Privacy law is increasingly complex for Canadian businesses operating online. Two frameworks dominate the conversation: PIPEDA, Canada's federal private-sector privacy law, and GDPR, the European Union's sweeping data protection regulation. Understanding which one applies to your business - and how they interact - is essential for operating legally and building customer trust.
PIPEDA: Canada's Federal Privacy Baseline
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations in Canada collect, use, and disclose personal information in the course of commercial activity. If you run a business in Canada and collect any personal information from customers - names, email addresses, purchase history, IP addresses - PIPEDA applies to you by default.
Key requirements under PIPEDA include:
- Obtaining meaningful consent before collecting personal information
- Using information only for the purposes it was collected for
- Allowing individuals to access and correct their own information
- Implementing reasonable security safeguards
- Notifying the Office of the Privacy Commissioner of Canada (OPC) and affected individuals in the event of a breach that poses a "real risk of significant harm"
Breach notification timelines under PIPEDA require reporting to the OPC "as soon as feasible" after determining a breach has occurred - there is no fixed number of hours specified, which gives some flexibility but also creates ambiguity.
GDPR: European Law With Global Reach
The General Data Protection Regulation applies to any organization that processes the personal data of people located in the European Union - regardless of where that organization is based. If you sell products to EU customers, have EU subscribers to your newsletter, or use analytics that track EU visitors, GDPR likely applies to your business.
GDPR is significantly more prescriptive than PIPEDA:
- Consent must be freely given, specific, informed, and unambiguous - pre-ticked boxes do not qualify
- Breach notification must occur within 72 hours of becoming aware of a breach (far stricter than PIPEDA's "as soon as feasible" standard)
- Right to erasure (the "right to be forgotten") requires you to delete a person's data upon request, subject to certain exceptions
- Data portability - individuals can request their data in a machine-readable format
- Fines can reach €20 million or 4% of global annual revenue, whichever is higher
Which Law Applies to Your Canadian Business?
The short answer: probably both, and they are not mutually exclusive.
If you operate primarily in Canada and serve Canadian customers, PIPEDA is your baseline requirement. If you have EU customers - even a handful - GDPR layers on top. The practical compliance overlap is substantial: if you build your privacy practices to meet GDPR standards, you will generally satisfy PIPEDA as well, since GDPR is the stricter of the two.
The main area where this matters practically is breach notification. Under GDPR, you have 72 hours from becoming aware of a breach to notify the supervisory authority. Under PIPEDA, you report to the OPC "as soon as feasible." If EU customers are affected by a breach, the 72-hour GDPR clock governs, so your response procedure should be built around the stricter deadline.
Quebec's Law 25: Canada's Closest GDPR Equivalent
Alberta and British Columbia have their own provincial privacy laws substantially similar to PIPEDA. But Quebec went further. Law 25 (formally An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) introduced GDPR-like requirements for Quebec-based businesses:
- A mandatory Privacy Officer designation for organizations
- Privacy Impact Assessments (PIAs) for high-risk data projects
- A 72-hour breach notification window - matching GDPR's timeline
- Explicit consent requirements and the right to data portability
- Significant fines (up to $25 million or 4% of worldwide turnover)
If your business collects personal information from Quebec residents, Law 25 applies regardless of where your company is headquartered.
Practical Steps for Canadian Businesses
You do not need to become a privacy lawyer, but you do need a plan:
- Audit your data collection - know exactly what personal information you collect and why
- Update your privacy policy to reflect PIPEDA requirements (and GDPR/Law 25 if applicable)
- Add a cookie consent mechanism if you use tracking cookies and serve EU or Quebec visitors
- Establish a breach response procedure so you can meet the 72-hour window whenever GDPR or Law 25 applies to the affected individuals
- Host data in Canada where possible - keeping Canadian customer data on Canadian servers simplifies jurisdiction questions
Privacy compliance is an ongoing practice, not a one-time checkbox. Start with an honest audit of what data you collect, and build your policies around what you actually do.