reform includes:
- Stronger enforcement — including the power for the Privacy Commissioner to issue binding orders and impose administrative monetary penalties
- Enhanced individual rights — including data portability and the right to request deletion of personal information
- Algorithmic transparency — requirements for organizations to explain automated decision-making systems that have a significant impact on individuals
- Children's privacy protections — enhanced protections for personal information of minors
- Expanded application — potentially extending coverage to employee personal information at the federal level
The timeline for federal reform has been uncertain, with multiple legislative proposals stalling or being reintroduced. Organizations should monitor developments but should not wait for reform to ensure their current compliance. The existing laws — PIPEDA and the provincial statutes — are fully in force and actively enforced.
Practical Takeaways for Businesses
If You Operate Across Canada
You likely need to comply with multiple laws simultaneously. At minimum:
- Map which provinces your customers and employees are in
- Determine whether you are federally or provincially regulated
- If you operate in Quebec, Alberta, or BC, know the provincial law as well as PIPEDA
- Build your privacy program to the highest applicable standard — if you comply with Quebec Law 25 (the strictest), you will likely meet the requirements of all other Canadian privacy laws
If You Are Based Outside Canada
If you collect personal information from Canadian individuals in the course of commercial activities, PIPEDA likely applies to you. If you specifically target Quebec consumers, Quebec Law 25 likely applies as well. Canadian privacy laws have extraterritorial reach when it comes to the personal information of Canadian residents.
Key Compliance Steps
- Designate a privacy officer — required under Quebec Law 25 and good practice everywhere
- Map your data flows — know what personal information you collect, where it goes, and why
- Review your consent mechanisms — ensure consent is meaningful and not obtained through deceptive design
- Establish an access request process — be ready to respond to access requests within 30 days
- Implement breach notification procedures — mandatory under PIPEDA, Quebec Law 25, Alberta PIPA, and BC PIPA
- Document your practices — maintain records of your privacy policies, procedures, and compliance activities
References
- PIPEDA: Full text of the Personal Information Protection and Electronic Documents Act. Justice Laws
- Quebec Law 25: An Act to modernize legislative provisions as regards the protection of personal information. Quebec National Assembly
- Alberta PIPA: Personal Information Protection Act. Alberta Queen's Printer
- BC PIPA: Personal Information Protection Act. BC Laws
- Office of the Privacy Commissioner of Canada: Guidance and resources. OPC website
Last reviewed: June 2026. Canadian privacy laws are actively evolving. Verify all statutory references against the current text of the applicable law and consult qualified legal counsel before making compliance decisions for your business.