PIPEDA Compliance for Canadian Small Businesses in 2026: Bill C-8 + Quebec Law 25


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

PIPEDA STATUS IN 2026

Yes, PIPEDA is still in force. Bill C-27 (the proposed Consumer Privacy Protection Act) lapsed when Parliament prorogued in early 2025, and Bill C-8 (Critical Cyber Systems Protection Act) does not replace PIPEDA. Canadian SMBs handling personal information must comply with PIPEDA’s 10 Fair Information Principles, plus Quebec Law 25 if any Quebec resident’s data is involved. The OPC remains the federal regulator and the law is current to 2026.

Key Takeaways

  • PIPEDA applies to almost every Canadian SMB that handles personal information across provincial or national borders, with no employee-count threshold for the Accountability or Safeguards principles.
  • Across Fusion Computing’s 30+ Canadian SMB PIPEDA engagements in 2024 to 2026, the two most-missed principles are Accountability (no named privacy officer) and Safeguards (no documented vendor due diligence).
  • Quebec Law 25 has been in full force since September 22, 2024 and applies to any business collecting PI about a Quebec resident, with penalty exposure up to CA$25M or 4% of worldwide turnover.
  • Bill C-8 does not replace PIPEDA. It overlays cybersecurity-program obligations on designated critical-systems sectors and is flowing into SMB vendor contracts as a 2026 to 2027 procurement gate.
  • The minimum documented evidence the OPC and CAI expect is a privacy policy naming a privacy officer plus a breach response runbook with 72-hour notification triggers.


What is PIPEDA, and does it apply to a Canadian SMB?

PIPEDA, Quebec Law 25, and Bill C-8 each push Canadian SMBs toward documented monitoring and incident-response evidence. The contractual model most SMBs pick to supply that evidence trail is an MSSP. See our guide on what an MSSP is and how it fits Canadian regulatory requirements.

PIPEDA breach-notification timing is incompatible with the average 241-day industry dwell time. For the practical control most Canadian SMBs use to compress the detection window from months to minutes, see our 2026 guide to managed detection and response (MDR) for Canadian SMBs.

Copilot-specific PIPEDA gap: the Pre-Copilot SharePoint Audit covers the data-layer remediation that PIPEDA places on the data collector when generative AI is added to an existing tenant.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal Canadian privacy law that governs how private-sector organizations collect, use, and disclose personal information in commercial activity. It applies to almost every Canadian SMB handling PI across provincial or national borders, with no employee-count threshold and no revenue floor.

Alberta, British Columbia, and Quebec have provincial laws that Ottawa has declared substantially similar, so PIPEDA does not apply to activity that stays inside one of those three provinces. PIPEDA still applies the moment data crosses a provincial or national border, which catches almost every cloud-using SMB.

Citation capsule. Statutory text: laws-lois.justice.gc.ca. Regulator: Office of the Privacy Commissioner of Canada. Key amendments: 2018 Digital Privacy Act and 2018 Breach of Security Safeguards Regulations.

What does PIPEDA actually require a Canadian SMB to do?

According to the Office of the Privacy Commissioner of Canada (2026), PIPEDA’s 10 Fair Information Principles, codified in Schedule 1 of the Act, apply to every private-sector organization that collects personal information for commercial activity, with no employee-count or revenue threshold. The maximum statutory penalty under PIPEDA is CA$100,000 per offence, with broader exposure through published OPC findings, compliance orders, and cyber-insurance renewal evidence requirements.

PIPEDA codifies 10 Fair Information Principles plus a federal breach-reporting obligation. Every principle applies regardless of size. Accountability and Safeguards drive most IT and operational work; the other eight drive the privacy policy, consent flows, and individual-access procedure.

| Principle | What it requires | Practical control |
|---|---|---|
| 1. Accountability | Name a privacy officer. | Appointment letter; named in privacy policy. |
| 2. Identifying Purposes | State why you collect, at or before collection. | Purpose statement on every form. |
| 3. Consent | Obtain meaningful consent for use and disclosure. | Consent checkbox + plain-language disclosure. |
| 4. Limiting Collection | Collect only what is necessary. | Annual form-field minimization review. |
| 5. Limiting Use & Retention | Use only for stated purpose; retain only as long as needed. | Retention schedule and disposal log. |
| 6. Accuracy | Keep PI accurate, complete, current. | Customer self-service update path. |
| 7. Safeguards | Physical, organizational, technological controls proportionate to sensitivity. | MFA, encryption, RBAC, vendor DDQ, MDR. |
| 8. Openness | Make privacy policies available and clear. | Privacy policy linked from site footer. |
| 9. Individual Access | Allow individuals to access and correct their PI. | Data-subject access request procedure. |
| 10. Challenging Compliance | Provide a way to challenge compliance. | Privacy officer contact published. |

