In short

PIPEDA is Canada’s federal private-sector privacy law and remains fully in force in 2026. It is built on 10 fair information principles and requires reporting of any breach posing a real risk of significant harm. The proposed Consumer Privacy Protection Act (CPPA) would replace it and raise maximum penalties to 5% of global revenue or $25 million. This guide explains the law today and what changes under the CPPA.

Is PIPEDA still in force in 2026?

Yes. The Personal Information Protection and Electronic Documents Act (PIPEDA) remains Canada’s federal private-sector privacy law in 2026. It is enforced by the Office of the Privacy Commissioner of Canada (OPC). Bill C-27 proposes to replace PIPEDA with the Consumer Privacy Protection Act (CPPA), but until that bill receives Royal Assent and is proclaimed in force, PIPEDA applies in full. Plan for CPPA; comply with PIPEDA today.

Who PIPEDA applies to

PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. It applies across Canada except where a province has substantially similar legislation (Quebec, British Columbia, and Alberta for the private sector; Ontario, New Brunswick, Newfoundland & Labrador, and Nova Scotia for health information). PIPEDA always applies to federally regulated businesses and to personal information that crosses provincial or national borders.

The 10 fair information principles

PIPEDA is built on ten principles in Schedule 1: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. The “safeguards” principle (4.7) is where IT controls live — security proportionate to the sensitivity of the information.

Get the PIPEDA to CPPA Readiness Matrix

This guide explains the law. The matrix turns it into 13 controls you can audit today and shows what changes if the Consumer Privacy Protection Act becomes law.

Open the controls matrix →

Mandatory breach reporting

Since November 2018, PIPEDA requires organizations to report breaches of security safeguards that pose a “real risk of significant harm” (RROSH) to the OPC and to affected individuals, and to keep records of all breaches for at least 24 months. Failure to report a RROSH breach, or to maintain breach records, is an offence.

Penalties — today and under the CPPA

Under PIPEDA today, fines are limited. Knowingly failing to report a RROSH breach, failing to keep breach records, or obstructing an OPC investigation can draw fines of up to $100,000 per offence.

Under the proposed CPPA, the penalty regime changes dramatically: administrative monetary penalties of up to 3% of global revenue or $10 million, and for the most serious offences fines of up to 5% of global revenue or $25 million, whichever is higher. This is the single biggest reason to get ahead of the CPPA now.

How to comply: a practical roadmap

  1. Map your personal information. Know what you collect, why, where it lives, and who you share it with.
  2. Document consent and purposes. Make your privacy policy specific and current.
  3. Implement safeguards. Run the readiness matrix to map your controls to the safeguards principle.
  4. Stand up breach response. Build a RROSH assessment process and a 24-month breach log.
  5. Prepare for CPPA. The matrix flags which controls CPPA would newly require so you are not scrambling later.

PIPEDA and the other Canadian laws

Where provincial law applies, it may govern instead of PIPEDA — for health information, PHIPA governs in Ontario. Federally regulated financial institutions layer OSFI Guideline B-13 on top. Most cyber-insurance applications now test the same safeguards PIPEDA requires, which is why the cyber insurance readiness matrix pairs well with this guide.

About this guide

This guide is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited, a Canadian managed IT and cybersecurity provider and Microsoft Solutions Partner. It is reviewed as legislation and program requirements change. Definitions are written for business leaders, not lawyers — for a legal opinion on your specific obligations, consult qualified counsel.

Want a second opinion on where your organization actually stands? We will review your current controls against this framework in plain language — no jargon, no obligation.

Book a 30-minute consult