What Is PIPA? Alberta and BC Privacy Law Explained
PIPA, the Personal Information Protection Act, exists in two provincial versions: Alberta's PIPA and BC's PIPA, both in force since January 2004. Both have been deemed "substantially similar" to federal PIPEDA, which means provincially regulated private sector organizations in Alberta and BC are governed by their provincial PIPA rather than PIPEDA. Federally regulated businesses (banks, telecoms, airlines, interprovincial carriers) remain under PIPEDA regardless of location.
How Alberta PIPA and BC PIPA differ from PIPEDA
- Stricter collection limitation — both provincial PIPAs more explicitly limit collection to what is "reasonably required" for the identified purpose; PIPEDA uses a broader standard
- Individual access rights — Alberta PIPA gives individuals broader rights to correct personal information; BC PIPA has slightly different access request timelines (30 days vs. PIPEDA's 30 days with a possible 30-day extension)
- No mandatory breach reporting regime — unlike PIPEDA (post-2018), Alberta's PIPA does not have a mandatory breach reporting regulation (though an amendment is pending); BC's PIPA also lacks mandatory breach reporting
- Consent for sensitive information — both PIPAs require express (opt-in) consent for sensitive personal information; PIPEDA allows organizations to determine the appropriate form based on sensitivity
Which businesses are covered by PIPA vs. PIPEDA?
Alberta or BC businesses that are provincially regulated use PIPA. Federally regulated businesses in Alberta and BC use PIPEDA. In practice:
- PIPA applies to: most private sector businesses in Alberta or BC — retail, professional services, healthcare (unless PHIPA-equivalent legislation applies), technology companies, and non-federally regulated employers
- PIPEDA applies to: banks, interprovincial transportation, telecommunications companies, and broadcasting — even if operating solely in Alberta or BC
- Both can apply: organizations with operations both within and outside Alberta/BC may be subject to both laws for different aspects of their business
PIPA compliance requirements
Both Alberta and BC PIPA require organizations to:
- Designate a privacy officer responsible for compliance
- Document purposes before or at the time of collection
- Obtain meaningful consent; express consent for sensitive information
- Limit collection to what is reasonably required
- Implement safeguards appropriate to the sensitivity of the information
- Allow individuals to access and correct their personal information
- Respond to access requests within 30 days (with possible extension)
Quebec Law 25 — a different provincial framework
Quebec operates under its own privacy regime — Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) — which is the strictest Canadian privacy law as of 2026:
- Mandatory privacy impact assessments (PIAs) before launching new systems or transferring personal information outside Quebec
- Mandatory breach notification to the Commission d'accès à l'information (CAI) within 72 hours
- Privacy officer must be registered with the CAI
- Data minimization, right to de-indexing (similar to GDPR's right to be forgotten)
- AI decision-making transparency requirements
Related glossary terms
- PIPEDA — Federal privacy law
- PHIPA — Ontario health privacy law
- FINTRAC Compliance
- vCISO — Virtual CISO
- BDR — Backup and Disaster Recovery
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677