Who does PIPEDA apply to?

Privacy Policy

Canada, PIPEDA

Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Who does PIPEDA apply to?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the personal information of Canadians.  The law accomplishes this goal by providing certain privacy rights to Canadians, requiring websites to have a Privacy Policy that makes specific disclosures, and imposing restrictions on the collection, use, and disclosure of personal information. In this article, we will answer the question of who does PIPEDA apply to so that you are aware of the compliance requirements that your website needs to meet. 

Who does PIPEDA apply to: organizations across Canada

PIPEDA applies to private-sector organizations that collect, use and disclose personal information in the course of for-profit, commercial activities across Canada. In this case, “commercial activity” means any particular transaction, act or conduct or any regular course of business that is of a commercial character. Since an organization has to be for-profit for PIPEDA to apply, the law will generally not apply to not-for-profits, charity groups, political parties or associations. However, if your not-for-profit is engaging in commercial activity, the law could still apply, which means that you must perform an assessment of what activities your organization engages in to determine if this law applies. 

Who does PIPEDA apply to: federally regulated businesses

PIPEDA also applies to the following types of federally regulated businesses: 

  • Air transportation; 
  • Banks; 
  • Grain elevators, feed and seed mills, feed warehouses, and grain-seed cleaning plants; 
  • First Nations Band Councils; 
  • Most federal Crown corporations; 
  • Post services, marine shipping, ferries, tunnels, canals, bridges and pipelines that cross international or provincial borders; 
  • Radio and television broadcasting; 
  • Railways that cross provincial or international borders and some short-line railways; 
  • Road transportation services that cross international or provincial borders; 
  • Telecommunications, such as telephone, internet, telegraph, and cable systems; 
  • Uranium mining and processing and atomic energy; 
  • Any business that is vital, essential or integral to the operation of one of the above. 

If your business is one of the above types, PIPEDA applies to you and your website needs to have a PIPEDA compliant Privacy Policy. 

Where do you do business? 

Another aspect of who does PIPEDA apply to is where you conduct business. The privacy law will apply to you if you do business in: 

  • Manitoba; 
  • New Brunswick; 
  • Newfoundland and Labrador; 
  • Northwest Territories; 
  • Nova Scotia; 
  • Nunavut; 
  • Ontario; 
  • Prince Edward Island; 
  • Saskatechwan; 
  • Yukon. 

Unless the personal information crosses provincial or national borders, PIPEDA will not apply to you if you operate entirely within Alberta, British Columbia, or Quebec, as these provinces have their own privacy laws that you will need to follow that are substantially similar to PIPEDA. 

Do U.S. businesses need to comply with PIPEDA?

If you are doing business in the United States and have Canadian customers or if you are collecting the personal information of Canadians through your website, you may be wondering whether you need to comply with PIPEDA. Canadian courts have ruled that PIPEDA will apply to conduct that has a real and substantial connection to Canada, regardless of where you or your business is actually located. The following factors will be used to determine if there is a real and substantial connection: 

  • The location of the target audience of the website; 
  • The source of the content on your website; 
  • The location of the website operator; 
  • The location of the host server; 
  • Whether you market your products or services to Canadians; 
  • Whether you process the personal information of Canadians; and 
  • Whether any misuse or disclosure of personal information would have an impact on Canadians. 

While the presence of only one of these factors may not be sufficient to show a connection, it appears that courts will consider a multitude of these factors in making their determination. It is important to note that businesses outside of Canada have been held as responsible for complying with PIPEDA so, if you have customers in Canada, you may need to comply with this law. 

If your business is located in Canada or has the requisite connection to Canada, you need to ensure that you are complying with PIPEDA by following the fair information principles, having a compliant Privacy Policy, and respecting the privacy rights of Canadians. Use Termageddon’s Privacy Policy generator to help create your PIPEDA ready Privacy Policy and avoid fines for non-compliance. 

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates
  • This field is for validation purposes and should be left unchanged.