Privacy Law · 13 min read · 27 June 2026

PIPEDA and Bill C-27: What Canadian Privacy Law Requires for SaaS Companies in 2026

A practical guide to PIPEDA compliance and Bill C-27 (CPPA) preparation for SaaS companies with Canadian customers. Covers all 10 Fair Information Principles, breach notification, and upcoming automated decision-making obligations.

If your SaaS company has Canadian customers, PIPEDA (the Personal Information Protection and Electronic Documents Act) likely applies to you — even if you're headquartered in the EU or US. And with Bill C-27 (the Consumer Privacy Protection Act) moving through Parliament, the Canadian privacy landscape is about to get significantly more demanding.

This guide explains what PIPEDA requires today, what's coming with Bill C-27, and how the obligations differ from GDPR and CCPA.

Does PIPEDA apply to your SaaS company?

PIPEDA applies to private sector organisations collecting, using, or disclosing personal information in the course of commercial activity. The key triggers:

  • You have Canadian customers — collecting their email, payment information, or usage data triggers PIPEDA for that commercial activity
  • You're a federal work, undertaking, or business — telcos, banks, airlines, and broadcasters are federally regulated, so PIPEDA applies to them even for activity within a single province
  • You transfer data across provincial or international borders — PIPEDA applies to the transfer

Three provinces have substantially similar legislation that can replace PIPEDA for intra-provincial activities:

  • Alberta: Personal Information Protection Act (PIPA Alberta)
  • British Columbia: Personal Information Protection Act (PIPA BC)
  • Quebec: Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) — fully in force as of September 2023

Even in these provinces, PIPEDA still applies to cross-provincial and cross-border data transfers.

The 10 PIPEDA Fair Information Principles

PIPEDA is built around 10 Fair Information Principles derived from the Canadian Standards Association Model Code. Each has practical compliance requirements:

| Principle | Core requirement | Most common SaaS failure |
|---|---|---|
| 1. Accountability | Designate a Privacy Officer responsible for compliance | No named Privacy Officer; privacy owned by no one specifically |
| 2. Identifying Purposes | State purposes before or at time of collection | Vague privacy notices; "improve our service" covers everything |
| 3. Consent | Meaningful consent for collection, use, and disclosure | Bundled consent; consent obtained after the fact |
| 4. Limiting Collection | Only collect what's necessary for identified purposes | Collecting "nice to have" data without clear purpose |
| 5. Limiting Use | Use only for stated purposes; retention schedule required | No retention policy; data kept indefinitely "just in case" |
| 6. Accuracy | Keep personal information accurate and up to date | No mechanism for users to correct their data |
| 7. Safeguards | Security measures appropriate to data sensitivity | Breach occurs but RROSH assessment not conducted |
| 8. Openness | Privacy policy readily available, in plain language | Privacy policy hidden in footer; requires account login to access |
| 9. Individual Access | Respond to access requests within 30 days | No formal access request process; no one knows who handles them |
| 10. Challenging Compliance | Accessible complaints process with OPC escalation right | Privacy policy doesn't mention OPC or complaints process |

PIPEDA consent: what "meaningful" actually means

PIPEDA's consent requirement is often misunderstood. The OPC's guidance distinguishes two types:

  • Express consent: Required for sensitive personal information (health, financial, biometric, government IDs) and whenever individuals would not reasonably expect their information to be used for the purpose in question
  • Implied consent: Permissible for routine uses where individuals have a reasonable expectation — for example, collecting a billing address when processing a subscription payment

PIPEDA explicitly requires that consent be meaningful — individuals must be able to understand the nature, purpose, and consequences of the collection. The OPC has found that pre-ticked boxes, buried consent in terms of service, and consent obtained after collection are not valid.

