Canada's Federal Privacy Law & Bill 64

PIPEDA & Québec Law 25

Canada's federal private-sector privacy law and Québec's landmark Law 25 (Bill 64) impose GDPR-level obligations on businesses operating in Canada.

Overview

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Canada's Privacy Commissioner can investigate complaints and recommend remediation but currently cannot directly issue fines. That changes under Bill C-27 (the Digital Charter Implementation Act), which — when passed — will introduce fines of up to 5% of global revenue or $25 million. Meanwhile, Québec's Law 25 (formerly Bill 64), fully in force by September 2023, already imposes GDPR-level obligations including mandatory breach reporting, privacy impact assessments, and data subject rights — with fines up to $25 million or 4% of worldwide turnover for the most serious violations.

Who This Applies To

  • Any federally regulated Canadian business collecting customer personal information
  • E-commerce stores operating in Québec or serving Québec residents
  • Companies using third-party analytics, CRM, or marketing automation tools
  • Organizations transferring personal data outside Canada (to US cloud providers, etc.)
  • Employers collecting employee personal information in federally regulated sectors

Your Obligations

Mandatory Breach Reporting (PIPEDA)

Since November 2018, PIPEDA requires organizations to report breaches that pose a 'real risk of significant harm' to the OPC within 72 hours — and notify affected individuals. Failure to report is itself a violation.

Privacy Officer Designation (Law 25)

Québec's Law 25 requires every organization to designate a Privacy Officer (published on their website) and publish a Privacy Policy describing personal information handling practices.

Privacy Impact Assessments (Law 25)

Before implementing new technology or processes that handle personal information, Québec businesses must conduct and document a Privacy Impact Assessment (PIA) — equivalent to GDPR's DPIA requirement.

Explicit Consent for Sensitive Data (Law 25)

Law 25 requires manifest, free, and informed consent for collection of sensitive personal information — and prohibits bundled consent (bundling privacy consent with general terms of service).

Cross-Border Transfer Safeguards

Under Law 25, transferring personal data outside Québec (including to other Canadian provinces) requires a prior PIA and contractual protections ensuring protection equivalent to Québec law.

Real Enforcement Cases

These are not hypothetical risks. The following cases represent actual regulatory enforcement actions and civil litigation — each with documented penalties.

2019–2022: $201 Million (class action)

Desjardins Group

A disgruntled employee exfiltrated personal data of 4.2 million Desjardins members over 26 months — including names, addresses, SINs, and financial data. The class action settled for $201 million, the largest privacy breach settlement in Canadian history. The OPC investigation found systemic failures in access controls and data minimization.

2019–2020: Compliance Order (no direct fine)

Facebook (Meta) Canada

Canada's Privacy Commissioner found Facebook violated PIPEDA during the Cambridge Analytica scandal by failing to obtain meaningful consent for data sharing and failing to adequately safeguard personal information. Facebook initially refused to comply, prompting the OPC to seek Federal Court enforcement orders.

2021: Cease & Desist + Deletion Order

Clearview AI

Canada's OPC and provincial commissioners jointly found Clearview AI violated PIPEDA and provincial laws by scraping billions of Canadian facial images without consent to build a biometric database. Clearview was ordered to cease operations in Canada and delete all Canadian data.

2020–2021: Compliance Findings (Bill C-27 fine risk)

LifeLabs

Canada's largest medical lab faced a breach affecting 15 million Canadians, including health test results. Commissioners found LifeLabs violated PIPEDA through inadequate security safeguards and delayed breach notification. The case is widely cited as the catalyst for Bill C-27's proposed fine powers.

Free Consultation

Is your e-commerce store exposed?

Deskulpt engineers audit your current technology stack against PIPEDA & Québec Law 25 requirements, identify gaps, and produce a prioritised remediation roadmap. No retainer required to start.

Book Your Free Canadian Privacy Compliance Review