What Is PIPEDA? Canada's Federal Privacy Law Explained
PIPEDA — the Personal Information Protection and Electronic Documents Act — is Canada's federal privacy law governing how private sector organizations collect, use, and disclose personal information in the course of commercial activities. As of 2026, non-compliance can result in fines up to $100,000 per complaint, and proposed Bill C-27 (the Consumer Privacy Protection Act) would increase penalties to the greater of $10 million or 3% of global annual revenue.
What does PIPEDA stand for?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act, enacted in 2000 and administered by the Office of the Privacy Commissioner of Canada (OPC). It applies to private sector organizations engaged in commercial activities across Canada, except in provinces that have enacted substantially similar legislation (Alberta, BC, and Quebec for provincially regulated organizations).
PIPEDA's 10 fair information principles
- Accountability — designate a privacy officer responsible for compliance
- Identifying purposes — document why personal information is collected before or at the time of collection
- Consent — obtain meaningful consent for collection, use, and disclosure; implied consent for low-risk purposes, express consent for sensitive information
- Limiting collection — collect only what is necessary for identified purposes
- Limiting use, disclosure, and retention — use personal information only for identified purposes; retain only as long as needed
- Accuracy — keep personal information accurate, complete, and up-to-date
- Safeguards — implement security measures appropriate to the sensitivity of the information
- Openness — make privacy policies readily available
- Individual access — allow individuals to access their personal information upon request
- Challenging compliance — provide a process for individuals to challenge your compliance
PIPEDA mandatory breach reporting requirements
Since November 2018, PIPEDA requires organizations to:
- Report breaches that create a "real risk of significant harm" to the OPC
- Notify affected individuals without unreasonable delay
- Maintain a record of every breach (even if no report was required) for 24 months
- Provide records to the OPC upon request
"Significant harm" includes bodily harm, humiliation, damage to reputation, financial loss, identity theft, and loss of employment. If in doubt, report — the OPC takes a broad interpretation.
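The record-keeping and notification rules above lend themselves to a small breach register. The following Python is an added illustration, not code from this page or from Outsource IT Canada: it keeps one record per incident, computes the 24-month retention end date regardless of whether the breach was reportable, and lists the outstanding OPC-report and individual-notification obligations when the privacy officer has assessed a real risk of significant harm. The `rrosh` flag is assumed to be that assessor's decision (the code validates the recorded harm types against the page's list but does not decide the risk itself), and the sample records are constructed, not real incidents.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Set

# Harm categories the page lists as "significant harm". They are used to
# validate what an assessor records, not to decide RROSH automatically.
SIGNIFICANT_HARM_TYPES = {
    "bodily harm", "humiliation", "damage to reputation",
    "financial loss", "identity theft", "loss of employment",
}
RETENTION_MONTHS = 24  # every breach record is kept this long, reported or not


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    if month == 12:
        last_day = 31
    else:
        last_day = (date(year, month + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


@dataclass
class BreachRecord:
    discovered: date
    description: str
    harms_assessed: Set[str] = field(default_factory=set)
    rrosh: bool = False              # assumed: privacy officer's RROSH decision
    reported_to_opc: bool = False
    individuals_notified: bool = False

    def __post_init__(self) -> None:
        unknown = self.harms_assessed - SIGNIFICANT_HARM_TYPES
        if unknown:
            raise ValueError(f"unrecognised harm type(s): {sorted(unknown)}")

    def retention_ends(self) -> date:
        """Date until which the record must be kept (24 months from discovery)."""
        return add_months(self.discovered, RETENTION_MONTHS)

    def must_retain(self, today: date) -> bool:
        return today < self.retention_ends()

    def outstanding_obligations(self) -> List[str]:
        """Actions still owed for this breach under the reporting rules."""
        todo = []
        if self.rrosh and not self.reported_to_opc:
            todo.append("report to OPC")
        if self.rrosh and not self.individuals_notified:
            todo.append("notify affected individuals")
        return todo


def prune_register(register: List[BreachRecord], today: date) -> List[BreachRecord]:
    """Return only the records still inside their retention window."""
    return [r for r in register if r.must_retain(today)]


# Constructed sample records (hypothetical incidents for illustration only)
SAMPLE_REGISTER = [
    BreachRecord(date(2024, 1, 31), "Laptop holding an unencrypted customer list lost",
                 {"identity theft", "financial loss"}, rrosh=True),
    BreachRecord(date(2023, 3, 10), "Internal email sent to wrong employee, recalled same day",
                 set(), rrosh=False),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for rec in SAMPLE_REGISTER:
        print(rec.discovered, rec.retention_ends(), rec.outstanding_obligations())
    print(len(prune_register(SAMPLE_REGISTER, today)), "record(s) still within retention")
```

The second sample record is the case the page warns about: no report was required, yet it still sits in the register until its 24-month retention ends, so a request from the OPC for breach records can be answered from one place.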
PIPEDA penalties and enforcement
The OPC can investigate complaints and issue findings, but cannot impose fines directly — fines are imposed by the Federal Court. Maximum penalties are $100,000 per conviction for knowingly contravening the Act. Proposed Bill C-27 would dramatically increase penalties to the greater of $10 million or 3% of global annual revenue for the most serious violations, bringing Canada closer to GDPR-level enforcement.
PIPEDA vs. provincial privacy laws
- Alberta PIPA — substantially similar; applies to provincially regulated Alberta businesses; stricter on limiting collection
- BC PIPA — substantially similar; applies to provincially regulated BC businesses
- Quebec Law 25 — stricter; mandatory PIAs for new systems; enhanced consent; mandatory breach reporting to Commission d'accès à l'information; privacy officer registration requirement
- PHIPA (Ontario) — healthcare-specific; stricter than PIPEDA for personal health information; different breach notification rules
What Canadian businesses must do to comply with PIPEDA
- Appoint a privacy officer and document their responsibilities
- Create and publish a privacy policy
- Implement a consent management process for personal information collection
- Conduct privacy impact assessments (PIAs) for new systems and processes
- Implement technical safeguards: encryption at rest and in transit, access controls, audit logging
- Create a breach detection and notification process
- Train staff on privacy obligations annually
- Review vendor contracts — PIPEDA holds you responsible for third-party handling of personal information
PIPEDA and cloud services
PIPEDA does not prohibit storing personal information outside Canada, but requires that you obtain appropriate contractual protections from foreign cloud providers (e.g., US-based vendors). The safest approach for sensitive Canadian personal information is to use cloud services with Canadian data residency — Microsoft 365 and Azure offer Canadian data centres in Toronto (Canada Central) and Quebec City (Canada East).
Related glossary terms
- PHIPA — Ontario health privacy law
- PIPA — Alberta and BC privacy laws
- OSFI Cybersecurity Guidelines
- FINTRAC Compliance
- BDR — Backup and Disaster Recovery
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677
Ready to transform your IT? Call (416) 623-9677 for a free assessment.