Guardlyne
For Compliance & Operations · 9 min read · May 18, 2025

PIPEDA Compliance for Small Business: What You Actually Need to Do

A plain-language guide to PIPEDA compliance for Canadian small businesses — what the law requires, what a breach means for you, and the practical steps to get compliant without a legal team.

If you've ever collected a customer's email address, processed a payment, kept employee records, or stored a contact form submission — PIPEDA applies to your business.

Most small business owners and office managers either don't know this, assume it doesn't apply to them, or know it applies and aren't sure what to do about it. This guide is for all three.

It won't turn you into a privacy lawyer. But by the end, you'll understand exactly what PIPEDA requires, what a breach means in practice, and the concrete steps your business needs to take to be compliant — without retaining outside counsel for every decision.


What is PIPEDA and who does it apply to?

The Personal Information Protection and Electronic Documents Act is Canada's federal private sector privacy law. It governs how organizations collect, use, and disclose personal information in the course of commercial activity.

It applies to your business if:

  • You collect personal information from customers, employees, or suppliers
  • You operate anywhere in Canada (with some provincial exceptions)
  • You conduct commercial activity — which covers virtually every for-profit business

Personal information under PIPEDA is broadly defined. It includes names, addresses, email addresses, phone numbers, purchase history, IP addresses, photos, employee records, health information, and financial data. If it can be used to identify an individual, it's personal information.

Provincial note: Alberta, British Columbia, and Quebec have their own substantially similar privacy laws (PIPA in AB and BC; Law 25 in QC). If you operate in these provinces, you may be subject to provincial law instead of or in addition to PIPEDA. Quebec's Law 25 is particularly strict and has been significantly updated in recent years.


The 10 fair information principles

PIPEDA is built on 10 fair information principles that define how organizations must handle personal data. Understanding these is the foundation of compliance.

1. Accountability: Your organization is responsible for the personal information it holds — including information transferred to third parties for processing. Designating someone as responsible for privacy compliance (even if it's you) is a requirement, not a suggestion.

2. Identifying purposes: Before or at the time of collection, you must identify why you're collecting personal information. "We collect your email address to send order confirmations and marketing emails" is an identified purpose. A vague catch-all is not.

3. Consent: You must obtain meaningful consent for the collection, use, or disclosure of personal information. Consent must be informed — the individual needs to understand what they're consenting to. Pre-checked boxes and buried fine print don't meet the standard.

4. Limiting collection: Collect only what you need for the purposes you've identified. Collecting data "just in case it's useful someday" violates this principle.

5. Limiting use, disclosure, and retention: Use personal information only for the purposes for which it was collected. Don't hold onto it longer than necessary. When the purpose is fulfilled and no legal retention requirement applies, delete it.

6. Accuracy: Personal information must be as accurate, complete, and up-to-date as necessary for the purpose. Stale customer records used for marketing decisions create both compliance and business risk.

7. Safeguards: Personal information must be protected by security safeguards appropriate to the sensitivity of the information. This is where cybersecurity and privacy compliance directly intersect — and where most SMBs have the most significant gaps.

8. Openness: Your privacy practices must be transparent and easily accessible. A privacy policy on your website is the minimum. It must be accurate, not a copy-paste template that doesn't reflect what you actually do.

9. Individual access: Individuals have the right to access the personal information you hold about them and to challenge its accuracy. You need a process to handle these requests.

10. Challenging compliance: Individuals can challenge your compliance with PIPEDA. You need a process for receiving and responding to privacy complaints.


The breach notification requirement — what most businesses miss

In 2018, PIPEDA was amended to include mandatory breach notification requirements. These are the provisions that most small businesses are unaware of, and they carry the most immediate consequence of non-compliance.

What triggers the obligation: A breach of security safeguards involving personal information that creates a "real risk of significant harm" to individuals must be reported to the Office of the Privacy Commissioner of Canada and to the affected individuals. You must also keep records of all breaches, whether or not they meet the reporting threshold.

What "significant harm" includes:

  • Bodily harm
  • Humiliation or damage to reputation
  • Financial loss
  • Identity theft
  • Negative effects on credit record
  • Damage to or loss of employment, business, or professional opportunities

The timeline: Notification must occur "as soon as feasible" — the OPC interprets this as promptly, generally within days of determining the breach meets the threshold. There is no fixed 72-hour window under PIPEDA (unlike GDPR), but delay is scrutinized.

