Comply with Canada's PIPEDA
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It governs how organizations collect, use, and disclose personal information in the course of commercial activity, and it is enforced by the Office of the Privacy Commissioner of Canada (OPC). At its core are 10 fair information principles: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.
Is PIPEDA changing?
There has been a long effort to modernize Canadian privacy law through Bill C-27, which would have replaced PIPEDA's private-sector provisions with the Consumer Privacy Protection Act (CPPA) and introduced an AI statute (AIDA). That bill died on the Order Paper when Parliament was prorogued in January 2025. As a result, PIPEDA remains the law in force in 2026, and organizations should keep complying with it while watching for future reform.
Breach reporting and provincial laws
Since November 2018, organizations must report any breach that poses a real risk of significant harm both to the affected individuals and to the OPC, and must keep records of all breaches. Several provinces have their own substantially similar laws (notably Quebec's Law 25 and the PIPA statutes in British Columbia and Alberta), which can apply in place of PIPEDA within those provinces.
How episki helps
episki implements the 10 fair information principles as living controls, with consent and identified-purposes management, an access- and correction-request workflow, and a breach-assessment process tied to the real-risk-of-significant-harm test. Because PIPEDA overlaps heavily with GDPR and CCPA, your Canadian privacy program reuses records of processing and rights workflows you already maintain.
PIPEDA outcomes with episki
Why teams choose episki for PIPEDA
- Accountability and identified purposes
- Consent, limiting collection, and use
- Accuracy, safeguards, and openness
- Individual access and correction requests
- Real-risk-of-significant-harm assessment
- OPC and individual breach notification
- Crosswalk to GDPR and CCPA
- Records of processing reused
- Aligns with Quebec Law 25 and provincial PIPA
PIPEDA readiness inside episki
Plug episki into your stack and work directly from this checklist during the free trial.
- ✓ Privacy policy and designated accountable individual
- ✓ Consent and identified-purposes management
- ✓ Personal information inventory and retention limits
- ✓ Safeguards proportionate to sensitivity
- ✓ Access and correction request workflow
- ✓ Breach assessment and Privacy Commissioner notification