PIPEDA
The Personal Information Protection and Electronic Documents Act is Canada's federal private-sector privacy law, governing how organizations collect, use, and disclose personal information in commercial activity.
Scope of PIPEDA
PIPEDA applies to federally regulated organizations and to commercial activity in provinces that do not have substantially similar private-sector privacy laws. Quebec (Law 25), British Columbia (PIPA), and Alberta (PIPA) have been deemed substantially similar, so their private-sector activity is governed primarily by provincial law with PIPEDA filling gaps. The Office of the Privacy Commissioner of Canada (OPC) enforces PIPEDA and can audit organizations, issue findings, and refer matters to the Federal Court.
PIPEDA principles for AI vendors
PIPEDA is built on ten fair information principles (accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, challenging compliance). For AI vendors, the trickiest principles are usually consent (Canadian consent is purpose-specific, and "training a model" may not be implied by typical service consent), individual access (PIPEDA gives data subjects access rights that AI vendors must support), and accountability (the data controller must be accountable for the AI vendor's processing via contract).
PIPEDA reform and AIDA
Canada has proposed replacing PIPEDA with the Consumer Privacy Protection Act (CPPA), and separately introducing the Artificial Intelligence and Data Act (AIDA). As of writing, neither has passed; the package was reintroduced multiple times and faces ongoing parliamentary scrutiny. PIPEDA remains the operative law. The Quebec Law 25 reforms (effective 2022-2024) provide a preview of where Canadian privacy enforcement is heading: explicit consent for sensitive data, automated decision-making transparency, and data portability rights.