Alberta PIPA Reform: What the 12 Recommendations Mean for Your Business
By Yong Du
Alberta's Standing Committee recommended 12 PIPA amendments — new enforcement powers, a defined harm threshold, and mandatory vendor contracts.
Alberta is rewriting its privacy law — here's what's coming
Alberta's Personal Information Protection Act has governed private-sector data handling since 2004, with its last substantial update in 2010. The Standing Committee on Resource Stewardship completed a mandatory review and submitted 12 recommendations to the Legislative Assembly in February 2025. The Government of Alberta ran a public engagement survey in February 2026 and is currently engaging with the OIPC Alberta through Spring 2026.
No amendment bill has been introduced. But the direction is established.
This guide covers what the 12 recommendations mean for Alberta private-sector organizations — and which changes require action before reform takes effect.
The three changes that matter most
Administrative monetary penalties — enforcement gets teeth
The OIPC Alberta currently has authority to investigate complaints, issue findings, and order compliance — but cannot impose fines directly. This is Alberta PIPA's most significant enforcement gap relative to every other Canadian privacy regime.
Recommendation 3 would give the OIPC Alberta authority to impose administrative monetary penalties (AMPs) with:
- Clear criteria for determining penalty amounts
- Increased amounts for serious contraventions, repeated violations, and wilful noncompliance
- An appeal mechanism for organizations
Currently, an Alberta organization that ignores a compliance order faces limited immediate financial consequence. Under AMPs, noncompliance becomes directly costly. BC's OIPC already has this authority. Under C-36 (PPCDA), federal AMPs reach up to the greater of $10 million or 3% of gross global revenue for serious violations. Alberta's penalty ceiling — currently $100,000 for an organization — would need to rise substantially to satisfy Recommendation 9, which directs that Alberta penalties match or exceed comparable Canadian legislation.
Defining significant harm — the RROSH threshold gets codified
Alberta PIPA requires reporting breaches when there is a real risk of significant harm to individuals — but the Act does not define what significant harm means. The current standard relies on a reasonable person test, leaving considerable room for interpretation.
Recommendation 10 would amend PIPA to define significant harm explicitly in the context of loss or unauthorized access or disclosure of personal information.
A statutory definition would align Alberta with PIPEDA and C-36 (PPCDA), which both enumerate specific harm categories: bodily harm, financial loss, identity theft, humiliation, loss of employment, and damage to credit records. For breach assessment, codified harm categories remove interpretive uncertainty — and remove the argument that ambiguity justified non-reporting.
The RROSH threshold itself is not changing. The reform makes the threshold more precise, not different.
Mandatory vendor contracts — your service provider agreements need updating
Alberta PIPA requires organizations to take reasonable steps to protect personal information handled by third parties — but does not require that vendors be contractually bound to PIPA's requirements.
Recommendation 12 would require organizations to contractually bind third-party service providers to comply with PIPA requirements for personal information in the organization's custody or control.
This effectively mandates data processing agreements with every service provider that handles personal information on the organization's behalf — cloud storage platforms, payroll processors, CRM tools, IT support providers. Organizations that have never formalized vendor data obligations will need to inventory their vendor relationships and address each one.
The nine other recommendations
Minors (Rec 1): PIPA will include specific requirements for collection, use, and disclosure of personal information of minors. Currently the Act treats children identically to adults.
Substantially similar designation (Rec 2): The Government must ensure PIPA remains substantially similar to federal private-sector privacy legislation. With C-36 (PPCDA) now introduced, this recommendation applies to C-36. Alberta must align with C-36's requirements to keep the substantially similar designation — which preserves Alberta's PIPEDA exemption.
Aligning with world-leading jurisdictions (Rec 4): The Government must monitor privacy developments globally and ensure PIPA maintains comparable or better requirements than leading jurisdictions.
Deidentified and anonymized data (Rec 5): PIPA will include comprehensive provisions on deidentification and anonymization — standardized definitions aligned with other Canadian jurisdictions, clear rules for subsequent use of deidentified data, and consistent technical standards for deidentification processes. Currently PIPA addresses non-identifying information but does not define the term or provide a framework.
Alignment of Alberta's privacy laws (Rec 6): The Government must improve alignment among PIPA, the Health Information Act, and the Protection of Privacy Act (POPA). Organizations subject to multiple Alberta privacy statutes — pharmacies, dental practices, and other health-adjacent private-sector businesses — will face more consistent obligations across all three frameworks.
Nonprofit scope (Rec 7): PIPA will clarify the definition of commercial activity for nonprofit organizations, and the Government will develop best-practice guidelines for nonprofits carrying out noncommercial activities.
Forms of consent (Rec 8): PIPA will more clearly define, in plain language, three forms of consent: deemed consent, express consent, and opt-out consent. Current consent requirements are considered unclear in practice.
Offences and penalties (Rec 9): The existing penalty ceiling — $10,000 for an individual, $100,000 for an organization — must be raised to match or exceed comparable Canadian legislation. C-36 (PPCDA) proposes AMPs up to the greater of $10 million or 3% of gross global revenue for serious violations.
