Privacy Law for Real Estate Agents in Canada
By Yong Du
PIPEDA and provincial PIPA obligations for Canadian real estate agents and brokerages — what client data you hold, FINTRAC identity verification, breach reporting, and compliance requirements under Alberta and BC regulation.
What makes real estate agents distinct
Real estate transactions concentrate three categories of highly sensitive personal information in a single file: government-issued identity documents (required for FINTRAC compliance), financial information (purchase price, financing, banking details), and in many cases a SIN (required for title transfer, capital gains reporting, or mortgage registration). The transaction also involves a property address that links the client's identity to their physical location.
Real estate agents are also FINTRAC reporting entities — the FINTRAC obligation to collect and retain identity verification creates a personal information dataset that is separately subject to PIPEDA breach notification obligations.
Which laws apply
| Law | Applies when | Regulator |
|---|---|---|
| PIPEDA | The agent or brokerage handles personal information in commercial activity; or clients are in provinces without substantially similar legislation | OPC — priv.gc.ca |
| Alberta PIPA | Clients or employees are Alberta residents | OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca |
| BC PIPA | Clients or employees are BC residents | OIPC BC — oipc.bc.ca |
Provincial regulatory overlay: In Alberta, real estate agents are licensed by RECA. In BC, agents are licensed by BCFSA under the Real Estate Services Act. Both regulators have professional conduct and record-keeping obligations. A privacy breach may also require disclosure to your regulator — contact RECA or BCFSA to determine your professional reporting obligations following a breach.
What personal information real estate agents hold
Buyer and seller client files: Full legal name, date of birth, address, phone number, email, SIN (for title transfer or tax reporting in some transactions), government-issued photo ID (driver's licence or passport), banking information.
Transaction documents: Purchase and sale agreements, counter-offers, subject removal documents, deposit receipt confirmations, mortgage commitment letters, legal descriptions and title details.
FINTRAC identity verification records: Government-issued photo ID copies, verification method and source, client name, address, date of birth — retained for 5 years.
CRM and showing records: Client contact information, property preferences, showing history, offer history, correspondence.
Employee and agent information: SINs, banking details, licensing records, commission records.
Common breach scenarios
Business email compromise — wire and deposit fraud: Real estate transactions involve large transfers of funds — deposits, down payments, closing proceeds. BEC attackers compromise agent or brokerage email accounts and redirect wire transfer instructions or deposit information to fraudulent accounts. The BEC is both a financial fraud and a breach of client personal information. See Phishing and Business Email Compromise.
Ransomware: Brokerage file servers and transaction management systems holding client files, FINTRAC records, and transaction documents are ransomware targets. Every client whose file is in the affected system is a potentially affected individual. See Ransomware Attack: What Canadian SMEs Must Do.
CRM or transaction platform breach: If a cloud CRM or transaction management platform used by a brokerage is compromised, it is a vendor breach scenario. Your accountability for client data held there does not transfer to the platform. See Vendor or Third-Party Breach.
Improper disposal: Transaction files, ID copies, and offer documents not securely destroyed when files close. See Physical Records Breach.
RROSH in a real estate breach
Real estate transaction files combine identity documents, SINs, and financial information — the triad most associated with identity theft. A real risk of significant harm (RROSH) is present in virtually every real estate breach involving transaction files.
FINTRAC records: A breach of FINTRAC identity verification records (government-issued ID copies) is high-risk because those records contain the combination of photo ID, name, address, and date of birth needed for identity fraud. Affected clients should be advised to contact the issuing authority for their ID document and to place a fraud alert with both national credit bureaus.
Multiple parties per transaction: A single transaction involves at least a buyer and a seller, each with their own personal information in the file. A breach of transaction records may affect both parties — each requires individual notification if RROSH is present.
Core compliance obligations
Privacy officer: Designate a named individual at the brokerage responsible for PIPEDA compliance. Their contact information must appear in the brokerage's privacy policy.
Privacy policy: Describe what client information is collected, why, which third parties it is shared with (lawyers, lenders, FINTRAC), how it is protected, and how clients can access their information or make a complaint. The policy must be available to clients at the time of engagement.
Client consent at engagement: Clients must consent to the collection, use, and disclosure of their personal information before collection begins. Listing agreements and buyer representation agreements should include or reference a privacy disclosure that covers what you collect and who you share it with.
Retention: FINTRAC requires identity verification records for 5 years. Transaction files should be retained for the applicable limitation period for professional liability claims. After the retention period, files must be securely destroyed. See Personal Information Retention and Destruction.
Platform vendor contracts: CRM systems, transaction management platforms, and e-signature services that process client data must have written contracts with privacy and security obligations.
Safeguards: Encrypted transmission and storage of transaction files and ID documents, MFA on all platforms holding client data, access limited to agents working on each transaction, and secure destruction of paper files and ID copies when the retention period ends.
Client notification specifics: When notifying affected clients of a breach involving government ID or SINs, advise them to contact the issuing authority for each ID document and place a fraud alert with Equifax (1-800-465-7166) and TransUnion Canada (1-877-525-3823). Report to the Canadian Anti-Fraud Centre (1-888-495-8501) if identity fraud is subsequently detected.
Related guides
- PIPEDA Breach Reporting Requirements
- Alberta PIPA Breach Notification
- BC PIPA Breach Reporting
- Phishing and Business Email Compromise
- Vendor or Third-Party Breach: What Canadian Organizations Must Do
- How to Write a Privacy Policy for a Canadian Business
This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for real estate agents and brokerages. RECA and BCFSA professional conduct obligations and FINTRAC anti-money-laundering obligations are separate and not fully covered here. Quebec's Law 25 is not covered here.
Frequently asked questions
Does PIPEDA apply to real estate agents and brokerages?
Yes. Real estate agents and brokerages collect and use personal information in the course of commercial activity. PIPEDA applies. Alberta PIPA applies for Alberta-resident clients, and BC PIPA applies for BC-resident clients. Real estate agents in Alberta are regulated by RECA; in BC by BCFSA. Both regulators have record-keeping requirements that run alongside PIPEDA.
We are required to collect government ID under FINTRAC — does that create privacy obligations?
Yes. FINTRAC requires real estate agents to verify client identity (government-issued photo ID, name, address, date of birth) and retain those records for 5 years. Those identity records are personal information subject to PIPEDA in addition to FINTRAC. A breach of FINTRAC identity records triggers PIPEDA breach notification obligations. FINTRAC compliance and PIPEDA compliance are separate obligations that both apply to the same records.
A client's transaction file — including their government ID and SIN — was compromised. What are our obligations?
Conduct a RROSH assessment immediately. A real estate transaction file typically contains: government-issued photo ID, SIN (for title transfer or tax reporting), purchase price, financing details, banking information, offer documents, and personal correspondence. This combination almost certainly meets the RROSH threshold. You must notify the OPC, the applicable provincial regulator if Alberta or BC residents are affected, and the client directly.
Does our brokerage's MLS listing system or CRM create privacy obligations?
Yes. CRM systems used by real estate brokerages typically hold client contact information, transaction histories, showing records, and client preferences. That is personal information subject to PIPEDA. If the CRM is a cloud-based system, the vendor's access to that data requires a written contract with privacy and security obligations. A breach of your CRM is a breach of personal information that triggers a RROSH assessment.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.