Private Sector Privacy Laws in Canada
Canadian Privacy Requirements
Any personal data collected, used, shared, or stored by an organization must be protected with appropriate administrative, physical, and technical safeguards to meet Canadian data protection laws.
Federal:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Applies to every organization that handles personal information in commercial activities unless the province or territory has its own substantially similar private‑sector privacy law.
Provincial (substantially similar to PIPEDA)
- Alberta – Personal Information Protection Act (PIPA)
- British Columbia – Personal Information Protection Act (PIPA)
- Ontario – Personal Health Information Protection Act (PHIPA)
- Quebec – Act Respecting the Protection of Personal Information in the Private Sector (Law 25)
Sector‑Specific
- Federal Bank Act
- Consumer credit‑reporting rules
- Credit Union regulations
Enforcement
Privacy commissioners (or provincial ombudsmen where no commissioner exists) monitor compliance and investigate breaches.
Other Laws to Consider for Compliance
General Data Protection Regulation (GDPR)
As of May 25, 2018, the European Union's GDPR may also apply to your organization, if you:
- have physical or legal presence in the European Union (EU)
- offer goods and services to European citizens
- monitor the behaviour of individuals in the EU (e.g., cookies, analytics, location tracking)
California Consumer Privacy Act (CCPA)
- Enacted 2018; amended and updated 2023.
- Serves as the primary privacy framework in the U.S. (no federal equivalent).