What to Do When You Receive a PIPEDA Privacy Complaint
By Yong Du
How Canadian organizations must respond to a direct privacy complaint or OPC investigation under PIPEDA Principle 10 and Alberta PIPA s.5 and s.36.
Responding to privacy complaints is mandatory under PIPEDA Principle 10 and AB PIPA s.5. Your organization must have a designated person responsible for receiving complaints and a documented process for handling them. An organization that cannot demonstrate a complaint handling process when the OPC investigates has already failed before the first substantive question is asked.
What the law actually requires
PIPEDA Principle 10 requires every organization subject to PIPEDA to have a procedure for receiving and addressing complaints about its compliance with the law. The person designated to receive complaints must be named, reachable, and actually involved in handling them.
Under AB PIPA, the accountability obligation in s.5 requires organizations to designate a responsible individual and implement policies and procedures to meet their PIPA obligations — which includes complaint handling. AB PIPA s.36 gives individuals the right to complain to the Commissioner if they are not satisfied with your organization's response. BC PIPA contains equivalent provisions.
In 2025–2026 the Office of the Privacy Commissioner of Canada received 3,044 PIPEDA complaints — a 109% increase over the previous year. The OPC attributes part of this surge to AI-enhanced search engines making the complaint process easier to find. More of your customers, employees, and business contacts know how to file a complaint than at any point in the past decade.
Two types of complaint, two different processes
A direct complaint arrives when an individual contacts your organization directly to challenge how you handled their personal information. They are exercising their right under PIPEDA Principle 10 to have the matter reviewed by your designated privacy contact.
An OPC complaint arrives when an individual bypasses your organization and files directly with the OPC. The OPC then contacts your organization to begin a formal investigation. This is a regulatory proceeding.
Important: PIPEDA s.12 gives your organization 30 days to respond to an access request — when an individual asks to see personal information you hold about them. That 30-day clock does not apply to complaints. PIPEDA Principle 10 sets no fixed statutory deadline for complaint responses. Acknowledging receipt within two to three business days is a practical recommendation for demonstrating good faith — it is not a legal requirement.
What this looks like for a small organization
A 10-person accounting firm does not need a dedicated privacy officer or a formal complaint intake system. What it needs is one named person — the owner, the office manager, a senior staff member — designated as the privacy contact, documented in the privacy policy, and prepared to handle a complaint when it arrives. PIPEDA Principle 7 requires safeguards appropriate to the sensitivity of information. The same proportionality applies to complaint handling — the standard scales with the size and risk profile of the organization.
When a complaint arrives, here is what that response looks like in practice:
- Acknowledge receipt — contact the individual to confirm the complaint has been received and is under review.
- Identify precisely what is at issue — which personal information, which practice (collection, use, disclosure, access, or retention). A vague complaint requires clarification before you can investigate.
- Review your practices against PIPEDA or the applicable provincial PIPA for the specific area at issue.
- Record the complaint date, the allegation, what you investigated, what you found, and how you responded. If the OPC later investigates, this record is your evidence that the complaint was taken seriously.
- Respond in writing addressing the specific allegation. If a gap in your practices exists, state what corrective action you are taking.
- If the alleged violation is material or involves sensitive personal information, involve legal counsel before responding.
What regulators look for
When the OPC investigates a complaint, your organization will receive a written request for a response to the specific allegations, along with requests for relevant records — your privacy policy, relevant communications, and your complaint handling procedures. Investigations take months. The OPC closed only 302 of 3,044 PIPEDA complaints through early resolution in 2025–2026. Organizations that respond promptly and substantively are significantly more likely to reach early resolution than those that do not.
The joint OPC/OIPC Alberta/OIPC BC Privacy Management Program guidance (April 17, 2012) identifies accountability and complaint handling as foundational elements of any privacy program. In an investigation, the OPC will look for:
- A named privacy officer — PIPEDA Principle 1 requires accountability to be assigned to a specific person, not distributed across the organization
- A written privacy policy that describes the complaint process — PIPEDA Principle 8 requires this to be available to individuals
- A documented complaint handling procedure — Principle 10 requires the procedure to exist and the OPC expects to see it
- Evidence the complaint was taken seriously — a written response, a record of the investigation, corrective action where warranted
The gap most organizations have
The OPC's 2025–2026 business privacy survey found that 23% of Canadian businesses have no complaint procedures, 28% have no designated privacy officer, and 26% have no documented staff policies. These organizations are responding to complaints — or being investigated — without the foundations the OPC expects to see. The absence of a complaint procedure does not protect an organization from receiving a complaint. It means the organization is already in violation of PIPEDA Principle 10 before the complaint arrives.
How to close this gap
If your organization does not have a complaint handling process in place, these are the steps to build one:
- Designate a privacy contact — name one person responsible for receiving privacy complaints. Document their title and contact method in your privacy policy.
- Write a one-page complaint procedure — document how a complaint is received, how it is investigated, the timeline for communicating a response, and how the outcome is recorded.
- Update your privacy policy — PIPEDA Principle 8 requires your privacy policy to explain how individuals can raise a complaint. Add the privacy contact's title and a brief description of the process.
- Create a complaint log — a simple spreadsheet recording date received, nature of allegation, investigation steps, outcome, and any corrective action. This is your evidence file if the OPC investigates.
- Brief front-line staff — the person who answers your phone or general email needs to know how to route a privacy complaint to the designated contact without delay.
Annual review
Privacy complaint obligations do not stay static. OPC guidance evolves, legislation changes, and your organization's data practices change. Review your complaint handling procedure annually — confirm the designated privacy contact is still in the role, verify the complaint process in your privacy policy is current, and check whether any OPC enforcement decisions from the past year affect your practices. Organizations that treat complaint handling as a one-time setup rather than an ongoing practice are consistently more exposed when an investigation occurs.
This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for private-sector organizations. It does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64) — organizations registered in Quebec should consult Quebec-specific guidance.
If your organization handles personal health information under provincial health legislation such as Alberta's Health Information Act, additional obligations may apply that are not covered here.
ClearBreach helps Canadian organizations determine their PIPEDA and provincial PIPA obligations following a privacy breach.
Need a starting point for your complaint procedure? View the free sample complaint handling procedure.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.