Salomon Web Services Salomon Web Services
Home/ Blog/ Privacy
Privacy

PIPEDA Explained for Small Business (Without the Legalese)

PIPEDA sounds like a compliance headache reserved for big companies. It isn't. If you collect a customer's name and email, it already applies to you, and the basics are more manageable than the acronym suggests.

A small business team reviewing how they handle customer personal information

PIPEDA is the Personal Information Protection and Electronic Documents Act, and it is the main privacy law for private businesses in Canada. The name is a mouthful and the text is dense, which leaves a lot of owners assuming it is somebody else’s problem. It is not. If you keep a list of customers with their names and email addresses, you are already handling “personal information,” and PIPEDA already applies.

The good news is that the law is built on ten straightforward principles, and once you read them in plain language they mostly describe how a decent business would want to treat customers anyway. Here is the working owner’s version. It is general information, not legal advice, and for anything specific you should talk to a privacy lawyer.

Who PIPEDA covers

PIPEDA applies to organizations that collect, use, or disclose personal information in the course of commercial activity. There is no blanket “you’re too small to matter” exemption. A solo consultant with a client list is handling personal information just like a national retailer is.

Personal information means information about an identifiable individual: names, emails, phone numbers, addresses, purchase history, and plenty more. If you can tie the data back to a specific person, treat it as personal information.

A quick note on jurisdiction. Alberta, British Columbia, and Quebec have their own private-sector privacy laws considered substantially similar to PIPEDA, and those govern activity within the province. Quebec’s Law 25 is the strict one and deserves its own attention if you sell into Quebec. For businesses operating across provinces or dealing with data crossing borders, PIPEDA is generally in the picture.

The ten principles, in plain English

PIPEDA is built on ten fair information principles. Stripped of the legal language, they read like this:

  1. Be accountable. Someone in your business owns privacy. Name them, even if it’s you.
  2. Say why. Identify the purpose before or when you collect information.
  3. Get consent. Collect, use, and share with the person’s knowledge and consent.
  4. Collect only what you need. No hoovering up data “just in case.”
  5. Use it only for what you said. Don’t quietly repurpose the data later.
  6. Keep it accurate. Wrong data leads to wrong decisions and unhappy customers.
  7. Protect it. Safeguard the information with security appropriate to how sensitive it is.
  8. Be open. Make your privacy practices easy to find and understand.
  9. Give access. People can ask what you hold about them and correct it.
  10. Provide recourse. Give people a way to challenge how you handled their data.

Read those again and notice how little of it is exotic. Collect what you need, use it for what you said, keep it safe, be honest about it, and let people see and correct their own records. A business that does those five things is most of the way to compliant.

Consent under PIPEDA is supposed to be meaningful, which means people should actually understand what they are agreeing to. Burying data collection in a 4,000-word policy that nobody reads is exactly what regulators have started pushing back on. The more sensitive the information, the clearer and more explicit the consent should be. For most small businesses that means a plain-language privacy notice and not asking for more than the job requires.

Breach reporting is mandatory

This is the part owners most often miss. Since November 2018, PIPEDA has required mandatory breach reporting. If your business suffers a “breach of security safeguards” that creates a real risk of significant harm to someone, you must:

That last point catches people. You are expected to keep a log of security incidents even when they are minor. If the regulator ever comes knocking, that record is part of showing you take safeguards seriously.

What about Bill C-27 and “AIDA”?

You may have read that PIPEDA was about to be replaced by a new law, and that Canada was getting an AI-specific statute called AIDA. That was the plan under Bill C-27. It did not happen. The bill died when Parliament was prorogued in early 2025, taking the proposed Consumer Privacy Protection Act and the Artificial Intelligence and Data Act with it. So today, PIPEDA is still the governing federal law, and there is no in-force federal AIDA. Anyone selling you “AIDA-compliant” anything is selling a law that doesn’t exist yet. Build for the rules on the books now.

A short starter list

PIPEDA is less a hurdle than a description of trustworthy handling of customer data. The businesses that struggle with it are usually the ones collecting more than they need, storing it carelessly, and hoping nobody asks. Tighten those three habits and most of the law takes care of itself.

Frequently asked questions

Does PIPEDA apply to my small business?

Most likely, yes. PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. There's no small-business exemption in the way many owners assume. If you keep customer contact details, you're handling personal information.

Isn't PIPEDA being replaced?

That was the plan under Bill C-27, which proposed a new Consumer Privacy Protection Act. But that bill died when Parliament was prorogued in early 2025, so PIPEDA remains the law of the land today. Build for the rules that exist now, not the ones that didn't pass.

Do I have to report a data breach?

Yes. Since 2018, PIPEDA requires you to report breaches of security safeguards that pose a real risk of significant harm to the Office of the Privacy Commissioner, notify affected individuals, and keep records of breaches even when they don't meet the reporting threshold.

What about Quebec, Alberta, and BC?

Those provinces have their own private-sector privacy laws that are recognized as substantially similar to PIPEDA, and they apply to activity within the province. Quebec's Law 25 in particular is stricter in several areas, so businesses operating there have an extra layer to mind.

Want to apply this to your business?

We'll walk you through the implementation step by step, no commitment required.

Get a free quote More articles