What PIPEDA is and who it applies to
PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It is Canada's federal private-sector privacy law, in force since 2001. It governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities.
PIPEDA applies to most Canadian businesses — including small businesses — when they collect personal information in the course of commercial activities. "Commercial activities" is interpreted broadly: if your website is associated with a business and you are collecting anyone's personal information (including something as simple as their email address through a contact form), PIPEDA applies.
There are exceptions. Organizations based in provinces with "substantially similar" provincial privacy laws — currently Alberta, British Columbia, and Quebec — may instead be governed by their provincial law for purely intra-provincial activities. However, for activities that cross provincial or international borders (which includes most websites), PIPEDA still applies. British Columbia's PIPA and Alberta's PIPA are considered substantially similar; Quebec's Law 25 now supersedes PIPEDA for many Quebec-based activities but has additional requirements of its own.
The ten fair information principles
PIPEDA is built around ten fair information principles drawn from the Canadian Standards Association's Model Code for the Protection of Personal Information. Understanding these principles is more useful than memorizing specific rules, because they guide how to handle situations the specific rules do not cover explicitly.
The ten principles are: accountability (one person in your organization is responsible for PIPEDA compliance), identifying purposes (before you collect information, know why you are collecting it), consent (you need meaningful consent for collection, use, and disclosure), limiting collection (only collect what you actually need), limiting use, disclosure, and retention (do not use data for purposes beyond what was consented to, and do not keep it longer than necessary), accuracy (personal information must be reasonably accurate), safeguards (protect personal information with appropriate security), openness (be transparent about your privacy policies), individual access (people can ask to see what you hold on them), and challenging compliance (people can raise concerns about your compliance).
For a small business website, most of these translate into practical requirements: have a real privacy policy, collect only what you need, do not use a contact form submission for a purpose beyond what the person expected, secure your data storage, and respond if someone asks what data you have on them.
What counts as personal information on a website
Personal information under PIPEDA is broadly defined as "any information about an identifiable individual." This includes the obvious: names, email addresses, phone numbers, mailing addresses, and payment information. It also includes less obvious categories.
IP addresses can be personal information, particularly when combined with other data, and the Office of the Privacy Commissioner has taken the position that IP addresses are personal information in many contexts. This is relevant to website analytics — if you are collecting detailed analytics data (including IP addresses) through tools like Google Analytics, that collection is covered by PIPEDA.
Cookies and tracking pixels can also collect personal information, especially those that build profiles of user behaviour over time or across sites. This is the core reason why cookie consent mechanisms became standard practice — not because of Canadian law specifically, but because European GDPR compliance requirements have pushed most international platforms to implement consent mechanisms that also address Canadian concerns.
Business contact information for individuals — a person's work email address at their employer — is generally not considered personal information under PIPEDA when used for business purposes. But a person's personal email address, even if they used it to contact you for business reasons, is personal information.
Practical requirements for your website
For a standard small business website, PIPEDA compliance comes down to a set of concrete, actionable requirements.
You must have a privacy policy. It must be written in plain language (not legalese), must be readily accessible from your website (typically a link in the footer), must explain what personal information you collect, why you collect it, how you use it, who you share it with, how long you keep it, and how people can access or correct it or submit a complaint.
You must obtain meaningful consent before collecting personal information. For a contact form, including a clear statement of how the submitted information will be used (and not used) is typically sufficient — provided it appears before submission, not buried in a long terms document. Pre-ticked newsletter signup boxes do not constitute meaningful consent under PIPEDA.
You must use a secure connection. Collecting personal information over an unencrypted HTTP connection is inconsistent with the safeguards principle. Every website collecting any personal information must use HTTPS — which requires an SSL/TLS certificate on your hosting. This has been standard practice for years, but if your site still shows "Not Secure" in browsers, it is a compliance problem as well as a trust problem.
You must only collect what you need. If your contact form asks for a phone number but you never call anyone, you should not be collecting phone numbers. This principle is often ignored because collecting more data seems harmless — but collecting more data than necessary creates liability if that data is breached.
You must have a retention policy. You cannot keep personal information indefinitely. Define how long you keep contact form submissions, email records, and any other collected data, and actually purge it when that period ends.
You must disclose if you share data with third parties. Using Google Analytics, Facebook Pixel, a newsletter service, a CRM, or any third-party tool that receives personal information constitutes disclosure to a third party. Your privacy policy must list these and explain what information is shared and why.
Quebec Law 25: stricter rules if you operate there
If your business operates in Quebec or targets Quebec residents, you also need to be aware of Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), which was substantially amended between 2022 and 2024 and is now among the strictest data protection laws in North America — comparable in many respects to Europe's GDPR.
Law 25 requires explicit opt-in consent for collecting sensitive information (rather than implied consent), privacy impact assessments for high-risk uses of personal information, the right to data portability (people can ask you to export their data in a standard format), the right to deletion, and mandatory reporting of privacy incidents to the Commission d'accès à l'information (CAI) within 72 hours of discovering a breach if it poses a risk of serious harm.
It also requires that any automated decision-making that significantly affects individuals must be disclosed, and individuals must be able to ask for human review of automated decisions. For most small business websites, this is not relevant — but if you use any kind of automated scoring, filtering, or recommendation system, it becomes relevant.
Law 25 applies to any organization that collects personal information about Quebec residents, regardless of where the organization is based. A BC business with a website targeting Quebec customers needs to comply.
The most common PIPEDA failures on small business sites
No privacy policy, or a copy-pasted template that does not reflect actual practices. A generic template that does not accurately describe your actual data practices is worse than useless — it creates a misleading statement that could be used against you in a complaint. Privacy policies need to be accurate.
Google Analytics without disclosure. Google Analytics collects detailed data including IP addresses and behavioural data. If your privacy policy does not mention it, and you are running GA on your site, you are not meeting the disclosure requirements.
Contact forms that do not state their purpose. Adding a brief note near your contact form — "We use the information you provide to respond to your enquiry. We do not add you to any mailing list." — is simple, meaningful, and constitutes the consent acknowledgment PIPEDA requires.
Newsletter signups without clear opt-in. Canadian Anti-Spam Legislation (CASL) has its own requirements for commercial electronic messages on top of PIPEDA's requirements — and CASL requires express or implied consent before sending commercial email. Pre-checked boxes, ambiguous single opt-in practices, or adding people to lists from contact form submissions without explicit agreement can constitute CASL violations, which carry substantial penalties.
Storing old contact form data indefinitely. Most website contact form submissions end up in a database or email inbox and are never purged. Defining a retention period — "we delete contact form data after 24 months" — and actually implementing it is a real compliance requirement.
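As an added example, not part of the original article, the following purge job enforces the 24-month contact-form retention period described in the retention requirement and in the failure just above. The table name, its columns and the ISO-8601 timestamps are assumptions; the job counts retention in calendar months rather than a fixed number of days, treats a submission exactly at the cutoff as retained, and records only how many rows were removed, so the purge log itself holds no personal information.

```python
"""Retention purge for contact form submissions (added example, assumed schema)."""
import calendar
import sqlite3
from datetime import datetime

RETENTION_MONTHS = 24  # the period stated to users in the privacy policy

def retention_cutoff(now: datetime, months: int = RETENTION_MONTHS) -> datetime:
    """Instant before which a submission is past retention.
    Uses calendar-month arithmetic so '24 months' is not approximated as 730 days;
    the day is clamped for shorter target months (e.g. 29 Feb -> 28 Feb)."""
    total = now.year * 12 + (now.month - 1) - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(now.day, calendar.monthrange(year, month)[1])
    return now.replace(year=year, month=month, day=day)

def retention_cutoff_iso(now_iso: str, months: int = RETENTION_MONTHS) -> str:
    """String-in, string-out wrapper for schedulers that pass ISO timestamps."""
    return retention_cutoff(datetime.fromisoformat(now_iso), months).isoformat()

def purge_expired_submissions(conn: sqlite3.Connection, now: datetime) -> int:
    """Delete every submission older than the cutoff and return the row count.
    Rows stamped exactly at the cutoff are kept (strict '<')."""
    cutoff = retention_cutoff(now).isoformat()
    cur = conn.execute(
        "DELETE FROM contact_submissions WHERE submitted_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount  # log this number, never the deleted contents

# Constructed sample data (hypothetical table; all timestamps UTC, same format
# as isoformat() so text comparison in SQL orders them correctly).
SAMPLE_NOW = "2025-06-01T00:00:00+00:00"  # cutoff becomes 2023-06-01T00:00:00+00:00
SAMPLE_ROWS = [
    ("a@example.com", "quote request", "2022-01-15T10:00:00+00:00"),  # expired
    ("b@example.com", "follow-up",     "2023-05-31T23:59:00+00:00"),  # expired by 1 min
    ("c@example.com", "boundary",      "2023-06-01T00:00:00+00:00"),  # exactly at cutoff: kept
    ("d@example.com", "recent",        "2025-03-01T09:00:00+00:00"),  # kept
]

def run_demo():
    """Build the in-memory sample table, purge it, return (deleted, remaining)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact_submissions (id INTEGER PRIMARY KEY, "
                 "email TEXT, message TEXT, submitted_at TEXT)")
    conn.executemany("INSERT INTO contact_submissions (email, message, submitted_at) "
                     "VALUES (?, ?, ?)", SAMPLE_ROWS)
    deleted = purge_expired_submissions(conn, datetime.fromisoformat(SAMPLE_NOW))
    remaining = conn.execute("SELECT COUNT(*) FROM contact_submissions").fetchone()[0]
    return deleted, remaining

if __name__ == "__main__":
    print("deleted=%d remaining=%d" % run_demo())
```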
What happens if there is a data breach
PIPEDA's breach notification requirements have been in force since 2018. If your organization experiences a breach of security safeguards involving personal information — which includes a hacked website, a database left accessible to unauthorized parties, or simply sending an email containing personal information to the wrong recipient — and that breach creates a "real risk of significant harm" to any individual, you must report it to the Privacy Commissioner of Canada and notify the affected individuals.
"Real risk of significant harm" is a lower bar than it sounds. Identity theft, reputational damage, financial loss, embarrassment, or loss of employment are all examples of significant harm that the OPC has cited. If the data involved could enable any of these, you are probably in mandatory reporting territory.
You must also keep records of all breaches, even those that do not require reporting — the Commissioner can ask to see these records.
The practical implication for your website: know what personal data you hold, where it is stored, and who has access to it. A breach you do not know about is still a breach you are responsible for.