Comply with Canada’s federal private-sector privacy law.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for private-sector organizations. It governs how businesses collect, use, and disclose personal information in the course of commercial activity, based on ten fair information principles.
PIPEDA applies to private-sector organizations across Canada, except in provinces with substantially similar laws (such as Quebec, British Columbia, and Alberta) for intra-provincial activity.

Who needs PIPEDA?

Canadian businesses

Private-sector organizations that collect personal information during commercial activities.

Businesses serving Canadians

Organizations outside Canada that handle the personal data of Canadians may also be subject to PIPEDA.

Key components

Ten principles

Accountability, identifying purposes, consent, limiting collection, and six more fair information principles.

Meaningful consent

Obtain valid, informed consent for collection, use, and disclosure.

Access rights

Individuals can access and correct their personal information.

Breach reporting

Report to the Privacy Commissioner any breach that poses a real risk of significant harm.

How DSALTA helps with PIPEDA

1. Activate PIPEDA

Select PIPEDA from the Frameworks page. DSALTA maps the ten principles to controls.

2. Review privacy controls

Review controls for consent, access, and safeguards.

3. Collect evidence automatically

Connect integrations to maintain privacy evidence.

4. Approve privacy policies

Review and approve Canada-specific privacy policies.

5. Maintain accountability

Track consent records and breach response procedures.

Frequently asked questions

If you collect personal information in the course of commercial activity in Canada, generally yes — unless a substantially similar provincial law applies.
Quebec has its own modernized privacy law (Law 25). Organizations operating there should assess both.