Your Data Rights in Canada Under PIPEDA

What PIPEDA covers and who it applies to

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for the private sector. It governs how businesses collect, use, and disclose your personal information in the course of commercial activity. Personal information means data about an identifiable individual — your name, email, location history, purchase records, and similar details.

PIPEDA applies across Canada to federally regulated businesses and to most private organisations. Some provinces — British Columbia, Alberta, and Quebec — have their own private-sector laws that are recognised as substantially similar, so an organisation there may answer to a provincial law instead. Public-sector bodies are covered by separate federal and provincial legislation, not PIPEDA.

This is general information, not legal advice. If you are unsure which law applies to a specific organisation, the Office of the Privacy Commissioner of Canada publishes guidance, and a qualified adviser can help with your particular situation.

• PIPEDA covers private organisations engaged in commercial activity
• BC, Alberta, and Quebec have substantially similar provincial laws
• It applies to information about an identifiable individual

The core rights PIPEDA gives you

PIPEDA is built on a consent-based model. In most cases an organisation needs your meaningful consent to collect, use, or disclose your personal information, and you can ask questions about how that information is handled at any time.

Your main rights are the right to access the personal information an organisation holds about you, the right to know how it is being used and to whom it has been disclosed, and the right to ask for corrections if it is inaccurate or incomplete. You can also withdraw consent, subject to legal or contractual limits, which can lead an organisation to stop certain uses of your data.

An access request does not have to follow a special form. A clear written request identifying yourself and what you are asking for is enough. Organisations are generally expected to respond within 30 days and to help you understand the information they provide.

• Access the personal information held about you
• Learn how your information is used and who it was shared with
• Request correction of inaccurate or incomplete information
• Withdraw consent, subject to legal and contractual limits

How to raise a concern and reach the OPC

If you have a privacy concern, the first step is usually to contact the organisation directly. PIPEDA requires organisations to have someone accountable for privacy, often a designated privacy officer, who can receive your request or complaint and explain the organisation's practices.

If the organisation does not respond, refuses your request, or you are not satisfied with the outcome, you can escalate to the Office of the Privacy Commissioner of Canada (OPC), the federal regulator. The OPC can receive complaints, investigate, and issue findings and recommendations. In British Columbia, Alberta, and Quebec, the provincial privacy commissioner may handle complaints about organisations governed by provincial law.

Keeping a calm, factual record helps: note what you asked for, when, and how the organisation replied. That record makes any later escalation clearer. This article is general information, not legal advice — for the steps that fit your own circumstances, consider speaking with a qualified professional.

• Start with the organisation's privacy officer or accountable contact
• Escalate unresolved concerns to the OPC
• Provincial commissioners cover BC, Alberta, and Quebec organisations

Frequently asked questions

Related terms

• Personal data
• Consent
• Data protection regulator
• Right to erasure