PIPEDA

PIPEDA governs how private sector organizations collect, use, and disclose personal information in commercial activities. Based on fair information principles, it requires consent, limits collection to necessary purposes, ensures accuracy, and provides access rights. The Privacy Commissioner investigates complaints but has limited enforcement powers.

PIPEDA applies to private sector organizations collecting, using, or disclosing personal information in commercial activities across Canada (except in provinces with substantially similar legislation: Quebec, BC, Alberta). It implements ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Organizations must obtain meaningful consent, which varies by sensitivity and context. Individuals have rights to access their information and challenge its accuracy. The Privacy Commissioner of Canada investigates complaints, makes recommendations, and can seek court orders for compliance. Recent amendments (Bill C-27) propose replacing PIPEDA with the Consumer Privacy Protection Act, adding stronger penalties and algorithmic transparency requirements. Canada has EU adequacy status for commercial data transfers.