PIPEDA
What is PIPEDA?
PIPEDA: Canada's federal private-sector privacy law governing how organisations collect, use and disclose personal information in the course of commercial activity.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy statute. It received Royal Assent in 2000 and came into full force on 1 January 2004, applying to organisations across all provinces and territories that handle personal information in the course of commercial activity, unless a substantially similar provincial law applies (e.g. in Quebec, British Columbia and Alberta). PIPEDA is built on ten Fair Information Principles (Schedule 1) covering accountability, consent, limiting collection, safeguards and individual access. Since November 2018 it has required mandatory breach notification to the Office of the Privacy Commissioner (OPC) and to affected individuals where there is a real risk of significant harm. PIPEDA reform via Bill C-27 (CPPA) remains under consideration.
● Examples
- 01
A Canadian e-commerce company reporting a breach of customer payment data to the OPC and notifying affected individuals.
- 02
A SaaS vendor obtaining meaningful consent before processing personal information collected through its website.
● Frequently asked questions
What is PIPEDA?
Canada's federal private-sector privacy law governing how organisations collect, use and disclose personal information in the course of commercial activity. It belongs to the Compliance & Frameworks category of cybersecurity.
What does PIPEDA mean?
Canada's federal private-sector privacy law governing how organisations collect, use and disclose personal information in the course of commercial activity.
How does PIPEDA work?
See the full definition above.
How do organisations comply with PIPEDA?
Compliance with PIPEDA typically combines technical controls (safeguards for personal information) with operational practices (meaningful consent, individual access procedures and breach notification to the OPC and affected individuals), as outlined in the full definition above.
What are other names for PIPEDA?
Common alternative names include: Personal Information Protection and Electronic Documents Act.
● Related terms
- compliance (№ 440)
GDPR
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- compliance (№ 149)
CCPA
The California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.
- privacy (№ 856)
Privacy by Design
An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.