Canadian privacy law for US companies.

Many US companies assume that a CCPA-compliant privacy program covers their obligations in Canada. It usually does not. Canadian privacy law is a patchwork of federal and provincial statutes that apply on a different conceptual basis from US privacy law and impose obligations that go beyond what a typical US-drafted privacy notice and data processing addendum capture.

This article walks through the Canadian privacy regime as it actually applies to US companies, the most common gaps in US-built privacy programs, and a practical checklist for closing them.

The basic structure

Canadian privacy law operates on two layers — federal and provincial — and the two layers interact through "substantially similar" designations. The federal statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies to commercial activity across Canada except in provinces that have enacted substantially similar private-sector legislation. Three provinces have done so: Quebec, British Columbia, and Alberta. In those provinces, the provincial statute generally applies to information collected, used, or disclosed within the province; PIPEDA still applies to inter-provincial and international flows. Ontario is currently developing private-sector privacy legislation but has not yet enacted it; PIPEDA applies in Ontario in the meantime.

The result, for a US company with Canadian customers or employees: PIPEDA at the federal level plus the relevant provincial statute (Quebec Law 25, BC PIPA, Alberta PIPA) where customers, employees, or operations are located in those provinces.

How Canadian privacy law differs from CCPA

The conceptual frame is different. CCPA and CPRA are rights-based statutes — they give California consumers a set of rights (access, deletion, opt-out) that businesses must honour. PIPEDA and the provincial statutes are consent-based statutes — they require that organizations have a basis (usually consent) for collecting, using, and disclosing personal information, and they constrain what organizations can do with information regardless of whether the individual exercises a right.

Practical consequences:

• Consent is the default basis. US companies often assume that posting a privacy notice and giving users an opt-out is sufficient. Under Canadian law, consent — express for sensitive information, implied for non-sensitive — is generally required at the point of collection, and the consent must be meaningful (informed, specific, and not bundled with unrelated terms).
• Purpose limitation is real. Personal information collected for one purpose generally cannot be used for a materially different purpose without fresh consent. This bites US companies whose data architecture assumes broad re-use.
• Cross-border transfers require disclosure. Transferring Canadian personal information to a US service provider, US-based cloud, or US parent company is permitted, but the individual must be told (typically in the privacy notice) that the information will be processed outside Canada and may be subject to foreign law. Quebec Law 25 goes further and requires an impact assessment for transfers outside Quebec.
• Breach notification is mandatory. PIPEDA requires notification of breaches presenting a "real risk of significant harm" — to the Privacy Commissioner, to affected individuals, and (in some cases) to other organizations. Quebec Law 25 has its own breach notification rules.

Quebec Law 25 — the biggest gap in most US programs

Quebec's Law 25 (the Act to modernize legislative provisions as regards the protection of personal information) is the most stringent privacy statute in Canada and the one US companies most often miss. Key provisions:

• Designated privacy officer. Organizations must designate a person responsible for the protection of personal information and publish that person's contact information.
• Privacy impact assessments. Required before any project involving the acquisition, development, or overhaul of an information system that collects personal information; also required before any transfer outside Quebec.
• Automated decision-making transparency. Individuals must be informed when a decision affecting them is based exclusively on automated processing, and on request, must be given the information used, the principal factors, and the right to have the decision reviewed.
• Consent rules. Quebec consent rules are stricter than PIPEDA's, particularly around the form of consent for sensitive information and minors.
• Penalties. Administrative monetary penalties of up to CAD 10 million or 2% of worldwide turnover, and penal fines up to CAD 25 million or 4% of worldwide turnover.

BC PIPA and Alberta PIPA

Both statutes are conceptually similar to PIPEDA but operate within their respective provinces. The two most-noticed practical differences for US companies:

• Both statutes apply to employee personal information, which PIPEDA generally does not. US companies hiring in BC or Alberta need to consider how they handle employee records.
• Both statutes have their own consent and notice requirements that should be reflected in privacy notices applicable to BC or Alberta-based users.

Common gaps in US-built privacy programs

Privacy notice does not address Canada

The privacy notice was drafted for CCPA/CPRA (or GDPR) and never updated for Canadian users. There is no mention of PIPEDA, no Canadian contact for privacy inquiries, no disclosure of cross-border transfers from Canada, and no Quebec-specific language.

Consent is not obtained meaningfully at the point of collection

The US assumption — "we posted a notice, you used the service, that's consent" — does not work cleanly under PIPEDA. Best practice is express consent at signup, particularly for any non-obvious uses (analytics, marketing, third-party sharing) and for any sensitive information.

No mechanism for handling Quebec users differently

Most US privacy programs treat all non-EU users identically. A Quebec user is entitled to substantially more — automated decision-making transparency, mother-tongue communications, and the right to request that information be processed only in Quebec where reasonably possible.

Data processing addendum has no Canadian-law provisions

US-drafted DPAs typically cover GDPR and CCPA. They rarely address PIPEDA, Quebec Law 25 transfer impact assessments, or BC/Alberta employee-information rules. For B2B SaaS vendors with Canadian customers, this is a frequent ask during procurement.

Breach response plan does not contemplate Canada

PIPEDA's "real risk of significant harm" standard is not identical to US state breach-notification thresholds. A breach affecting Canadian individuals may need to be reported to the federal Privacy Commissioner and to provincial Commissioners — on a timeline and in a form that the company has not pre-planned for.

Employee privacy is overlooked

For US companies hiring in Canada — and particularly in BC, Alberta, or Quebec — employee personal information is regulated. Employment offers, background-check authorizations, and HR data handling all warrant a Canadian-privacy review.

A practical Canadian privacy checklist

1. Map where your Canadian individuals are. Federal-only (most provinces) vs. Quebec / BC / Alberta. The provincial overlay drives most of the work.
2. Update the privacy notice. Add Canadian-specific sections covering PIPEDA, cross-border transfer disclosure, Canadian contact for privacy inquiries, and Quebec-specific language where applicable.
3. Designate a privacy officer for Quebec if you have Quebec users or employees, and publish that person's contact information.
4. Implement meaningful consent at collection. Particularly for sensitive information, marketing communications, third-party sharing, and any automated decision-making.
5. Add Canadian-law provisions to your DPA — including transfer-impact-assessment language for Quebec.
6. Update breach response. Build PIPEDA's "real risk of significant harm" assessment into the playbook and identify which Canadian Commissioner(s) need to be notified.
7. Address employee privacy for any Canadian hires, particularly in BC, Alberta, or Quebec.
8. Document the program. Canadian Commissioners are increasingly active; demonstrating an actual privacy program (not just paperwork) is the best regulatory posture.

---

This article is general information, not legal advice for any specific situation. If you would like a Canadian-law review of your privacy program, contact koby@canadianattorney.com.