Across Fusion Computing’s 30+ Canadian SMB PIPEDA engagements in 2024 to 2026, the two most-missed principles were Accountability (no named privacy officer) and Safeguards (no documented vendor due diligence). The other eight were usually satisfied by light privacy-policy edits. Want a principle-by-principle gap analysis? Book a free review →

When must a Canadian SMB report a PIPEDA breach?

Under the Breach of Security Safeguards Regulations (SOR/2018-64), PIPEDA mandates breach notification to the OPC and affected individuals “as soon as feasible” after determining a real risk of significant harm, with a 24-month minimum retention period for every breach record. Quebec Law 25 imposes a tighter 72-hour notification window to the Commission d’accès à l’information when a Quebec resident is involved, so most Canadian SMBs build the runbook to the Law 25 standard.

PIPEDA requires notification to the OPC and to affected individuals as soon as feasible after determining a breach poses real risk of significant harm. Every breach must be recorded and the record retained for at least 24 months, including breaches below the reporting threshold. Failing to keep the record is itself a violation.

“Real risk of significant harm” turns on sensitivity and probability of misuse. Most ransomware events with confirmed data exfiltration meet that test. Quebec Law 25 imposes a tighter 72-hour window when a Quebec resident is affected, so most Canadian SMBs build the runbook to the Law 25 standard and use it for every incident.

Need a breach response runbook built to the 72-hour standard? Book a free 30-minute consultation →

What IT controls does PIPEDA’s Safeguards Principle require?

The OPC’s Safeguards guidance (2026) requires controls proportionate to the sensitivity of personal information, naming MFA, encryption at rest and in transit, role-based access, vendor due diligence, and monitored detection and response as the baseline for a typical SMB. Across Fusion Computing’s 2026 vendor due-diligence questionnaires, 7 of 10 cloud-vendor responses were missing at least one PIPEDA-required safeguard attestation, the most common reason a client’s posture fails an OPC review.

Principle 7 requires physical, organizational, and technological measures proportionate to sensitivity. For a typical SMB the OPC has clarified through guidance and findings that this means MFA on every account that touches PI, encryption at rest and in transit, role-based access with quarterly review, vendor due diligence on cloud providers handling PI, and a documented detection and response capability.

The OPC Securing Personal Information self-assessment tool is the canonical checklist. Across Fusion Computing’s 2026 vendor due-diligence questionnaires, 7 of 10 cloud-vendor responses were missing at least one PIPEDA-required safeguard attestation. That gap is the most common reason a client’s posture fails review even when internal controls are strong.

Does Bill C-8 change what PIPEDA requires of my SMB?

Bill C-8 (the Critical Cyber Systems Protection Act plus Telecommunications Act amendments) is moving through Parliament. It does not replace PIPEDA. It overlays cybersecurity-program and incident-reporting obligations on designated federally regulated critical-systems sectors (telecom, finance, energy, transportation), and most Canadian SMBs fall outside the direct designation.

The practical SMB impact is procurement. Designated-sector primes are flowing the obligations down through vendor contracts as a 2026 to 2027 procurement gate, so a 30-employee SaaS or services SMB with a single designated-sector client may need to produce a documented cybersecurity program well before any direct designation lands. The PIPEDA implication is alignment: the controls that satisfy a Bill C-8 flow-down are typically the same controls that satisfy Principle 7.

“Don’t wait for Bill C-8. PIPEDA is the operating regime today, and the controls that satisfy a Bill C-8 flow-down are the same ones that satisfy PIPEDA Principle 7. Build to Quebec Law 25, the strictest of the three. The SMBs caught short in 2026 are treating Bill C-8 as a future problem, not a vendor-contract gate already arriving from primes.”

Mike Pearlstein, CISSP, CEO, Fusion Computing Limited. Drawn from a 2026 PIPEDA readiness review.

Citation capsule. Bill C-8 status: Parliament of Canada LEGISinfo Bill C-8. Cybersecurity-policy frame: Innovation, Science and Economic Development Canada at ised-isde.canada.ca. Full breakdown: our Bill C-8 explainer.

