
Data Privacy Compliance: PIPEDA, Loi 25, CCPA, LGPD

Complete guide to global data privacy compliance for Canadian businesses: PIPEDA, Quebec Loi 25, CCPA, LGPD, POPIA, PIPL, GDPR.

CheckFile Team
Data privacy regulation is a global concern. As of January 2026, 137 countries have enacted national data protection legislation, according to the UN Conference on Trade and Development (UNCTAD). For Canadian businesses that process personal information of European customers, Californian consumers, Brazilian counterparties, South African clients or Chinese users, compliance with PIPEDA and provincial privacy legislation such as Quebec's Loi 25 is only the starting point.

This guide compares the most significant data privacy frameworks relevant to Canadian businesses, maps their areas of convergence and divergence, and provides a practical compliance structure for organisations operating across multiple jurisdictions.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.


Comparison Table: PIPEDA, Loi 25, GDPR, CCPA, LGPD and POPIA

The major data privacy laws share structural similarities but differ substantially on territorial scope, individual rights, maximum penalties and enforcement authority.

| Law | Jurisdiction | In Force | Territorial Scope | Key Rights | Maximum Penalties | Enforcement Authority |
|---|---|---|---|---|---|---|
| PIPEDA | Canada (federal) | 2001, amended | Federally regulated private sector + provinces without substantially similar laws | Access, correction, withdrawal of consent | Federal Court orders, damages, public findings | OPC (Office of the Privacy Commissioner) |
| Loi 25 (Quebec) | Quebec | Phased 2022-2024 | Private sector organisations operating in Quebec | Access, correction, erasure, portability, de-indexing | CAD 25 million or 4% of worldwide turnover | CAI (Commission d'accès à l'information) |
| PIPA (Alberta) | Alberta | 2004 | Private sector organisations in Alberta | Access, correction | Orders, public reports | OIPC Alberta |
| PIPA (BC) | British Columbia | 2004 | Private sector organisations in BC | Access, correction | Orders, public reports | OIPC BC |
| EU GDPR (Reg. 2016/679) | European Union | 25 May 2018 | Any organisation processing data of EU residents | Access, rectification, erasure, portability, objection | EUR 20 million or 4% of global turnover | National DPAs (coordinated by EDPB) |
| CCPA/CPRA | California, USA | Jan 2020, amended Jan 2023 | CA businesses > USD 25M revenue, or > 100,000 consumers, or > 50% revenue from data sales | Know, delete, opt-out of sale, correct | Up to USD 7,500 per intentional violation | CPPA |
| LGPD (Brazil) | Brazil | Sept 2020 | Any organisation processing data of individuals in Brazil | Access, correction, anonymisation, portability, erasure | 2% of Brazil revenue, capped at BRL 50 million | ANPD |
| POPIA (South Africa) | South Africa | 1 July 2021 | Any organisation processing personal information in South Africa | Notification, access, correction, erasure, objection | Up to ZAR 10 million + up to 10 years imprisonment | Information Regulator |

These penalties are not theoretical. In 2023, Meta was fined EUR 1.2 billion by the Irish DPC for unlawful transfers of EU personal data to the United States (EDPB binding decision, May 2023). Quebec's CAI began enforcement under Loi 25 in 2024, with the power to impose administrative monetary penalties for the first time in Canadian privacy law history.


PIPEDA: Canada's Federal Privacy Framework

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It applies to federally regulated organisations (banks, airlines, telecoms) and to private sector organisations in provinces that have not enacted substantially similar legislation. The OPC is the supervisory authority.

On the CheckFile platform, AI-generated document fraud now accounts for 12% of detected cases, up from just 3% in 2024: a fourfold increase in a single year.

PIPEDA is built on 10 fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Organisations must obtain meaningful consent for the collection, use, and disclosure of personal information, and individuals have the right to access and correct their personal information.

For FINTRAC reporting entities, data retention obligations under the PCMLTFA intersect with PIPEDA's limiting retention principle. The PCMLTFA requires that client identification records be retained for at least five years after the end of the business relationship. This creates a direct tension with PIPEDA's principle of limiting retention, resolved by the legal obligation exception: compliance with the PCMLTFA overrides the general obligation to destroy personal information once it is no longer needed for its original purpose.

Bill C-27, the Digital Charter Implementation Act, proposes to replace PIPEDA with the Consumer Privacy Protection Act (CPPA), which would introduce administrative monetary penalties of up to CAD 25 million or 5% of global revenue and strengthen individual rights. As of March 2026, the bill had not yet been enacted but remains under parliamentary consideration (Parliament of Canada, Bill C-27).


Quebec's Loi 25: Canada's Strongest Provincial Privacy Law

Quebec's Act respecting the protection of personal information in the private sector, as amended by Bill 64 (commonly known as Loi 25), represents the most significant reform of privacy law in Canadian history. Fully in force since September 2024, it introduces obligations and enforcement powers comparable to the EU's GDPR.

Key provisions include mandatory privacy impact assessments for any project involving personal information, mandatory breach notification to the CAI and affected individuals, the right to data portability and de-indexing, consent requirements aligned with GDPR standards (clear, free, informed), and administrative monetary penalties of up to CAD 25 million or 4% of worldwide turnover.

Loi 25 requires a privacy impact assessment before any personal information is transferred outside Quebec, a provision that directly affects document verification workflows involving cloud-based processing. Organisations must evaluate whether the destination jurisdiction provides adequate privacy protection before any cross-border transfer.

For organisations operating across Canada, Loi 25 sets the practical compliance floor. Alberta's PIPA and British Columbia's PIPA provide substantially similar protections to PIPEDA but have not yet introduced the administrative monetary penalty regime that Loi 25 establishes.



CCPA/CPRA: The California Law and Its Reach Into Canada

The California Consumer Privacy Act (CCPA), substantially strengthened by the California Privacy Rights Act (CPRA) in January 2023, applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue exceeding USD 25 million, processing the personal information of 100,000 or more consumers per year, or deriving 50% or more of annual revenue from selling consumers' personal information.

Canadian businesses with US operations, subsidiaries, or significant California consumer bases must map data flows against both PIPEDA/provincial and CCPA/CPRA requirements. The CCPA/CPRA operates on an opt-out basis for the sale or sharing of personal information, which differs from PIPEDA's consent-based model.


EU GDPR: Impact on Canadian Businesses

The EU GDPR applies extraterritorially to any organisation that targets EU residents, regardless of establishment. Canadian organisations with EU operations or EU customer bases must comply with both Canadian privacy laws and the GDPR simultaneously.

Canada holds an EU adequacy decision, meaning that transfers from EU member states to Canada do not require additional safeguards for PIPEDA-covered organisations. However, this adequacy decision covers only commercial activities subject to PIPEDA; it does not extend to provincial public-sector privacy laws or to activities outside PIPEDA's scope.

For a detailed breakdown of GDPR obligations applied to document management, see our GDPR document management compliance guide.


LGPD, POPIA, PIPL: Other Major Frameworks

Brazil: LGPD

The LGPD applies to any processing of personal data targeting individuals in Brazil. Canadian businesses operating in Latin America, particularly in mining, financial services, or technology, must comply with both PIPEDA and the LGPD for Brazilian data subjects.

South Africa: POPIA

POPIA applies to organisations processing personal information in South Africa. Penalties reach up to ZAR 10 million, with criminal sanctions including imprisonment. Canadian businesses with South African operations must comply with both frameworks.

China: PIPL

The Personal Information Protection Law applies to any processing of personal information of individuals within China. It requires separate consent for each processing purpose and subjects cross-border transfers to security assessments. Canadian businesses with Chinese operations face the most complex data transfer requirements of any major jurisdiction.


KYC, AML and Data Privacy: Managing the Overlap

The intersection of anti-money laundering obligations and data privacy regulation creates significant operational tension. AML law, including the PCMLTFA, requires client identification records to be retained for at least five years after the end of the business relationship. Data privacy law requires that personal information be deleted once it is no longer necessary for its original purpose.

This tension is resolved through the legal obligation exception. Under PIPEDA's Principle 5 (Limiting Use, Disclosure, and Retention), personal information may be retained as required by law. The five-year PCMLTFA retention obligation therefore overrides any individual's request for deletion during that period. Beyond five years, the AML legal basis expires and the information must be destroyed.

The same principle applies under Loi 25 (retention for legal obligations), the LGPD, and other major frameworks. The key is documenting the legal basis for extended retention in the organisation's records.

For a detailed breakdown of KYC document obligations, see our complete KYC guide for businesses.


Building a Multi-Jurisdictional Data Privacy Programme

An effective compliance programme for organisations subject to multiple data privacy regulations rests on four operational pillars.

Data mapping and document flow inventory. Identify what personal information is collected, from which individuals (Canadian, EU, Californian, Brazilian), through which channel, stored where, and transferred to whom. This inventory is the common foundation for PIPEDA's accountability obligations, Loi 25's privacy impact assessment requirements, and CCPA/CPRA transparency obligations.

Unified retention policy. Define retention periods that satisfy the most demanding obligation in each applicable jurisdiction. In practice, this means aligning on the longest legally mandated retention period and scheduling deletion at expiry. A document processing platform that timestamps every collection event and automates deletion scheduling reduces the manual overhead of multi-jurisdictional retention management.

Documented transfer mechanisms. For every data flow to another jurisdiction, identify and record the applicable transfer mechanism: adequacy decision, standard contractual clauses, or consent. Loi 25 requires a privacy impact assessment before any transfer outside Quebec. PIPEDA requires comparable protection for cross-border transfers.

Audit-ready evidence. Every major privacy regulator expects organisations to demonstrate compliance rather than merely assert it. A document verification platform that logs consent records, processing events, retention decisions and deletion confirmations provides the evidence base for regulatory examination across jurisdictions.
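The retention rules in the KYC/AML section above and the "unified retention policy" and "audit-ready evidence" pillars can be turned into a small decision routine. The following is an added example, not code from this page or from CheckFile: it answers an erasure request by computing the latest expiry among the legal holds that apply to a record, refuses the request with the legal basis recorded while a hold is still running, and otherwise schedules deletion. The only retention period taken from the page is the PCMLTFA five-year period after the end of the business relationship; the `CONTRACT_PLACEHOLDER` entry, its two-year duration, and the names `LegalHold`, `Record`, `POLICY` and `decide_deletion` are all assumptions made for the example.

```python
"""Retention decision helper for records held under several legal obligations.

Added example, not CheckFile's code. Rule applied: the longest legally mandated
retention period governs, and an erasure request is refused, with the basis
documented, while any such hold is still running.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class LegalHold:
    """A statutory or contractual reason to keep a record beyond its original purpose."""
    basis: str    # citation written into the audit entry
    years: int    # retention period in whole years
    anchor: str   # event the period runs from: "relationship_end" or "collection"


# Constructed policy table. The PCMLTFA entry follows the page (five years after the
# end of the business relationship). CONTRACT_PLACEHOLDER is hypothetical, with an
# invented duration, and exists only to show how several holds combine.
POLICY = {
    "PCMLTFA": LegalHold("PCMLTFA client identification record-keeping", 5, "relationship_end"),
    "CONTRACT_PLACEHOLDER": LegalHold("hypothetical contractual retention clause", 2, "collection"),
}


@dataclass
class Record:
    record_id: str
    collected_on: date
    relationship_ended_on: Optional[date]  # None while the client relationship is active
    holds: tuple                           # POLICY keys applicable to this record
    purpose_fulfilled: bool                # original collection purpose no longer needs it


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def hold_expiry(record: Record, hold: LegalHold) -> Optional[date]:
    """Date a single hold lapses, or None if it cannot lapse yet (relationship still active)."""
    if hold.anchor == "relationship_end":
        if record.relationship_ended_on is None:
            return None
        return add_years(record.relationship_ended_on, hold.years)
    return add_years(record.collected_on, hold.years)


def decide_deletion(record: Record, requested_on: date) -> dict:
    """Answer an erasure request and return the audit entry documenting the decision."""
    open_holds = []   # holds whose clock has not started (relationship still active)
    running = []      # (expiry, basis) for holds still in force on the request date
    for key in record.holds:
        hold = POLICY[key]
        expiry = hold_expiry(record, hold)
        if expiry is None:
            open_holds.append(hold.basis)
        elif expiry > requested_on:
            running.append((expiry, hold.basis))

    entry = {"record_id": record.record_id, "requested_on": requested_on.isoformat()}
    if open_holds:
        entry.update(decision="refuse", scheduled_deletion=None, legal_basis=open_holds,
                     note="hold runs from end of business relationship, which has not occurred")
    elif running:
        latest = max(exp for exp, _ in running)  # the most demanding obligation wins
        entry.update(decision="refuse", scheduled_deletion=latest.isoformat(),
                     legal_basis=[basis for _, basis in running],
                     note="legal obligation exception; deletion scheduled at expiry of longest hold")
    elif not record.purpose_fulfilled:
        entry.update(decision="retain", scheduled_deletion=None,
                     legal_basis=["original purpose still requires the information"],
                     note="no legal hold; review when purpose is fulfilled")
    else:
        entry.update(decision="delete", scheduled_deletion=requested_on.isoformat(),
                     legal_basis=["no legal hold; original purpose fulfilled"],
                     note="limiting retention principle applies")
    return entry


if __name__ == "__main__":
    # Constructed sample: relationship ended 30 June 2022, so the PCMLTFA hold runs to 30 June 2027.
    kyc = Record("client-0001", date(2019, 3, 1), date(2022, 6, 30), ("PCMLTFA",), True)
    print(decide_deletion(kyc, date(2024, 1, 15)))
    print(decide_deletion(kyc, date(2027, 7, 1)))
```

Each returned entry is the evidence the fourth pillar asks for: who asked, when, what was decided, and under which obligation. Appending these entries to an append-only log gives a regulator the retention decisions and deletion confirmations the text describes.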

For organisations conducting a structured review of their current compliance posture, our compliance audit checklist provides a practical framework.




FAQ: Global Data Privacy Compliance

Does PIPEDA apply to a Canadian business that processes only data of Brazilian customers?

PIPEDA applies when a Canadian-established organisation collects, uses, or discloses personal information in the course of commercial activities. Separately, the LGPD applies because the individuals are located in Brazil. A Canadian organisation processing data of Brazilian residents in connection with services offered to those individuals is subject to both frameworks simultaneously, and must satisfy the obligations of each independently.

Can individual access requests under multiple laws be handled through a single process?

A single access request process can be designed to satisfy rights under multiple frameworks, provided the response timelines and scope of each law are observed. PIPEDA requires a response within 30 days. Loi 25 requires a response within 30 days. The CCPA/CPRA requires a response within 45 calendar days. A unified intake process that automatically applies the most stringent deadline will satisfy all three.

When is a Privacy Impact Assessment (PIA) mandatory?

Under Loi 25, a PIA is mandatory before any project involving personal information, any acquisition or modification of an information system, and any transfer of personal information outside Quebec. Under PIPEDA, PIAs are recommended but not mandatory. Under the EU GDPR, a DPIA is required before any processing likely to result in high risk to data subjects.

How should cross-border transfers be managed when no adequacy decision exists?

When no adequacy decision covers a destination jurisdiction, contractual safeguards must be implemented with the data importer. Under Loi 25, a privacy impact assessment documenting the legal environment in the destination jurisdiction is mandatory before any transfer. Under PIPEDA, the transferring organisation remains accountable for the protection of personal information regardless of where it is processed.

