Free Resource · Updated 2026

PIPEDA Compliance Checklist for Canadian Small Businesses

A plain-English 10-point checklist covering everything a Canadian small business needs to comply with PIPEDA — Canada's federal private sector privacy law.

Free to use and share · Updated for 2026 · Covers all provinces

Not legal advice. This checklist is for general educational purposes. For specific legal guidance on your business's privacy obligations, consult a Canadian privacy lawyer or the Office of the Privacy Commissioner of Canada.

Required by PIPEDA (8 items)

01. Designate a Privacy Officer (Required)

PIPEDA requires every organization to designate an individual responsible for privacy compliance. This can be the owner in a small business. Their name and contact info must be available to anyone who asks.

Action: Name a privacy contact and add them (or a privacy email) to your website's Privacy Policy page.

02. Publish a Privacy Policy on Your Website (Required)

Every Canadian business website that collects personal information must have a publicly accessible Privacy Policy. It must explain what data you collect, why, how it's used, and how users can access or delete their information.

Action: Create a Privacy Policy page at yourdomain.com/privacy. Update it whenever your data practices change.

03. Obtain Meaningful Consent Before Collecting Data (Required)

You must get clear consent before collecting personal information. Pre-checked boxes do not count. For sensitive data (health, financial), express consent (opt-in) is required. For less sensitive data, implied consent may suffice in some cases.

Action: Audit every form on your website. Ensure users actively opt in to marketing. Remove pre-checked consent boxes.

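
One way to run the form audit above is to scan your site's HTML for consent-style checkboxes that are pre-checked. This is an added example, not code from the checklist or its author; the keyword list used to recognise consent fields and the sample form are assumptions you would adjust for your own site.

```python
# Added example (not from the checklist): flag pre-checked consent checkboxes,
# which do not count as meaningful consent under PIPEDA.
from html.parser import HTMLParser

# Assumption: substrings that suggest a checkbox is a consent or marketing
# opt-in. Adjust to the field names actually used on your forms.
CONSENT_HINTS = ("consent", "marketing", "newsletter", "optin", "opt_in",
                 "subscribe", "agree", "promo")


class ConsentAuditor(HTMLParser):
    """Collects every consent-style checkbox and whether it is pre-checked."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, is_prechecked)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "checkbox":
            return
        ident = " ".join((a.get("name", ""), a.get("id", ""),
                          a.get("value", ""))).lower()
        if any(hint in ident for hint in CONSENT_HINTS):
            # A bare "checked" attribute parses as ("checked", None).
            self.findings.append((a.get("name") or a.get("id") or "?",
                                  "checked" in a))


def prechecked_consent_boxes(html):
    """Return the names of consent-style checkboxes that are pre-checked."""
    auditor = ConsentAuditor()
    auditor.feed(html)
    return [name for name, checked in auditor.findings if checked]


# Constructed sample form: one pre-checked marketing box (non-compliant),
# one un-checked agreement box, and a pre-checked non-consent box.
SAMPLE_FORM = """
<form action="/signup" method="post">
  <input type="email" name="email">
  <input type="checkbox" name="newsletter_optin" checked> Send me offers
  <input type="checkbox" name="tos_agree"> I agree to the terms
  <input type="checkbox" name="remember_me" checked> Remember me
</form>
"""

if __name__ == "__main__":
    print(prechecked_consent_boxes(SAMPLE_FORM))  # ['newsletter_optin']
```

Run it over each page's HTML (for example, saved copies of your sign-up and contact forms); any name it returns is a box that should be un-checked by default.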
04. Only Collect What You Actually Need (Required)

PIPEDA's principle of data minimisation means you can only collect personal information that is necessary for the identified purpose. Collecting data 'just in case' is non-compliant.

Action: Review your contact forms, intake forms, and sign-up flows. Remove any fields you don't actively use.

05. Secure Personal Data Against Breach (Required)

You must protect personal information with security safeguards appropriate to its sensitivity. This includes encryption at rest and in transit, access controls, and regular security reviews.

Action: Ensure your website uses HTTPS. If you store customer data, verify it's encrypted and access is role-restricted.

06. Report Breaches to the OPC (Required)

Since November 2018, PIPEDA requires mandatory breach reporting. If a breach poses a 'real risk of significant harm' to individuals, you must notify the Office of the Privacy Commissioner (OPC) and affected individuals as soon as feasible.

Action: Create a breach response plan. Know who to contact at the OPC (priv.gc.ca). Train anyone with access to customer data.

07. Maintain a Record of Breaches (Required)

You must keep a record of every breach involving personal information — even if it doesn't meet the reporting threshold. The OPC can request this record at any time.

Action: Create a simple breach log (even a spreadsheet) and record any incidents involving personal data.

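
A breach log can be more than a spreadsheet: the small register below records every incident (item 07) and separates out those whose 'real risk of significant harm' assessment means the OPC and affected individuals must be notified (item 06). This is an added example, not code from the checklist or its author; the record fields and the sample incidents are assumptions, not something PIPEDA prescribes.

```python
# Added example (not from the checklist): a minimal breach register.
# Every incident is logged; only RROSH ("real risk of significant harm")
# incidents are listed as needing OPC and individual notification.
from dataclasses import dataclass, asdict
from typing import List, Optional
import json


@dataclass
class BreachRecord:
    # Assumption: these fields are one reasonable set, not a legal list.
    incident_id: str
    discovered: str                              # ISO date, e.g. "2026-02-01"
    description: str
    data_types: List[str]                        # e.g. ["email", "health"]
    individuals_affected: int
    rrosh: bool                                  # outcome of the harm assessment
    opc_notified: Optional[str] = None           # ISO date once the OPC is told
    individuals_notified: Optional[str] = None   # ISO date once people are told


class BreachRegister:
    def __init__(self):
        self._records: List[BreachRecord] = []

    def record(self, rec: BreachRecord) -> None:
        # Logged whether or not the reporting threshold is met.
        self._records.append(rec)

    def pending_notifications(self) -> List[BreachRecord]:
        """RROSH breaches for which the OPC or the individuals are not yet notified."""
        return [r for r in self._records if r.rrosh
                and (r.opc_notified is None or r.individuals_notified is None)]

    def mark_notified(self, incident_id: str, when: str) -> None:
        for r in self._records:
            if r.incident_id == incident_id:
                r.opc_notified = r.individuals_notified = when

    def export(self) -> str:
        """The complete record, in a form you can hand over when the OPC asks."""
        return json.dumps([asdict(r) for r in self._records], indent=2)


def demo_register() -> BreachRegister:
    """Constructed sample data: one sub-threshold incident and one RROSH breach."""
    reg = BreachRegister()
    reg.record(BreachRecord("INC-001", "2026-01-05", "Misdirected invoice email",
                            ["name", "email"], 1, rrosh=False))
    reg.record(BreachRecord("INC-002", "2026-02-01", "Patient database exposed",
                            ["name", "health"], 300, rrosh=True))
    return reg
```

`demo_register().pending_notifications()` lists only INC-002 until `mark_notified` is called for it, while `export()` always returns both incidents.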
08. Allow Customers to Access Their Data (Required)

Individuals have the right to know what personal information you hold about them and to request corrections. You have 30 days to respond to access requests.

Action: Add a process for data access requests to your Privacy Policy. Designate who handles these requests.

Strongly Recommended (2 items)

09. Use Canadian-Region Servers for Sensitive Data (Recommended)

PIPEDA doesn't prohibit storing data outside Canada, but you must inform users when their data is processed in another country and ensure equivalent protection. Using Canadian-region cloud infrastructure simplifies compliance significantly — especially in healthcare and legal.

Action: If you store health, financial, or legal data, use AWS ca-central-1, Azure Canada Central, or GCP northamerica-northeast1.

10. Include a Cookie Consent Notice (Recommended)

Canada's Anti-Spam Legislation (CASL) and PIPEDA together require transparency about tracking. If your website uses cookies that collect personal data (analytics, advertising), you should inform users and, for non-essential cookies, obtain consent.

Action: Add a cookie notice to your website. Tools like CookieYes or Cookiebot handle this automatically.

Frequently Asked Questions

Does PIPEDA apply to small businesses in Canada?

Yes. PIPEDA applies to all private sector organizations in Canada that collect, use, or disclose personal information in the course of commercial activity — regardless of size. Most small businesses collecting customer data are covered.

What is the penalty for PIPEDA non-compliance?

Organizations can face fines up to $100,000 CAD for knowingly violating PIPEDA. More practically, the OPC can investigate complaints, issue findings, and publish reports that damage your reputation.

Does Quebec have different privacy rules?

Yes. Quebec's Law 25 came into full effect in September 2023 and is stricter than PIPEDA — including mandatory privacy impact assessments, stricter consent requirements, and higher fines (up to $25 million CAD or 4% of worldwide turnover).

Need a PIPEDA-Compliant Software System?

ElevenClicks builds web apps, mobile apps, and AI systems for Canadian businesses with PIPEDA compliance built in from day one — Canadian-region hosting, encrypted storage, role-based access controls.