PIPEDA and Quebec Law 25: A Practical Compliance Guide for Canadian Businesses
Canada's privacy laws have real teeth—and Quebec's Law 25 raises the bar further. Here's what businesses need to have in place to stay compliant and avoid regulatory exposure.
Canadian businesses operating online collect personal information constantly: names, emails, IP addresses, purchase history, health data. Federal and provincial privacy laws govern how that data is collected, stored, used, and protected.
PIPEDA—the Personal Information Protection and Electronic Documents Act—is the federal baseline. Quebec's Law 25 (Bill 64) has raised the bar significantly, with phased requirements that came into force between 2022 and 2023. British Columbia and Alberta have their own private sector privacy laws that apply to provincially regulated organizations.
Here's what a compliance-oriented posture looks like.
PIPEDA: the federal baseline
PIPEDA applies to federally regulated businesses and to the collection, use, and disclosure of personal information in the course of commercial activity in provinces without their own substantially similar legislation.
The ten fair information principles under PIPEDA require that organizations:
- Be accountable for personal information under their control
- Identify the purposes for collecting information before or at collection
- Obtain consent from individuals for collection, use, or disclosure
- Limit collection to what's necessary for identified purposes
- Not use or disclose information for other purposes without consent
- Keep information accurate, complete, and current
- Protect information with appropriate security safeguards
- Be transparent about policies and practices
- Give individuals access to their own information on request
- Provide mechanisms to challenge compliance
The mandatory breach reporting requirement (in force since 2018) requires that organizations report breaches involving a "real risk of significant harm" to the Office of the Privacy Commissioner and notify affected individuals. Maintain records of all breaches for 24 months.
Quebec Law 25: stricter requirements
Quebec's modernized privacy law introduces requirements that go beyond PIPEDA in several areas:
Privacy impact assessments (PIAs) are required before implementing new technology that involves personal information. If you're deploying a new CRM, migrating to a new cloud platform, or adding analytics tooling, a PIA should be part of the process.
Privacy by default requires that privacy settings be set to the most protective option by default—users must actively choose to share more, not opt out of sharing.
Explicit consent for sensitive information requires that consent for sensitive categories of personal information (health, financial, biometric) be obtained separately and explicitly.
Right to data portability allows Quebec residents to request their personal information in a structured, commonly used format.
Mandatory appointment of a Privacy Officer requires that organizations subject to Law 25 designate a person responsible for the protection of personal information and publish that person's contact information.
Penalties for non-compliance are substantial: up to $25M CAD or 4% of worldwide turnover, whichever is greater.
Practical compliance steps
1. Data inventory. Map what personal information you collect, where it's stored, who has access, how long you retain it, and whether it's shared with third parties. You can't protect what you haven't mapped.
2. Update your privacy policy. Policies need to accurately reflect your current practices. A template privacy policy downloaded in 2019 is almost certainly non-compliant with Law 25.
3. Review consent mechanisms. Are you obtaining proper consent? Pre-ticked boxes, buried consent language, and bundled consent (one checkbox for multiple purposes) don't meet current standards.
4. Assess your vendors. When you share personal information with processors (cloud providers, CRMs, analytics tools), you retain responsibility. Review Data Processing Agreements (DPAs) with key vendors.
5. Configure data residency. Where your data is stored affects your exposure: keeping it in Canadian cloud regions makes the compliance analysis simpler.
6. Establish breach response procedures. Know who to call, what to document, and when you're required to notify—before you need to.
Technology controls that support compliance
Privacy compliance is primarily a legal and organizational exercise, but technology controls support it:
- Access controls and audit logging to demonstrate who accessed personal information
- Encryption at rest and in transit
- Data retention policies enforced technically (automated deletion of records past their retention period)
- Vulnerability management (a breach caused by an unpatched system is harder to defend)
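The last two controls, audit logging and technically enforced retention, are the ones most easily demonstrated in code. The following Python module is an added example, not code from the original page or from MicroPro: it applies a hypothetical retention schedule to a set of constructed records, deletes only what has passed its retention period, refuses to act on categories that have no schedule (those are surfaced for a human decision rather than silently kept or deleted), and writes an audit entry for every read and every deletion so that "who accessed what, and what was purged when" can be shown later. The record layout, the retention periods other than the 24-month breach-record minimum quoted above, and the sample data are all assumptions made for this illustration.

```python
"""Retention enforcement with an audit trail.

Added example; the record layout, the retention schedule (except the
24-month breach-record minimum from PIPEDA) and all sample data are
constructed for illustration and are not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule, in days, keyed by data category.
# A category missing here is deliberately NOT purged: it is reported instead.
RETENTION_DAYS = {
    "marketing_contact": 365,
    "order_history": 7 * 365,
    # PIPEDA requires breach records to be kept for at least 24 months;
    # purging them afterwards is this example's policy choice, not a rule.
    "breach_record": 730,
}


@dataclass(frozen=True)
class Record:
    id: str
    category: str
    collected_at: datetime  # timezone-aware


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    action: str      # "read" or "delete"
    record_id: str
    detail: str


class PersonalDataStore:
    """In-memory stand-in for a table of personal information."""

    def __init__(self, records, job_actor="retention-job"):
        self._records = {r.id: r for r in records}
        self.audit_log: list[AuditEvent] = []
        self.job_actor = job_actor

    def read(self, record_id, actor, now):
        """Every read is logged, whether or not the record exists."""
        rec = self._records.get(record_id)
        self.audit_log.append(
            AuditEvent(now, actor, "read", record_id, "ok" if rec else "not-found"))
        return rec

    def unknown_categories(self):
        """Categories with no retention schedule; these need a human decision."""
        return sorted({r.category for r in self._records.values()
                       if r.category not in RETENTION_DAYS})

    def expired(self, now):
        """Yield records whose category schedule has been exceeded."""
        for rec in self._records.values():
            days = RETENTION_DAYS.get(rec.category)
            if days is not None and now - rec.collected_at > timedelta(days=days):
                yield rec

    def purge_expired(self, now):
        """Delete expired records, logging each deletion; return deleted ids."""
        deleted = []
        for rec in list(self.expired(now)):
            del self._records[rec.id]
            self.audit_log.append(AuditEvent(
                now, self.job_actor, "delete", rec.id,
                f"retention of {RETENTION_DAYS[rec.category]} days exceeded"))
            deleted.append(rec.id)
        return deleted


# Constructed sample data: the clock is fixed so results are reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def build_sample_store():
    utc = timezone.utc
    return PersonalDataStore([
        Record("c1", "marketing_contact", datetime(2023, 1, 15, tzinfo=utc)),  # 503 days old
        Record("c2", "marketing_contact", datetime(2024, 3, 1, tzinfo=utc)),   # 92 days old
        Record("o1", "order_history", datetime(2016, 1, 1, tzinfo=utc)),       # > 7 years
        Record("b1", "breach_record", datetime(2022, 4, 1, tzinfo=utc)),       # 792 days old
        Record("x1", "support_ticket", datetime(2019, 1, 1, tzinfo=utc)),      # no schedule
    ])


if __name__ == "__main__":
    store = build_sample_store()
    print("needs a retention decision:", store.unknown_categories())
    print("purged:", store.purge_expired(SAMPLE_NOW))
    store.read("c2", "agent-7", SAMPLE_NOW)
    for ev in store.audit_log:
        print(ev.ts.isoformat(), ev.actor, ev.action, ev.record_id, ev.detail)
```

Run as a script it prints the flagged category, the three purged ids and the audit trail. The design point worth copying is the handling of unrecorded categories: an inventory gap (step 1 above) should stop the job from touching that data and produce a report, because both silent deletion and silent indefinite retention are compliance failures.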
Privacy compliance is an ongoing program, not a one-time project. MicroPro can help assess your technology controls as part of a broader compliance posture review. Get in touch to discuss.
MicroPro works with Canadian businesses on cloud, IT, and security. Book a free consultation.