Three common consent failures that draw OPC attention:

  1. Bundled consent: Requiring consent to all data uses as a condition of using the service, when some uses are not necessary for the service itself
  2. Retroactive consent: Changing privacy practices and treating continued use as consent without active notification
  3. Consent that can't be withdrawn: Not providing a mechanism to withdraw consent that works as easily as it was given

Breach notification under PIPEDA

Since November 2018, PIPEDA requires organisations to notify both the OPC and affected individuals of security breaches involving personal information where there is a "real risk of significant harm" (RROSH). Key requirements:

  • RROSH assessment: Every breach must be assessed. Factors include: sensitivity of data, number affected, whether data was accessed by a bad actor, and whether encryption or other measures reduce risk
  • OPC notification: If RROSH exists, report to the OPC "as soon as feasible" — there is no fixed 72-hour deadline (unlike GDPR), but prompt reporting is expected
  • Individual notification: Notify affected individuals of breaches that create RROSH, in plain language, with what happened, what information was involved, and what the organisation is doing
  • Breach records: Every breach must be logged — regardless of RROSH — and records retained for 24 months. The OPC can request these records.

Unlike GDPR's 72-hour supervisory authority notification deadline, PIPEDA's "as soon as feasible" standard is more flexible — but the OPC expects prompt reporting and has found organisations non-compliant for delays measured in weeks.

Bill C-27: what's changing with the CPPA

Bill C-27 (Consumer Privacy Protection Act) will replace PIPEDA when enacted. As of 2026, it has passed Second Reading in the Senate and is progressing through committee, but has not yet received Royal Assent. Key changes:

| Requirement | PIPEDA today | Bill C-27 / CPPA |
|---|---|---|
| Privacy compliance program | Best practice, not mandatory | Mandatory formal program (s.9) |
| Automated decision-making | No specific obligation | Disclosure + right to explanation (s.55, 62) |
| Data portability | No right | Right to receive data + direct transfer (s.63) |
| Right of disposal | Implied through limiting retention | Explicit right to de-identification/disposal (s.55) |
| Privacy impact assessments | No formal requirement | Mandatory for high-risk activities (s.57) |
| Children's privacy | No specific standard | Best interests of child standard (s.2) |
| Fines | Up to CAD $100,000 | Up to CAD $25M or 5% of global revenue |
| OPC enforcement powers | Investigations; orders through court | Direct order-making + penalty powers |

Automated decision-making: the biggest new obligation for AI SaaS

Bill C-27's automated decision-making provisions (s.55 and s.62) are particularly significant for AI-enabled SaaS companies. Under CPPA:

  • Disclosure (s.55): Organisations must inform individuals when automated decision-making is used to make a decision that produces legal or significant effects on them — including the personal information used, the decision-making process, and the decision's consequences
  • Right to explanation (s.62): Affected individuals can request an explanation of how the automated decision was made and what personal information was used
  • Meaningful explanation: Explanations must be in plain language and actually meaningful — not just "our AI determined this based on your profile"

SaaS use cases likely caught by this: credit decisioning tools, hiring/screening tools, risk scoring, fraud detection systems that affect individual customers, content moderation with significant consequences, insurance underwriting AI.

PIPEDA vs GDPR: the key differences for SaaS

For SaaS companies that are already GDPR-compliant, PIPEDA requires some specific attention:

  • Consent: PIPEDA's implied consent is more permissive than GDPR in some circumstances — but PIPEDA's "meaningful" standard is stricter than some GDPR interpretations of legitimate interest
  • No equivalent to GDPR legitimate interest: PIPEDA has exceptions to consent (business transactions, legal, research), but no general legitimate interests provision equivalent to GDPR Art. 6(1)(f)
  • Breach notification timing: PIPEDA's "as soon as feasible" vs GDPR's 72-hour clock — PIPEDA gives more flexibility but is not a free pass for delays
  • Individual access: PIPEDA's 30-day access right is similar to GDPR's one-month right, but PIPEDA allows access at minimal cost (GDPR requires free access)
  • CASL intersection: Canada's Anti-Spam Legislation (CASL) governs commercial electronic messages and requires separate express consent — PIPEDA's consent principles don't substitute for CASL compliance for email marketing

Use our free PIPEDA / Bill C-27 Compliance Checklist to assess all 10 Fair Information Principles and your Bill C-27 readiness. For GDPR compliance, see the GDPR Compliance Audit Checklist. For data protection impact assessments, see the DPIA Template Generator.