Which Privacy Law Applies to My Alberta Business?
By Yong Du
Alberta organizations face a dual-statute situation — Alberta PIPA for intraprovincial, PIPEDA for cross-border. Both apply to the same organization.
Which privacy law applies to my Alberta business?
Both Alberta PIPA and PIPEDA — and they apply to the same organization at the same time, governing different transactions. Alberta PIPA governs purely intraprovincial commercial activity. PIPEDA governs cross-border and interprovincial activity. Registering a corporation in Alberta does not exempt it from PIPEDA — it limits PIPEDA's reach to cross-border transactions only.
How Alberta ended up with two statutes
Alberta's Personal Information Protection Act came into force in 2004. That year, the Governor in Council granted Alberta PIPA substantially similar status under PIPEDA s.26(2)(b) — meaning PIPEDA steps back for commercial activity that begins and ends within Alberta. The rationale: a provincial law offering equivalent protection to PIPEDA is sufficient for purely local transactions.
The step-back is limited. PIPEDA applies to any organization that collects, uses, or discloses personal information in the course of cross-border commercial activity — and that provision applies regardless of whether the organization's home province has a substantially similar law.
The practical effect: registering in Alberta does not exempt your organization from PIPEDA. It reduces PIPEDA's reach to your cross-border activity only.
The intraprovincial vs cross-border test
The question that determines which statute applies to a given transaction: does it cross a provincial border?
Governed by Alberta PIPA alone:
- An accounting firm in Edmonton whose clients are all Alberta-based
- A Calgary retail operation with walk-in customers only
- A property management company managing Alberta properties for Alberta landlords
Governed by both Alberta PIPA and PIPEDA:
- An Alberta SaaS company with subscribers in Ontario, Manitoba, or any other province
- An Alberta professional services firm with federal government contracts
- A Calgary manufacturer supplying distributors across provinces
- An Alberta staffing agency with clients in Saskatchewan
The location of your organization's incorporation does not determine which law applies to a specific transaction — the nature of the transaction does.
What "both apply" means in practice
The two statutes overlap significantly. Both require accountability, consent, safeguards, access rights, and a complaint handling procedure. The differences that matter:
Breach notification: An Alberta PIPA breach with RROSH must be reported to the OIPC Alberta. A PIPEDA breach with RROSH must be reported to the OPC. An Alberta organization with cross-border activity that suffers a breach may have reporting obligations to both regulators if the breach involves both intraprovincial and cross-border records.
Access request timelines: Alberta PIPA allows 45 days to respond to an access request. PIPEDA allows 30 days. If an access request spans records from both intraprovincial and cross-border activity, the stricter 30-day PIPEDA deadline governs the cross-border records.
Accountability: Both statutes require a designated privacy contact. One officer satisfies both — you do not need separate officers for each statute.
Complaint escalation: Alberta PIPA complaints go to the OIPC Alberta. PIPEDA complaints go to the OPC. An individual can file with either regulator depending on which statute governs their specific complaint.
The common mistake
Alberta organizations frequently assume that registering an Alberta corporation and operating primarily in Alberta means only Alberta PIPA applies. If your organization accepts subscriptions nationally, has clients in other provinces, holds federal government contracts, or has employees in other provinces — PIPEDA is engaged. The obligations differ in ways that matter when a breach or complaint occurs.
The OPC's 2025–2026 business survey found 28% of businesses have no designated privacy officer, 23% have no complaint handling procedure, and 45% lack encryption. These gaps create concurrent exposure under both Alberta PIPA and PIPEDA for Alberta organizations with cross-border activity.
Assess your compliance posture
ClearBreach assesses breach obligations under both PIPEDA and Alberta PIPA simultaneously — running both tests and producing the correct regulatory reports for each.
Related guides
- Which Canadian Privacy Law Applies to Your Business? — the full jurisdiction framework across all provinces
- Alberta PIPA Compliance Requirements — all Alberta PIPA obligations
- PIPEDA Compliance Requirements — all PIPEDA obligations
- Alberta PIPA Breach Notification Requirements — OIPC Alberta reporting when RROSH is present
- Do I Need a Written Privacy Policy? — what AB PIPA s.5 and PIPEDA Principle 8 require
This guide covers Alberta PIPA and PIPEDA obligations for Alberta private-sector organizations. It does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64).
If your organization handles personal health information under Alberta's Health Information Act, additional obligations apply that are not covered here.
Frequently asked questions
Does PIPEDA apply to Alberta businesses?
Yes, for cross-border and interprovincial commercial activity. Alberta PIPA is deemed substantially similar to PIPEDA, so Alberta PIPA governs purely intraprovincial activity — but PIPEDA re-engages when your commercial activity crosses the Alberta border. Most Alberta organizations operating across multiple provinces are subject to both.
Can Alberta PIPA and PIPEDA apply to the same organization at the same time?
Yes. An Alberta corporation selling to clients in Ontario is subject to Alberta PIPA for its Alberta-to-Alberta activity and to PIPEDA for its Alberta-to-Ontario activity. Both statutes apply simultaneously — the determining line is the nature of each specific transaction, not the organization as a whole.
If I have BC clients, does BC PIPA apply to me?
No. An Alberta corporation serving BC clients is engaged in interprovincial commercial activity, which falls under PIPEDA — not BC PIPA. BC PIPA governs BC-registered organizations for their intraprovincial BC activity. Your Alberta-to-BC transactions are a PIPEDA matter.
What does Alberta PIPA reform mean for this jurisdiction question?
Alberta PIPA is under active legislative review as of 2026, with a reformed bill expected later in 2026 and Royal Assent anticipated in 2027. The dual-statute structure — AB PIPA for intraprovincial, PIPEDA for cross-border — is not expected to change. Reform is expected to strengthen accountability requirements and introduce provisions for automated decision-making.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.