BC PIPA Compliance Requirements for BC Organizations
By Yong Du
The ongoing privacy compliance obligations BC private-sector and non-profit organizations must meet under British Columbia's Personal Information Protection Act.
BC PIPA compliance requirements
British Columbia's Personal Information Protection Act (BC PIPA) governs how private-sector and non-profit organizations in BC collect, use, and disclose personal information. Unlike PIPEDA and Alberta PIPA, BC PIPA extends compliance obligations to non-profit organizations — a distinction that affects a significant number of BC community organizations, associations, and charities. The Office of the Information and Privacy Commissioner for BC (OIPC BC) investigates complaints and has authority to issue compliance orders.
Who must comply with BC PIPA
BC PIPA applies to all private-sector organizations and non-profit organizations that collect, use, or disclose personal information in BC in the course of their activities. This is broader than PIPEDA and Alberta PIPA, which apply only to commercial activity.
Organizations with cross-border or interprovincial commercial activity are subject to both BC PIPA (for intraprovincial activity) and PIPEDA. Federally regulated sectors are subject to PIPEDA regardless of province.
Core compliance obligations under BC PIPA
Accountability: Designate one or more individuals responsible for the organization's compliance with BC PIPA. That person must implement policies and procedures covering consent, safeguards, access, and complaint handling.
Purpose and consent: Document the purpose of collection before collecting. Obtain consent appropriate to the sensitivity of the information and the circumstances. BC PIPA distinguishes between consent for collection, consent for use, and consent for disclosure — each may need to be addressed separately depending on the organization's practices.
Collection, use, and disclosure limits: Collect only what is necessary for the stated purpose. Use and disclose personal information only as consented or as specifically authorized under BC PIPA.
Safeguards: Protect personal information with safeguards appropriate to the sensitivity of the information. The OIPC BC expects documented security practices, access controls, and encryption for sensitive information.
Openness: Publish a privacy policy describing the organization's practices and how individuals can access their information or file a complaint.
Access and correction: Respond to access requests within 30 business days — this is 30 business days, not calendar days. Correction requests must also be addressed in a timely manner.
Complaint handling: Maintain a process for receiving and responding to complaints. If a complainant is not satisfied with the organization's response, BC PIPA gives them the right to file a complaint with the OIPC BC.
Breach reporting under BC PIPA — voluntary, not mandatory
A key distinction from PIPEDA and Alberta PIPA: reporting a breach to the OIPC BC is voluntary under current BC PIPA. However, individual notification obligations still apply when a breach poses a real risk of significant harm (RROSH). Organizations should document their RROSH assessment for every breach regardless of whether they report to the OIPC BC — that record demonstrates good faith if the OIPC BC later receives a complaint.
See BC PIPA Privacy Breach Reporting Requirements for the full breach response framework.
What the OIPC BC looks for
In investigations, the OIPC BC expects organizations to produce: evidence of a named privacy contact, a written privacy policy, documented consent processes, evidence of appropriate safeguards, and a complaint handling procedure. The OIPC BC also looks at whether the organization's response to a complaint, access request, or breach was prompt and substantive — not procedurally evasive.
Common compliance gaps
Non-profit organizations subject to BC PIPA — community associations, charities, industry bodies — frequently have no privacy officer and no written privacy policy. The assumption that privacy obligations apply only to commercial businesses is incorrect under BC PIPA. For commercial organizations, vendor management and employee personal information practices are common gap areas.
The OPC's 2025–2026 Canadian business survey found 28% of businesses have no privacy officer, 23% have no complaint procedure, and 45% lack encryption — patterns consistent with OIPC BC findings.
Assess your compliance posture
ClearBreach's Privacy Management Program assessment covers all BC PIPA compliance areas, identifies gaps, and generates a Compliance Posture Certificate and Gap Report.
Related guides
- Which Privacy Law Applies to My BC Business? — the dual-statute situation: when BC PIPA applies, when PIPEDA applies, and when both apply
- Do I Need a Written Privacy Policy? — what PIPEDA Principle 8 and BC PIPA s.5 require and what the policy must contain
- What to Do When You Receive a PIPEDA Privacy Complaint — complaint handling obligations applicable to BC organizations subject to both BC PIPA and PIPEDA
- Do You Need a Privacy Impact Assessment? — when a PIA is required or recommended under BC PIPA and PIPEDA
- BC PIPA Privacy Breach Reporting Requirements — breach response obligations under BC PIPA
- Why Canadian Privacy Compliance Resources Require Expertise to Apply — why regulatory guidance is built for professionals and what SMBs need instead
This guide covers BC PIPA compliance obligations for private-sector and non-profit organizations. Organizations with cross-border commercial activity are also subject to PIPEDA — see PIPEDA Compliance Requirements for Canadian Organizations.
If your organization handles personal health information under BC health legislation, additional obligations may apply that are not covered here.
This guide covers BC PIPA compliance obligations and does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64). Quebec-registered organizations are subject to Law 25 — consult the Commission d'accès à l'information.
Frequently asked questions
Does BC PIPA apply to non-profit organizations?
Yes. Unlike PIPEDA and Alberta PIPA, BC PIPA applies to both private-sector and non-profit organizations that collect, use, or disclose personal information in BC in the course of their activities. Non-profits should review their compliance obligations under BC PIPA carefully.
Is breach reporting mandatory under BC PIPA?
No. Unlike PIPEDA and Alberta PIPA, where breach reporting to the regulator is mandatory when RROSH is present, reporting to the OIPC BC is voluntary under current BC PIPA. Individual notification obligations still apply when a breach poses a real risk of significant harm.
How does BC PIPA differ from PIPEDA?
BC PIPA applies to both commercial and non-profit organizations. Reporting a breach to the OIPC BC is voluntary, not mandatory. BC PIPA applies only to intraprovincial activity — cross-border activity triggers PIPEDA. Access requests must be responded to within 30 business days under BC PIPA.
What does the OIPC BC look for in a compliance investigation?
The OIPC BC expects a named privacy contact, documented consent practices, a written privacy policy, appropriate safeguards for the information held, and a complaint handling procedure.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.