PIPEDA Compliance Checklist: Don't Miss a Thing
Practical PIPEDA compliance checklist for organizations managing personal data in cloud and hybrid environments.
Originally published October 25, 2020. Updated for legal and cloud-platform accuracy on May 19, 2026.
Use this guide to map PIPEDA obligations, verify data-handling controls, and reduce compliance gaps before audits or incidents.
For related context, see Cloud Security and Compliance Readiness.
Canadian organizations handling personal information must align operations with overlapping privacy rules, cloud architecture constraints, and evolving regulatory expectations. This checklist focuses on practical compliance controls teams can implement and review on an ongoing basis.
What does PIPEDA stand for?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act, the Canadian federal private-sector privacy law. It received Royal Assent in 2000, came into force in phases from 2001, and became fully applicable to commercial activities in 2004. The Act has been amended several times since then, most notably by the Digital Privacy Act in 2015, which introduced mandatory breach notification provisions that took effect in 2018.
What is PIPEDA compliance?
If your organization collects, uses, or discloses personal information in the course of commercial activity, you are accountable under PIPEDA. Cloud architecture does not move that accountability anywhere. You can use a US-based processor and still be PIPEDA-compliant, provided your contracts and operating controls meet PIPEDA’s accountability requirements and your privacy notices are transparent about cross-border processing.
Where data physically sits, and who controls it, matters for a different reason. Personal information stored in the United States can be subject to US lawful-access regimes (the CLOUD Act, for example, and earlier statutes) regardless of who owns the data, and the CLOUD Act reaches data in a US-based provider’s custody wherever it is stored, so a Canadian region on its own does not remove that exposure. The Office of the Privacy Commissioner of Canada puts the federal position bluntly: “PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing” (OPC, Guidelines for processing personal data across borders). The obligation is accountability and transparency, not localization.
Canada also has no single national private-sector privacy standard. Alberta, British Columbia, and Quebec each operate their own private-sector privacy laws that have been declared substantially similar to PIPEDA, with Quebec’s Law 25 being the most active reform front. For provincially regulated organizations operating wholly inside one of those provinces, the provincial law applies first.
PIPEDA exemptions
PIPEDA does not apply to every organization. Outside its scope are:
- Federal government institutions covered by the Privacy Act
- Provincial and territorial governments, and entities acting on their behalf
- Not-for-profit groups, charities, political parties, and political associations where commercial activity is not central to their purpose
- Hospitals, schools, and universities, which are governed by provincial public-sector or health-information laws
- Individuals collecting information strictly for personal use
- Organizations collecting information for journalistic, artistic, or literary purposes
Provincially regulated organizations in Alberta, British Columbia, or Quebec should consult their applicable provincial law in addition to PIPEDA.
PIPEDA requirements
The core obligations are straightforward.
Consent must be obtained for the specific intended use of the data, before or at the time of collection, and obtained again if the purpose changes. Most teams implement this as an opt-in flow at the point of collection; express consent is the safe default for information likely to be considered sensitive.
Individuals must be able to see what personal information you hold about them. You must respond to an access request within 30 days (the Act allows a limited extension, with written notice to the individual), and correct inaccurate personal information when the individual can demonstrate the inaccuracy.
All personal information must be safeguarded with security controls appropriate to its sensitivity (administrative, physical, and technical).
Beyond these, PIPEDA codifies ten Fair Information Principles. The checklist below is the most useful operational form of those principles.
PIPEDA compliance checklist
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Each principle is described in detail in the OPC’s Guide to PIPEDA and should map directly to a documented control or policy on your side.
Federal privacy reform after Bill C-27
PIPEDA remains the operative federal law in 2026, but the reform path that was widely expected to replace it has stalled. Bill C-27, the Digital Charter Implementation Act, 2022 proposed the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal, and the Artificial Intelligence and Data Act (AIDA). Bill C-27 died on the Order Paper after prorogation.
Legal commentary following prorogation suggested that the same package was unlikely to return unchanged, but future federal privacy and AI legislation remains uncertain (Fasken, “Prorogation’s Digital Impact”). Quebec’s Law 25 is the active reform front today, with stronger consent requirements, data-portability rights, and meaningful penalties already in force.
Teams setting up privacy programs in 2026 should design to PIPEDA today, monitor any federal reform restart, and treat Quebec’s Law 25 as the closest available reference point for where forward-looking controls are heading.
PIPEDA compliance for AWS
AWS publishes a PIPEDA compliance statement and operates two regions inside Canada: ca-central-1 (Montreal, opened 2016) and ca-west-1 (Calgary, opened 2023). The combination matters because, in 2026, Canadian data residency no longer requires a single-region design. Workloads can be split or replicated across the two Canadian regions for resilience without leaving the country.
How to ensure your AWS data meets PIPEDA compliance
The first decision is connectivity. Traffic from on-premises to AWS over the public internet may be routed through US infrastructure even when the destination region is Canadian, and you do not control that path. Encryption in transit is the baseline regardless of routing. To keep traffic in Canada end to end you also need a private network path, typically AWS Direct Connect terminated at a Canadian Direct Connect location; a TLS-terminated entry point at a Canadian POP does not by itself keep the onward path inside the country. Provision the VPC and dependent resources in ca-central-1 or ca-west-1.
The second decision is reliability. Within a single region, split workloads across at least two availability zones so a zonal failure does not take the service down. For cross-region resilience that still keeps data on Canadian soil, replicate ca-central-1 to ca-west-1 rather than a US region.
The third decision is backup residency. Backups, snapshots, logs, and analytics exports are part of your residency boundary. Verify that S3 replication rules, RDS automated backup destinations, CloudTrail log targets, and any cross-region disaster-recovery copies all land inside Canada. Backup residency is the most common drift point on otherwise Canada-only architectures.
Beyond connectivity, region selection, and backup, the standard AWS controls still apply: customer-managed KMS keys with documented key custody, least-privilege IAM with regular access reviews, mandatory MFA, encrypted EBS/RDS/S3, VPC flow logs into a regionally resident logging account, and breach detection paired to the PIPEDA breach notification requirements introduced by the Digital Privacy Act. Note that global services such as IAM and CloudFront have control planes and edge infrastructure outside Canada; keep personal information out of them or document why they sit inside the residency boundary.
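The backup-residency check above is the part of this section most teams do by eye, and it is the part that drifts. The following is an added example, not code from the original article or from AWS: a small audit that takes an inventory an operator has already pulled with boto3 (the destination ARNs from GetBucketReplication, the S3BucketName from DescribeTrails, the ARNs from DescribeDBInstanceAutomatedBackups and DescribeSnapshots, plus a GetBucketLocation result for every bucket named), and flags every copy whose region is not ca-central-1 or ca-west-1. It handles the two traps that make a manual check unreliable: S3 bucket ARNs carry no region field, and GetBucketLocation reports us-east-1 as null. The sample inventory, bucket names, identifiers and the account id 123456789012 are constructed placeholders; the field shapes are modelled on those API responses.

```python
"""Residency audit for AWS backup, snapshot and log destinations.
Consumes an inventory pulled with boto3 (GetBucketReplication, DescribeTrails,
DescribeDBInstanceAutomatedBackups, DescribeSnapshots) plus GetBucketLocation
results for every bucket it names, and flags copies outside Canada."""
from dataclasses import dataclass
from typing import Optional

CANADA_REGIONS = frozenset({"ca-central-1", "ca-west-1"})


def region_from_arn(arn: str) -> Optional[str]:
    """Region field of arn:partition:service:region:account:resource, or None.
    S3 bucket ARNs (and IAM ARNs) leave it empty, so None means "not encoded
    here", never "in Canada". maxsplit=5 keeps ':' inside the resource part."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3] or None


def region_from_location_constraint(constraint: Optional[str]) -> str:
    """Map a GetBucketLocation LocationConstraint to a region name. The API
    returns null for us-east-1 and the legacy value "EU" for eu-west-1;
    treating null as "unknown" would hide a US bucket."""
    if not constraint:
        return "us-east-1"
    if constraint == "EU":
        return "eu-west-1"
    return constraint


@dataclass(frozen=True)
class Finding:
    source: str            # what produces the copy (replication rule, trail, ...)
    destination: str       # ARN of the copy, or name/ARN of the bucket it lands in
    region: Optional[str]  # None when it could not be resolved
    status: str            # "in-canada", "outside-canada" or "unresolved"


def classify(region: Optional[str]) -> str:
    if region is None:
        return "unresolved"
    return "in-canada" if region in CANADA_REGIONS else "outside-canada"


def audit_inventory(inventory: list[dict],
                    bucket_locations: dict[str, Optional[str]]) -> list[Finding]:
    """Resolve a region per destination: an explicit "region" the API reported,
    else the ARN's region field, else a GetBucketLocation lookup by bucket name.
    Anything still unknown is reported as unresolved, not assumed safe."""
    findings = []
    for item in inventory:
        dest = item["destination"]
        region = item.get("region")
        if region is None and dest.startswith("arn:"):
            region = region_from_arn(dest)
        if region is None:
            bucket = dest.removeprefix("arn:aws:s3:::")  # bare names pass through
            if bucket in bucket_locations:
                region = region_from_location_constraint(bucket_locations[bucket])
        findings.append(Finding(item["source"], dest, region, classify(region)))
    return findings


def drift(findings: list[Finding]) -> list[Finding]:
    """Everything that needs a human: outside Canada or not yet resolved."""
    return [f for f in findings if f.status != "in-canada"]


# Constructed sample inventory shaped like the API fields named above; bucket
# names, identifiers and the account id 123456789012 are placeholders.
SAMPLE_INVENTORY = [
    {"source": "s3:replication app-uploads-ca",
     "destination": "arn:aws:s3:::app-uploads-dr"},
    {"source": "rds:auto-backup orders-db",
     "destination": "arn:aws:rds:us-east-1:123456789012:auto-backup:ab-example"},
    {"source": "ec2:snapshot-copy vol-app",
     "destination": "arn:aws:ec2:ca-west-1:123456789012:snapshot/snap-0123456789abcdef0"},
    # DescribeTrails gives a bare S3BucketName; the trail's HomeRegion is
    # ca-central-1 but only the log bucket's own region counts.
    {"source": "cloudtrail:trail/org-trail", "destination": "org-trail-logs"},
    {"source": "athena:query-results", "destination": "arn:aws:s3:::analytics-results"},
]

# Constructed GetBucketLocation results: null is how the API spells us-east-1.
SAMPLE_BUCKET_LOCATIONS = {"app-uploads-dr": "ca-west-1", "org-trail-logs": None}

if __name__ == "__main__":
    for f in drift(audit_inventory(SAMPLE_INVENTORY, SAMPLE_BUCKET_LOCATIONS)):
        print(f"{f.status:15} {f.source:30} {f.destination} ({f.region})")
```

On the constructed data the RDS replica and the CloudTrail bucket come back as outside Canada (the trail bucket because null means us-east-1) and the Athena results bucket as unresolved because nobody looked its location up. To run it against a real account, feed `s3.get_bucket_location(Bucket=name)["LocationConstraint"]` into the locations map and the ARNs and bucket names from the listed describe calls into the inventory. The check answers only where copies land; it says nothing about who can compel access to them, and it is a point-in-time result, so schedule it alongside the quarterly review rather than running it once.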
What to do next
Start with a data-flow inventory: map every place personal information enters, moves, transforms, and exits. Validate consent capture and retention controls against the data-flow map. Confirm AWS region settings for primary storage, backups, logs, and analytics destinations. Run a quarterly compliance review with legal and security stakeholders so the program tracks both regulatory change (federal privacy reform after Bill C-27, Quebec Law 25 updates, provincial activity) and architectural drift.
This article is general information and not legal advice; for organization-specific guidance, consult Canadian privacy counsel.
Frequently asked questions
- What does PIPEDA stand for?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act, the Canadian federal private-sector privacy law. It received Royal Assent in 2000 and became fully applicable to commercial activities in 2004, with the Digital Privacy Act introducing mandatory breach notification provisions in 2018.
- Who must comply with PIPEDA?
PIPEDA applies to organizations that collect, use, or disclose personal information in the course of commercial activity, including in inter-provincial and international transactions. Federal government institutions, provincial governments, hospitals, schools, universities, and most not-for-profits are outside its scope. Provincially regulated organizations in Alberta, British Columbia, or Quebec may also be subject to provincial private-sector privacy laws.
- What are the 10 PIPEDA principles?
PIPEDA codifies ten Fair Information Principles: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure, and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance. Each principle should map to a documented control or policy in your organization.
- Will Bill C-27 replace PIPEDA?
No. Bill C-27 (the Digital Charter Implementation Act, 2022) proposed the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA), but it died on the Order Paper when Parliament was prorogued on January 6, 2025. Legal commentary following prorogation suggested that the same package was unlikely to return unchanged, but future federal privacy and AI legislation remains uncertain. PIPEDA remains the operative federal law in 2026. Quebec's Law 25 is the active provincial reform track today.
- How long do I have to respond to a PIPEDA access request?
An organization must respond to an individual's request to access their personal information within 30 days. If you cannot meet the deadline, you must notify the individual in writing of the delay and the reason for it. Refusals to provide access must include a written explanation.
- Does PIPEDA require breach notification?
Yes. Since November 2018, organizations subject to PIPEDA must report breaches of security safeguards that create a real risk of significant harm to individuals to the Office of the Privacy Commissioner of Canada, notify affected individuals, and keep records of all breaches for 24 months.