Canada · updated 2026-06-15
Canada
PIPEDA is consent-based like GDPR but enforced softly — the OPC investigates and names rather than fines. The real teeth are in Quebec's Law 25, which brought GDPR-scale penalties to Canada in 2023.
- Law:
- PIPEDA (+ Quebec Law 25 provincially)
Cookie consent
No banner mandate
Breach deadline
As soon as feasible
DPA with vendors
Required
Max fine
PIPEDA: up to CAD 100,000 per knowing violation of specific provisions. Quebec Law 25: up to CAD 25M or 4% of worldwide turnover
What Canada requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Designated privacy officer
PIPEDA Sch. 1, Principle 1Someone must be formally accountable for privacy compliance, with contact details available on request. Quebec requires publishing the title of the person in charge on your website.
How to implement Name a privacy officer (founder or ops lead is fine at small scale), publish a privacy contact, and document the designation.
Required -
Privacy policy
PIPEDA Principle 8Openness principle: policies must explain what you collect, why, with whom you share, and how to complain — in plain language.
How to implement The OPC's Home Depot finding stressed that consent buried in a policy nobody reads is not meaningful. Surface key points at the moment of collection, not just in the document.
Required -
Meaningful consent
PIPEDA Principle 3 + OPC guidelinesConsent must be meaningful: express for sensitive data or unexpected uses, implied acceptable for obvious low-risk purposes.
How to implement Apply the OPC's four key elements: what's collected, with whom it's shared, why, and residual risks — surfaced up front. Express opt-in for anything a user wouldn't expect.
Required -
Breach records & notification
PIPEDA s.10.1–10.3Report RROSH breaches to the OPC and individuals as soon as feasible; keep records of every breach for 24 months regardless of severity.
How to implement The 24-month record duty is the trap — log every incident, however minor, in a breach register. Fines up to CAD 100,000 attach to knowing violations of these specific duties.
Required -
Quebec Law 25 compliance
Law 25 (Bill 64)If you serve Quebec residents: opt-in defaults for tracking, privacy impact assessments for out-of-province transfers, a published privacy officer, and confidentiality-by-default settings.
How to implement Treat Quebec like an EU member state: consent-first configuration, PIAs for transfers, and French-language notices. Its penalty ceiling (4% of turnover) is Canada's real enforcement risk.
Conditional -
Processor safeguard contracts
PIPEDA Principle 1.3Contractual or other means ensuring comparable protection when third parties process on your behalf, including cross-border.
How to implement A GDPR-style DPA satisfies this. Disclose in your policy that data may be processed in other jurisdictions (e.g., US hosting) — the OPC requires transparency about foreign processing.
Required
The details
- Cookie consent
- No banner mandate under PIPEDA — implied consent can cover non-sensitive analytics, with opt-out for advertising cookies. Quebec's Law 25 is stricter: technologies that identify, locate, or profile users must be off by default (opt-in).
- Data Protection Officer
- PIPEDA Principle 1 requires someone accountable for compliance — every organization must designate a privacy officer, though it can be an existing employee. Quebec requires designating a person in charge of personal information protection and publishing their title.
- Processing agreements
- Accountability principle: transfers to processors require contractual protections ensuring comparable protection. Quebec Law 25 additionally requires assessments before communicating personal information outside Quebec.
- Breach notification
- Breaches posing a 'real risk of significant harm' (RROSH) must be reported to the OPC and affected individuals as soon as feasible, and you must keep records of ALL breaches for 24 months — even trivial ones.
- Enforcement in practice
- The OPC's Home Depot finding (2023) faulted sharing e-receipt data with Meta without valid consent — no fine, but a compliance order. Quebec's CAI can now levy GDPR-scale administrative penalties.
Data subject rights
What users can demand from you in Canada, and the engineering that satisfies each right.
Right to access
PIPEDA Principle 9Individuals can access their personal information and learn how it's been used and disclosed, within 30 days.
Respond within 30 days (extendable once with notice). Minimal cost recovery allowed; most companies waive it.
Right to correction
PIPEDA Principle 9.5Challenge accuracy and have data amended; unresolved disputes must be recorded and forwarded to third parties.
If you disagree with a correction request, you must note the disagreement on the file — a PIPEDA-specific twist.
Withdrawal of consent
PIPEDA Principle 3.8Consent can be withdrawn at any time, subject to contractual and legal restrictions, and you must explain the consequences.
Functionally close to erasure for consent-based data: provide account deletion and stop processing on withdrawal.
Right to be forgotten / de-indexing (Quebec)
Law 25 s.28.1Quebec created a statutory right to cessation of dissemination and de-indexing — the closest thing to a Canadian right to erasure.
For Quebec users, support requests to stop disseminating or de-index information that harms reputation or privacy.
Data portability (Quebec)
Law 25 s.27Since September 2024, Quebec residents can request computerized personal information in a structured, commonly used technological format.
Your JSON/CSV export flow covers this — extend it to Quebec users.
Automated decision-making (Quebec)
Law 25 s.12.1Quebec requires informing individuals when a decision is based exclusively on automated processing, and offering a chance to make observations.
Add a disclosure and a human-contact route to any fully automated decision affecting Quebec users.
Tools that cover Canada
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
privacy policy
Termly
Policy generation covering PIPEDA and Quebec Law 25 alongside GDPR/CCPA.
Visit Termly → -
compliance suite
OneTrust
PIA workflows for Quebec's transfer assessments and breach registers with the 24-month retention built in.
Visit OneTrust → -
cookie consent
iubenda
Consent management with per-region behavior — opt-in for Quebec, notice-based elsewhere in Canada.
Visit iubenda →
Frequently asked questions
Does PIPEDA actually have teeth?
Direct fines are limited (up to CAD 100,000, only for specific knowing violations like breach-reporting failures). The OPC's power is investigation and publicity — findings name companies publicly and can be enforced through Federal Court. Quebec's Law 25, with penalties up to 4% of turnover, is where real financial risk now sits.
Is Canada 'adequate' for GDPR transfers from the EU?
Yes — Canada holds an EU adequacy decision for PIPEDA-covered commercial organizations (reconfirmed in the EU's 2024 adequacy review), so EU-to-Canada transfers need no SCCs. This makes Canadian hosting a convenient option for EU-focused startups.
What does Quebec Law 25 add for a SaaS company?
Opt-in defaults for tracking technologies, a published privacy officer title, privacy impact assessments before sending data outside Quebec, French-language privacy notices, breach reporting to the CAI, and data portability. If you already run EU-grade compliance, extend it to Quebec users and translate.
Do I need to report every breach in Canada?
Report only breaches posing a real risk of significant harm — but record every breach, however small, and keep those records 24 months. The OPC can inspect the register, and missing records are themselves a violation.
Similar jurisdictions
Free download
Get GDPR updates for Canada
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.