Do I have to comply with Quebec Law 25 if I’m not based in Quebec?

Yes, if you collect personal information about a Quebec resident, regardless of where the business is headquartered. Law 25 has been in full force since September 22, 2024 and applies extra-territorially using residency as the trigger, the same logic GDPR uses for EU data subjects.

The obligations stack on top of PIPEDA: a 72-hour breach notification window to the Commission d’accès à l’information du Québec (CAI), a mandatory privacy-impact assessment for any tech project involving PI, a publicly named Person In Charge, and penalty exposure up to CA$25M or 4% of worldwide turnover.

Across Fusion Computing’s readiness engagements, unrecognized Law 25 exposure is the second-most-common gap behind vendor due diligence, typically in clients with no Quebec head office but a single Quebec customer or hire.

PIPEDA vs Quebec Law 25: where the deltas matter

PIPEDA and Quebec Law 25 stack rather than substitute. The table below pulls the per-area deltas Canadian SMBs hit most often during readiness reviews. Build documentation to the stricter of the two; the same control set satisfies both.

| Compliance area | PIPEDA requirement | Quebec Law 25 requirement | Practical action |
|---|---|---|---|
| Privacy notice | Openness principle: clear, accessible privacy policy. | Same, plus transparency on automated decisions and cross-border transfers. | Publish one notice that satisfies both; flag Quebec residents. |
| Consent | Meaningful consent; opt-out tolerated for low-sensitivity uses. | Express consent for sensitive PI; granular by purpose. | Default to express consent on sensitive fields; document granularity. |
| Breach notification | “As soon as feasible” after real risk of significant harm; 24-month record retention. | 72 hours to the CAI when a Quebec resident is affected. | Build runbook to the 72-hour trigger; one process covers both. |
| Privacy officer | Accountability principle: named privacy officer, no employee-count threshold. | Person In Charge of Personal Information, publicly named. | Appoint a single person to both roles; publish contact in the privacy policy. |
| Cross-border transfers | Accountability follows the data; vendor due diligence required. | Mandatory privacy-impact assessment before transferring PI outside Quebec. | Document a PIA for every US or non-Quebec cloud provider. |
| Automated decisions | No explicit statutory rule; covered by Accountability and Openness. | Disclosure of automated decision-making and a right to explanation. | Add an AI/automated-decisions clause to the privacy notice if any are used. |
| Individual rights | Access and correction (Principle 9). | Access, correction, deletion, portability, and de-indexing. | Extend the data-subject access request procedure to cover Law 25 rights. |
| Records and evidence | Breach register; vendor contracts; consent logs. | PIA file, breach register, governance policy approved by the Person In Charge. | Maintain one combined evidence binder reviewed at the annual tabletop. |

The CAI’s guidance for the private sector is the authoritative source for the Law 25 column. Where PIPEDA and Law 25 say different things, document to the stricter rule; the regulators read the same evidence binder.

How does PIPEDA compare to GDPR, PHIPA, and Bill C-8?

PIPEDA is federal Canadian privacy law for inter-provincial commercial activity. GDPR is EU extra-territorial law with much higher penalty exposure. PHIPA is Ontario-only health-information law. Bill C-8 is a sector-specific cybersecurity-program overlay. They overlap rather than replace each other, and a Canadian SMB serving multiple jurisdictions usually has obligations under three of the four at once.

| Law | Jurisdiction | Trigger | Maximum penalty |
|---|---|---|---|
| PIPEDA | Canada (inter-provincial) | Personal information for commercial activity | CA$100K per offence |
| Quebec Law 25 | Quebec residents (extra-territorial) | PI about a Quebec resident | CA$25M or 4% of turnover |
| GDPR | EU residents (extra-territorial) | PI about an EU data subject | EUR 20M or 4% of turnover |
| PHIPA | Ontario health PI | Health information custodian in Ontario | CA$200K (individual) / CA$1M (org) |
| Bill C-8 | Federal critical-systems sectors | Designated cyber system | Sector-specific (substantial) |

The Information and Privacy Commissioner of Ontario is the regulator for PHIPA. Most Canadian SMBs only need to formally implement PIPEDA, Law 25, and any sector-specific obligations; GDPR-equivalent practice flows in only when EU customer or employee data is involved.

How can a Canadian SMB operationalize PIPEDA + Law 25 compliance?

