Personal Information Protection and Electronic Documents Act (PIPEDA)
Complete compliance guide for companies with <200 employees. Everything you need to know about PIPEDA requirements, deadlines, and penalties.
Key figures at a glance:
- 30 calendar days, plus a 30-day extension
- CAD 100,000 per violation: up to CAD 100,000 per violation for offences under PIPEDA. The OPC can issue compliance orders and recommend court remedies. Provincial laws (Alberta PIPA, BC PIPA, Quebec Law 25) may apply instead in certain provinces.
- No threshold
- $5,000 – $20,000
- 6-14 weeks
Mid-Market Compliance Guide
PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activity. Companies operating in Quebec, Alberta, or BC may be subject to provincial laws instead. The 30-day deadline with 30-day extension is more lenient than many newer laws.
Key Requirements
- Meaningful consent for collection, use, and disclosure
- Limit collection to purposes identified at time of collection
- Accountability principle — designate a privacy officer
- Safeguard personal information with appropriate security
- Mandatory breach notification to OPC and affected individuals
- Individual access to personal information upon request
Business Obligations
1. Designate a privacy officer accountable for compliance
2. Respond to access requests within 30 days
3. Report breaches posing a real risk of significant harm to the OPC
4. Obtain meaningful consent (not buried in terms)
5. Retain information only as long as necessary
Exemptions
- Federal government institutions (covered by the Privacy Act)
- Provincial organizations where substantially similar provincial law applies
- Personal or household use
- Journalistic, artistic, or literary purposes
Recommended Compliance Tools
- Osano: easy-to-use privacy compliance for mid-market companies (PIPEDA consent management support)
- BigID: AI-powered data intelligence for privacy and security (PIPEDA data mapping and subject access support)
- TrustArc: enterprise privacy management with built-in regulatory intelligence (PIPEDA privacy program management)
- Securiti: AI-powered data command center for privacy, security, and governance (PIPEDA privacy program automation)
- DataGrail: DSAR automation platform that connects directly to your data systems (PIPEDA access request automation)
- Ketch: programmatic privacy platform for responsible data use (PIPEDA consent collection and management)
- Ethyca (Fides): open-source privacy engineering infrastructure (PIPEDA access and deletion via fideslang)
- Mine (SayMine): AI-powered DSAR automation and data minimization (PIPEDA access request automation)
- Didomi: consent management platform for global privacy compliance (PIPEDA consent collection)
- Usercentrics: enterprise consent management with Google-certified CMP status (PIPEDA consent collection support)
- CookieYes: affordable cookie consent and compliance for small businesses (PIPEDA cookie consent)
Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/27/2026.
