Skip to content
GDPR by Law

Canada · updated 2026-06-15

Canada

Required

PIPEDA is consent-based like GDPR but enforced softly — the OPC investigates and names rather than fines. The real teeth are in Quebec's Law 25, which brought GDPR-scale penalties to Canada in 2023.

Law:
PIPEDA (+ Quebec Law 25 provincially)
Regulator:
OPC (Office of the Privacy Commissioner of Canada)

Cookie consent

No banner mandate

Breach deadline

As soon as feasible

DPA with vendors

Required

Max fine

PIPEDA: up to CAD 100,000 per knowing violation of specific provisions. Quebec Law 25: up to CAD 25M or 4% of worldwide turnover

What Canada requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Designated privacy officer

    PIPEDA Sch. 1, Principle 1

    Someone must be formally accountable for privacy compliance, with contact details available on request. Quebec requires publishing the title of the person in charge on your website.

    How to implement Name a privacy officer (founder or ops lead is fine at small scale), publish a privacy contact, and document the designation.

    Required
  2. Privacy policy

    PIPEDA Principle 8

    Openness principle: policies must explain what you collect, why, with whom you share, and how to complain — in plain language.

    How to implement The OPC's Home Depot finding stressed that consent buried in a policy nobody reads is not meaningful. Surface key points at the moment of collection, not just in the document.

    Required
  3. Meaningful consent

    PIPEDA Principle 3 + OPC guidelines

    Consent must be meaningful: express for sensitive data or unexpected uses, implied acceptable for obvious low-risk purposes.

    How to implement Apply the OPC's four key elements: what's collected, with whom it's shared, why, and residual risks — surfaced up front. Express opt-in for anything a user wouldn't expect.

    Required
  4. Breach records & notification

    PIPEDA s.10.1–10.3

    Report RROSH breaches to the OPC and individuals as soon as feasible; keep records of every breach for 24 months regardless of severity.

    How to implement The 24-month record duty is the trap — log every incident, however minor, in a breach register. Fines up to CAD 100,000 attach to knowing violations of these specific duties.

    Required
  5. Quebec Law 25 compliance

    Law 25 (Bill 64)

    If you serve Quebec residents: opt-in defaults for tracking, privacy impact assessments for out-of-province transfers, a published privacy officer, and confidentiality-by-default settings.

    How to implement Treat Quebec like an EU member state: consent-first configuration, PIAs for transfers, and French-language notices. Its penalty ceiling (4% of turnover) is Canada's real enforcement risk.

    Conditional
  6. Processor safeguard contracts

    PIPEDA Principle 1.3

    Contractual or other means ensuring comparable protection when third parties process on your behalf, including cross-border.

    How to implement A GDPR-style DPA satisfies this. Disclose in your policy that data may be processed in other jurisdictions (e.g., US hosting) — the OPC requires transparency about foreign processing.

    Required

The details

Cookie consent
No banner mandate under PIPEDA — implied consent can cover non-sensitive analytics, with opt-out for advertising cookies. Quebec's Law 25 is stricter: technologies that identify, locate, or profile users must be off by default (opt-in).
Data Protection Officer
PIPEDA Principle 1 requires someone accountable for compliance — every organization must designate a privacy officer, though it can be an existing employee. Quebec requires designating a person in charge of personal information protection and publishing their title.
Processing agreements
Accountability principle: transfers to processors require contractual protections ensuring comparable protection. Quebec Law 25 additionally requires assessments before communicating personal information outside Quebec.
Breach notification
Breaches posing a 'real risk of significant harm' (RROSH) must be reported to the OPC and affected individuals as soon as feasible, and you must keep records of ALL breaches for 24 months — even trivial ones.
Enforcement in practice
The OPC's Home Depot finding (2023) faulted sharing e-receipt data with Meta without valid consent — no fine, but a compliance order. Quebec's CAI can now levy GDPR-scale administrative penalties.

Data subject rights

What users can demand from you in Canada, and the engineering that satisfies each right.

Right to access

PIPEDA Principle 9

Individuals can access their personal information and learn how it's been used and disclosed, within 30 days.

Respond within 30 days (extendable once with notice). Minimal cost recovery allowed; most companies waive it.

Right to correction

PIPEDA Principle 9.5

Challenge accuracy and have data amended; unresolved disputes must be recorded and forwarded to third parties.

If you disagree with a correction request, you must note the disagreement on the file — a PIPEDA-specific twist.

Withdrawal of consent

PIPEDA Principle 3.8

Consent can be withdrawn at any time, subject to contractual and legal restrictions, and you must explain the consequences.

Functionally close to erasure for consent-based data: provide account deletion and stop processing on withdrawal.

Right to be forgotten / de-indexing (Quebec)

Law 25 s.28.1

Quebec created a statutory right to cessation of dissemination and de-indexing — the closest thing to a Canadian right to erasure.

For Quebec users, support requests to stop disseminating or de-index information that harms reputation or privacy.

Data portability (Quebec)

Law 25 s.27

Since September 2024, Quebec residents can request computerized personal information in a structured, commonly used technological format.

Your JSON/CSV export flow covers this — extend it to Quebec users.

Automated decision-making (Quebec)

Law 25 s.12.1

Quebec requires informing individuals when a decision is based exclusively on automated processing, and offering a chance to make observations.

Add a disclosure and a human-contact route to any fully automated decision affecting Quebec users.

Tools that cover Canada

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • privacy policy

    Termly

    Policy generation covering PIPEDA and Quebec Law 25 alongside GDPR/CCPA.

    Visit Termly →
  • compliance suite

    OneTrust

    PIA workflows for Quebec's transfer assessments and breach registers with the 24-month retention built in.

    Visit OneTrust →
  • cookie consent

    iubenda

    Consent management with per-region behavior — opt-in for Quebec, notice-based elsewhere in Canada.

    Visit iubenda →

Frequently asked questions

Does PIPEDA actually have teeth?

Direct fines are limited (up to CAD 100,000, only for specific knowing violations like breach-reporting failures). The OPC's power is investigation and publicity — findings name companies publicly and can be enforced through Federal Court. Quebec's Law 25, with penalties up to 4% of turnover, is where real financial risk now sits.

Is Canada 'adequate' for GDPR transfers from the EU?

Yes — Canada holds an EU adequacy decision for PIPEDA-covered commercial organizations (reconfirmed in the EU's 2024 adequacy review), so EU-to-Canada transfers need no SCCs. This makes Canadian hosting a convenient option for EU-focused startups.

What does Quebec Law 25 add for a SaaS company?

Opt-in defaults for tracking technologies, a published privacy officer title, privacy impact assessments before sending data outside Quebec, French-language privacy notices, breach reporting to the CAI, and data portability. If you already run EU-grade compliance, extend it to Quebec users and translate.

Do I need to report every breach in Canada?

Report only breaches posing a real risk of significant harm — but record every breach, however small, and keep those records 24 months. The OPC can inspect the register, and missing records are themselves a violation.

Similar jurisdictions

Free download

Get GDPR updates for Canada

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.