Five steps in sequence: name a privacy officer, inventory PI, document the Safeguards controls, write a breach response runbook, and run a tabletop annually. End-to-end timing for a 25- to 50-employee SMB lands at 30 to 60 days, with Safeguards typically the longest step because it touches the IT stack.

| Step | Deliverable | Timeline |
|---|---|---|
| 1 | Privacy officer appointment + policy update | Week 1 |
| 2 | PI data inventory | Week 2 |
| 3 | Safeguards documentation: MFA, encryption, RBAC, vendor DDQ, MDR | Weeks 3 to 4 |
| 4 | Breach response runbook (72-hour triggers) | Week 5 |
| 5 | Annual tabletop + quarterly access review | Ongoing |

The OPC PIPEDA Self-Assessment Tool is the lowest-friction checklist for steps 1 through 3. Want Fusion Computing to walk the 5-step sequence? Book a free 30-minute consultation →


Fusion Computing builds PIPEDA + Law 25 readiness for Canadian businesses.

Ontario lawyers adapting PIPEDA controls to legal practice should also review the LawPRO insurance and AI errors disclosure obligations for Rule 7.8-1 framing, and the Law Society of Ontario AI policy template for LSO clause language.

Frequently asked questions

Does PIPEDA apply to my small business in Canada?

Yes, for almost every Canadian SMB. PIPEDA is the federal privacy law for private-sector commercial activity and applies to any organization handling personal information across provincial or national borders, regardless of employee count or revenue. Alberta, British Columbia, and Quebec have substantially similar provincial laws that cover intra-provincial activity, but PIPEDA still applies the moment data crosses a border, which catches almost every cloud-using SMB.

What are the penalties for violating PIPEDA?

PIPEDA’s maximum statutory penalty is CA$100,000 per offence. Broader pressure is reputational: OPC investigation findings are published, compliance orders are public, and Canadian cyber insurance underwriters increasingly require evidence of PIPEDA-aligned controls at renewal. Quebec Law 25 carries materially higher exposure (up to CA$25M or 4% of worldwide turnover), so a single Quebec customer can change the penalty calculus for an SMB.

What does PIPEDA require after a data breach?

Notification to the OPC and affected individuals as soon as feasible after determining the breach poses real risk of significant harm. Every breach must be recorded and retained for at least 24 months, including breaches below the reporting threshold. If a Quebec resident is affected, Law 25’s 72-hour timeline governs, so most Canadian SMBs build the runbook to the tighter Law 25 standard.

Do I need a privacy policy to comply with PIPEDA?

Yes, plus a breach response runbook. The privacy policy satisfies the Openness principle and names the officer required by Accountability. The runbook operationalizes the Breach of Security Safeguards Regulations and the Law 25 72-hour clock. Together those two artifacts are the minimum compliance evidence the OPC and CAI expect to see during an investigation.

What IT security controls does PIPEDA require?

The Safeguards Principle requires physical, organizational, and technological controls proportionate to sensitivity. For a typical SMB that means phishing-resistant MFA on every account that touches PI, encryption at rest and in transit, role-based access with quarterly review, vendor due-diligence questionnaires for cloud providers, and a documented detection and response capability.

Is PIPEDA being replaced by a new Canadian privacy law?

Not as of 2026. Bill C-27 (Consumer Privacy Protection Act and Artificial Intelligence and Data Act) lapsed when Parliament prorogued in early 2025. Bill C-8 is moving through Parliament but is a cybersecurity-program overlay for designated critical-systems sectors, not a PIPEDA replacement. PIPEDA in its current form remains the governing federal privacy law.

How is PIPEDA different from GDPR?

Jurisdiction, consent model, and penalty exposure. PIPEDA is federal Canadian law for inter-provincial commercial activity; GDPR is EU extra-territorial law covering any EU data subject. PIPEDA uses a meaningful-consent standard that tolerates opt-out in many cases; GDPR requires explicit affirmative consent for many categories. PIPEDA’s CA$100K cap is dwarfed by GDPR’s EUR 20M or 4% of turnover. Canadian SMBs only encounter GDPR if they process EU resident data.

Who in my SMB owns PIPEDA compliance?

PIPEDA’s Accountability principle requires a named privacy officer. There is no employee-count threshold and no requirement that the role be full-time. In a sub-50-employee SMB it is typically held by a co-owner, operations lead, or office manager, with the appointment documented in the privacy policy. Quebec Law 25 adds a parallel Person In Charge requirement that the same individual usually fills.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.

100 King Street West, Suite 5700
Toronto, ON M5X 1C7
(416) 566-2845
1 888 541 1611