The consequence of not reporting: Knowingly failing to report a qualifying breach, or knowingly failing to notify affected individuals, is a violation that can result in fines of up to $100,000 per violation.


What compliance actually looks like for a small business

Compliance doesn't require a legal department. It requires intention, documentation, and a few repeatable processes. Here's what practical compliance looks like:

A privacy policy that reflects reality: Your privacy policy must accurately describe what personal information you collect, why you collect it, how you use it, who you share it with, how long you keep it, and how individuals can exercise their rights. If your policy was generated from a template and never reviewed, it almost certainly doesn't reflect your actual practices.

A data inventory: You need to know what personal information you hold, where it lives, why you collected it, who has access to it, and how long you're keeping it. A simple spreadsheet is sufficient for most small businesses. The goal is awareness — you can't protect or manage what you don't know you have.

Meaningful consent practices: Review your forms, checkboxes, and sign-up flows. Are you clearly explaining what you're collecting and why? Are you getting separate consent for separate purposes (transactional emails vs. marketing emails)? Is consent freely given, not buried in terms and conditions?

Vendor agreements: If you share personal data with third parties — payment processors, email marketing platforms, HR software, cloud storage providers — you have an obligation to ensure they protect that data adequately. Data processing agreements (DPAs) are the standard mechanism. Most reputable SaaS vendors will provide one on request.

A breach response process: Before a breach happens, document how you'll identify a breach, who's responsible for assessing it, how you'll determine whether it meets the reporting threshold, who will notify the OPC, and how you'll communicate with affected individuals. A one-page document is better than nothing.

Security safeguards: This is where PIPEDA directly requires cybersecurity investment. The safeguards must be appropriate to the sensitivity of the information. Holding customer payment data or health information without basic security controls — MFA, encryption, access management — is not compliant.


Common compliance gaps in Canadian small businesses

These are the issues the Office of the Privacy Commissioner most frequently encounters with small businesses:

Outdated or inaccurate privacy policies — The policy says one thing, actual practice says another. This is an immediate credibility and compliance problem if a complaint is filed.

No retention and deletion policy — Businesses hold personal data indefinitely because "we might need it." PIPEDA requires you to delete or anonymize data when the purpose is fulfilled.

Inadequate security for the sensitivity of data — A business storing health information or financial data with no MFA, unencrypted devices, and no access controls is not meeting the safeguards requirement.

No process for individual access requests — An individual asks "what information do you have about me?" and the business has no process to respond. This is a violation.

Third-party data sharing without agreements — Using a US-based email platform to market to Canadian customers without a DPA and without disclosing cross-border data transfers in the privacy policy.


Your compliance checklist

Use this as a starting point:

  • [ ] Privacy policy published, accurate, and accessible on your website
  • [ ] Data inventory completed — you know what personal data you hold and why
  • [ ] Consent mechanisms reviewed — checkboxes and forms meet the meaningful consent standard
  • [ ] Retention policy defined — you're not holding data longer than necessary
  • [ ] Vendor DPAs in place for all third parties that process personal data
  • [ ] Security safeguards appropriate to data sensitivity (see cybersecurity controls)
  • [ ] Breach response process documented
  • [ ] Individual access request process documented
  • [ ] Privacy complaints process documented
  • [ ] Someone designated as responsible for privacy compliance

Where security and compliance meet

PIPEDA's safeguards requirement is explicit: personal information must be protected by security measures appropriate to its sensitivity. That means your privacy compliance and your cybersecurity posture are the same problem viewed from two angles.

A business that collects customer data but has no MFA on email, no endpoint encryption, and no incident response plan is simultaneously a cybersecurity risk and a PIPEDA compliance gap.

Guardlyne's free cybersecurity assessment evaluates your security posture across 8 domains — including the controls that directly support PIPEDA compliance — and gives you a clear, prioritized view of where you stand and what to address first.


It's free, takes under 30 minutes, and gives you documentation you can point to when demonstrating that your business takes its privacy obligations seriously.

