Do I Need a Written Privacy Policy? What PIPEDA and Alberta PIPA Require

Do I need a written privacy policy?

Yes. If your organization collects, uses, or discloses personal information in the course of commercial activity in Canada, PIPEDA Principle 8 requires you to publish a privacy policy describing your practices. Alberta PIPA s.5 and BC PIPA s.5 have parallel requirements for intraprovincial activity. This is a current legal obligation — not a recommendation. An organization without a publicly accessible privacy policy is non-compliant before any complaint is filed or investigation opened.

---

What the law actually requires

PIPEDA Principle 8 (Openness) requires organizations to make readily available, in a form that is generally understandable, specific information about their policies and practices relating to the management of personal information.

The OPC interprets Principle 8 to require the policy to address:

• What personal information the organization collects
• Why it is collected — the purposes
• How individuals can access their personal information or request corrections
• How to file a complaint
• How to reach the designated privacy contact

Alberta PIPA s.5 requires a designated person responsible for the organization's compliance with PIPA and a privacy management program that includes written policies. The policy must be in writing and available to individuals who request it. BC PIPA has a parallel requirement.

The practical standard: the policy must be publicly accessible — for most organizations, a page on the organization's website reachable from the homepage.

---

What this looks like for a small organization

For a 12-person accounting firm, the policy does not need to be a 30-page legal document. It needs to accurately describe the client information you collect (names, contact details, financial records, tax information), why you collect it (to provide accounting services and meet statutory filing obligations), who you share it with (CRA, provincial revenue agencies, banks where authorized), how long you retain records, and how a client can request access to their file or file a complaint.

The proportionality principle under PIPEDA Principle 7 shapes what is reasonable. The complexity of the policy should reflect the complexity of your actual practices — not the size of your organization. For the very smallest organizations — a five-person firm with straightforward client contracts — the minimum viable version is a single accessible page covering seven elements: what you collect, why, how you use it, who you share it with, how long you keep it, how individuals can access their information, and how to contact your privacy officer. That page, accurately reflecting your practices, satisfies Principle 8.

The critical test: your privacy policy must describe what you actually do. A policy copied from a template that does not match your organization's actual practices is worse than no policy — it creates a documented record of practices you do not follow. In an OPC investigation, a policy that contradicts your actual operations raises credibility concerns that extend beyond the specific complaint.

---

What regulators look for

The OPC expects a publicly accessible policy that identifies a privacy contact, describes how to file a complaint, and is specific enough to your organization's actual practices that it could be produced in an investigation and reviewed against the facts.

The 2012 joint guidance from the OPC, OIPC Alberta, and OIPC BC on Privacy Management Programs identifies written policies and procedures as one of the four foundational elements the OPC expects in every organization. A privacy policy that exists but does not address the complaint being investigated — for example, a policy that describes your collection practices but says nothing about disclosure to third-party vendors — does not demonstrate good-faith compliance.

OIPC Alberta has increasingly focused in investigations on whether organizations have a formal Privacy Management Program, of which the privacy policy is one component. Organizations that can produce a policy, identify their privacy officer, and demonstrate staff awareness of the policy are significantly more likely to reach early resolution.

---

The gap most organizations have

The OPC's 2025–2026 business survey found that while 72% of Canadian businesses claim high privacy awareness, documentation gaps remain the most common compliance failure. Most Canadian SMBs either have no privacy policy or have one generated from a generic template that has never been reviewed against actual practices.

The structural problem: a template tells you what a privacy policy should contain. It cannot tell you whether what you have written is accurate for your specific organization. The OPC's published guidance sets out the required elements. Applying that guidance to verify that those elements are correctly documented against your organization's specific practices is the step most organizations skip — and the step that determines whether the policy holds up when it is reviewed.

An organization with a policy page on its website that has never been compared against its actual data practices has documentation that appears compliant but may not hold up when the OPC requests evidence that the practices described are actually in place.

---

How to close this gap

1. Audit what personal information your organization actually collects — list every category (names, contact information, financial records, health information, employee information, website visitor data).
2. For each category, document the purpose of collection and all the ways you use or disclose it.
3. Identify all third parties who receive personal information and the basis for each disclosure.
4. Establish your retention practice — how long each category is kept and how it is disposed of.
5. Designate a privacy contact — include the role and how to reach them (a personal name is not required, but a reachable role is).
6. Publish the policy on your website, reachable from the homepage.
7. Review the policy annually and whenever your practices change — new software, new vendor, new service line.

---

Annual review

Your privacy policy must accurately reflect your current practices. When you add a vendor who receives personal information, adopt new software that collects data, or change your retention schedule, the policy requires updating. Annual review is a component of the OPC's Privacy Management Program guidance — it is the mechanism by which a one-time compliance exercise becomes an ongoing compliance practice.

ClearBreach's Privacy Management Program assessment covers all ten PIPEDA compliance areas — including whether your privacy policy is current, accurate, and complete — and generates a Compliance Posture Certificate and Gap Report.

Get early access →

---

Related guides

• PIPEDA Compliance Requirements — all ten PIPEDA obligations in one place
• Alberta PIPA Compliance Requirements — AB PIPA obligations for Alberta organizations
• BC PIPA Compliance Requirements — BC PIPA obligations for BC organizations
• What to Do When You Receive a PIPEDA Privacy Complaint — Principle 10 complaint handling
• Do You Need a Privacy Impact Assessment? — when a PIA is required or recommended

---

This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for private-sector organizations. It does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), which has its own privacy policy requirements.

If your organization handles personal health information under provincial health legislation such as Alberta's Health Information Act or BC's health statutes, additional obligations may apply that are not covered here.