Automated decision-making (Rec 11): Organizations will be required to notify individuals when an automated processing system is used to make a decision about that individual. This includes algorithmic tools and AI systems used in hiring, credit decisions, pricing, or customer triage.
What the C-36 connection means for Alberta organizations
C-36 (the Protecting Privacy and Consumer Data Act) received first reading on June 15, 2026. C-36 explicitly preserves the substantially similar provincial exemption — Alberta PIPA continues to govern intraprovincial commercial activity for Alberta businesses, and C-36 applies to cross-provincial and international activity.
The substantially similar designation must be actively maintained. Where C-36 introduces requirements that PIPA does not match — Privacy Management Programs, automated decision-making notification, deidentification standards — Alberta must amend PIPA to keep alignment. If it does not, Alberta organizations with purely intraprovincial activity could face federal obligations in addition to PIPA — two frameworks instead of one.
For breach reporting: C-36's breach provisions are structurally identical to PIPEDA. The RROSH threshold, factors, timing, and reporting obligations carry over unchanged. Alberta PIPA breach reporting to the OIPC Alberta remains separate and is preserved under C-36.
See What Is Bill C-36? Canada's New Privacy Law for the full federal reform analysis.
Reform timeline
| Date | Event |
|---|---|
| January 2024 | Standing Committee begins mandatory PIPA review |
| February 2025 | Committee submits 12 recommendations to the Legislative Assembly |
| June 2025 | POPA comes into force — Privacy Management Programs mandatory for public bodies by June 2026 |
| February 2026 | Government public engagement survey closes |
| Spring 2026 | Government engaging with OIPC Alberta |
| June 15, 2026 | C-36 (PPCDA) receives first reading — substantially similar obligation now references C-36 |
| 2026–2027 | PIPA amendment bill expected — no timeline announced |
What to do now
No proclamation date means no compliance deadline yet. But organizations that build privacy documentation now will have a straightforward path to compliance when amendments arrive. Organizations that have done nothing face a compressed timeline once a bill is introduced.
Designate a privacy officer. PIPA already requires one under its accountability principle. This is a current obligation, not a future one.
Document your privacy practices. Maintain written policies covering collection, use, disclosure, retention, and disposal of personal information. When a Privacy Management Program requirement arrives, this documentation is the foundation.
Review your vendor relationships. Recommendation 12 will require formal data processing agreements with service providers that handle personal information on your behalf. Inventorying those vendors now is the first step.
Assess your breach response procedure. The RROSH threshold and reporting process are not changing. Organizations without a documented breach response procedure have a gap under current PIPA — reform makes it more visible.
Related guides
- Alberta PIPA Breach Notification Requirements — current obligations when a breach occurs under Alberta PIPA
- Alberta PIPA Compliance Requirements — what Alberta organizations must have in place under current PIPA
- Alberta POPA and Private Sector Implications — how Alberta's public-sector law signals where PIPA reform is heading
- What Is Bill C-36? Canada's New Privacy Law — the federal reform Alberta must align with to maintain substantially similar status
- Which Privacy Law Applies to My Alberta Business? — when Alberta PIPA applies, when federal law applies, and when both apply
This guide is based on the Standing Committee on Resource Stewardship's Final Report — Review of the Personal Information Protection Act (February 2025) and the Government of Alberta's engagement process as of June 2026. No PIPA amendment bill has been introduced as of the date of publication. ClearBreach will update this guide when legislation is tabled.
Frequently asked questions
Has Alberta PIPA been amended yet?
No. As of June 2026, no PIPA amendment bill has been introduced in the Alberta Legislature. The Standing Committee on Resource Stewardship published 12 recommendations in February 2025. The Government of Alberta ran a public engagement survey in February 2026 and is engaging with the OIPC Alberta through Spring 2026. Reform is expected in 2026–2027 but no timeline has been announced.
What are the most important Alberta PIPA reform recommendations?
The three most consequential recommendations for private-sector organizations are: giving the OIPC Alberta authority to impose administrative monetary penalties; amending PIPA to define significant harm with specific criteria; and requiring organizations to contractually bind third-party service providers to comply with PIPA requirements.
Will Alberta PIPA still be substantially similar to federal law after reform?
That is the intent. Recommendation 2 directs the Government to ensure PIPA remains substantially similar to federal private-sector privacy legislation — now C-36 (PPCDA) rather than PIPEDA. C-36 explicitly preserves the substantially similar exemption for Alberta. If Alberta fails to align with C-36's requirements, Alberta organizations could face both laws simultaneously.
When will Alberta PIPA amendments take effect?
No bill has been introduced as of June 2026. The Government completed a public engagement survey in February 2026 and is engaging with the OIPC through Spring 2026. Reform is expected in 2026–2027 but no timeline has been announced. Organizations should build their privacy documentation now rather than waiting for a proclamation date.
Does the reform change how Alberta organizations report data breaches?
No. The RROSH threshold, the requirement to report to the OIPC Alberta, and the obligation to notify affected individuals are not changed by the recommendations. Recommendation 10 would define significant harm more explicitly in legislation, removing interpretive ambiguity — but the core test and process remain unchanged.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.