
PIPEDA Explained: Canadian Privacy Law and Your Website

by dotCanada Team

Privacy law is not just for large corporations. If you run a Canadian business website that collects personal information from visitors - through contact forms, newsletter signups, checkout pages, or even anonymous analytics - federal privacy law applies to you.

Understanding your obligations under PIPEDA is not about legal compliance for its own sake. It is about building the kind of trust with Canadian customers that keeps them coming back.

What Is PIPEDA?

PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It is Canada's federal private-sector privacy law, enacted in 2000 and updated periodically since. PIPEDA governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity.

In November 2018, the mandatory breach notification provisions came into force, requiring organizations to report significant privacy breaches to the Office of the Privacy Commissioner (OPC) and notify affected individuals.

Note: PIPEDA is being replaced by the Consumer Privacy Protection Act (CPPA) through Bill C-27, which was introduced in 2022 and is progressing through Parliament. The broad principles described here will carry forward under the new legislation.

Who Does PIPEDA Apply To?

PIPEDA applies to private-sector organizations in Canada that collect, use, or disclose personal information in the course of commercial activity. This includes:

  • Most businesses operating federally across provincial borders
  • Businesses in provinces without substantially similar provincial privacy legislation (Ontario, Manitoba, Saskatchewan, and the Atlantic provinces)

Businesses operating entirely within Alberta, British Columbia, or Quebec may be subject to substantially similar provincial legislation instead of PIPEDA - though PIPEDA can still apply to interprovincial or international data transfers.

If you are a sole proprietor with a small local business and a website, PIPEDA very likely applies to you.

What Counts as Personal Information?

Personal information is broadly defined as information about an identifiable individual. This includes:

  • Name, address, email address, phone number
  • IP addresses and device identifiers (yes, even from anonymous website analytics)
  • Financial information, credit card numbers
  • Health information
  • Opinions, evaluations, and comments about a person

If your analytics tool collects IP addresses and associates them with page views, that data is personal information under PIPEDA.

Key Obligations for Businesses

Consent. You must obtain meaningful consent from individuals before collecting, using, or disclosing their personal information. The form of consent can be express (opt-in) or implied depending on the sensitivity of the information and the nature of the use.

Purpose limitation. You must identify why you are collecting information before you collect it, collect only what you need for that purpose, and use it only for the purpose it was collected. You cannot collect an email address "just in case."

Data access requests. Individuals have the right to access their own personal information held by your organization and to correct inaccuracies. You must respond to access requests within 30 days.

Breach notification. If you experience a breach of personal information that poses a real risk of significant harm to affected individuals, you must notify the OPC and the affected individuals. Failure to report a qualifying breach carries penalties.

Safeguards. You must protect personal information with security safeguards appropriate to the sensitivity of the information. For a small business website, this means at minimum: TLS encryption (HTTPS) on the site, strong passwords, access limited to the people who need it, and regular backups.

Practical Steps for Websites

Write and publish a privacy policy. Your privacy policy must explain what information you collect, why you collect it, how you use it, who you share it with, and how individuals can access or correct their information. Free privacy policy generators exist, but legal counsel can ensure yours accurately reflects your actual practices.

Add cookie consent. If your website uses cookies for analytics, advertising, or tracking purposes, you need to inform visitors and obtain appropriate consent before those cookies are set. A simple cookie banner is the minimum; more detailed cookie management controls are becoming standard.

Minimize data collection. Only collect information you actually need. If you only need an email address to send a newsletter, do not require a full name, phone number, and postal code on your signup form.

Secure your contact forms. Use TLS (HTTPS) on every page that collects personal information - which in practice means your entire site should be served over HTTPS.

Quebec Law 25: A Stricter Standard

Quebec passed its own privacy law modernization through Law 25 (formally An Act to modernize legislative provisions as regards the protection of personal information), which came into force in stages between 2022 and 2023. Law 25 is considered stricter than PIPEDA and aligns more closely with the European GDPR.

If you serve Quebec residents, Law 25 requirements apply, including mandatory privacy impact assessments for certain high-risk processing activities, explicit consent for sensitive information, and stricter rules around the communication of personal information outside Quebec.

Where to Get More Information

The Office of the Privacy Commissioner of Canada (OPC) at opc.gc.ca is the authoritative source for PIPEDA guidance. The OPC publishes plain-language resources for small businesses, including checklists and guidance specific to common business activities.

For legal advice specific to your situation, consult a lawyer with privacy law experience. Privacy non-compliance carries both regulatory penalties and reputational risks that are worth the investment to avoid.
