🇨🇦 PIPEDA, Quebec Law 25 & Provincial Privacy Laws

Canada Privacy Law Redaction

AI-powered redaction for PIPEDA and provincial privacy law compliance. Protect personal information and respond to access requests efficiently.

  • $25M: Quebec Law 25 Maximum Fine (CAD)
  • 30 Days: Access Request Deadline
  • 5%: Proposed CPPA Revenue Penalty

Canada's Privacy Law Landscape

Canada has a patchwork of federal and provincial privacy laws. Understanding which laws apply to your organization is essential for proper document handling and redaction.

PIPEDA (Federal)

Applies to private sector organizations across Canada (except in provinces with substantially similar legislation). Governs collection, use, and disclosure of personal information in commercial activities.

  • Access requests within 30 days
  • Breach notification required

Quebec Law 25 (Loi 25)

Quebec's modernized privacy law with GDPR-like provisions. Applies to organizations operating in Quebec. Significantly increased penalties and new requirements for privacy impact assessments.

  • $25M max penalty
  • Privacy officer required
  • Data portability rights

Provincial Laws (BC, Alberta)

British Columbia's PIPA and Alberta's PIPA are substantially similar to PIPEDA and apply instead of the federal law for private sector activities within those provinces.

Personal Information to Redact

Standard Personal Information

  • Names and signatures
  • Home addresses
  • Email addresses
  • Phone numbers
  • Social Insurance Numbers (SIN)
  • Driver's licence numbers
  • Bank account numbers
  • Provincial health card numbers

Sensitive Personal Information

  • Health information
  • Financial information
  • Ethnic origin
  • Political opinions
  • Religious beliefs
  • Sexual orientation
  • Biometric data
  • Criminal records

Coming: Consumer Privacy Protection Act (CPPA)

Federal Privacy Law Reform

The proposed Consumer Privacy Protection Act (CPPA) would replace PIPEDA with significantly stronger requirements:

  • Penalties up to $25 million CAD or 5% of global revenue
  • Private right of action for individuals
  • Algorithmic transparency requirements
  • Enhanced consent requirements
  • Data portability and disposal rights

Organizations should prepare now for stricter requirements.

When Redaction is Required

Access Requests

When responding to individual access requests, redact information about other identifiable individuals. You must respond within 30 days.

Third-Party Disclosure

Before sharing documents with third parties, redact personal information not necessary for the disclosed purpose.

Legal Proceedings

Court filings and litigation discovery often require redaction of irrelevant personal information to protect third-party privacy.

Retention & Disposal

When documents must be retained but the personal information in them is no longer needed, redaction can de-identify the documents while preserving the records.

PIPEDA Principles That Require Redaction

Principle 4.4 — Limiting Collection

Personal information must be limited to what is necessary. When sharing documents containing more data than needed, redaction ensures compliance.

Principle 4.5 — Limiting Use, Disclosure, Retention

Personal information must not be used for purposes beyond original collection, except with consent or as required by law. Redaction is the primary tool for compliant disclosure.

Principle 4.7 — Safeguards

Personal information must be protected by appropriate security safeguards. The OPC considers whether reasonable steps were taken when investigating complaints — redaction before sharing is a reasonable step.

Principle 4.9 — Individual Access

Individuals can request access to their personal information. When responding, redact third-party data — similar to GDPR DSARs and Australian APP 12.

Federal vs Provincial Enforcement

Federal: OPC (PIPEDA)

The OPC investigates complaints and makes recommendations. It currently cannot impose fines directly, but can refer matters to the Federal Court for damages.

Mandatory breach reporting: Since November 2018, breaches with "a real risk of significant harm" must be reported. Failure to report carries fines of up to C$100,000 per offence.

Quebec: Law 25 (2023)

Canada's most aggressive privacy law — modeled on GDPR.

Penalties: Up to C$25M or 4% of global turnover. Mandatory privacy impact assessments, right to data portability, and a private right of action.

Also: Alberta PIPA and British Columbia PIPA have their own regimes.

CPPA: What's Coming

Bill C-27 would replace PIPEDA with significantly stronger enforcement. It died when Parliament prorogued in January 2025 but is expected to be reintroduced.

  • C$25M or 5% of global revenue: Maximum for serious violations
  • C$10M or 3% of global revenue: Administrative penalties (no court)
  • New: Private right of action, with class action exposure similar to CCPA

How SafeRedact Helps

AI Detection

Automatically identifies SINs, health card numbers, addresses, and other Canadian personal information.

Permanent Removal

Data is permanently removed from the document—not just covered with black boxes.

Meet Deadlines

Process access requests efficiently to meet 30-day response requirements.

Protect Personal Information. Comply with Canadian Law.

AI-powered redaction for PIPEDA and provincial privacy compliance. Start free—no credit card required.
