ClearBreach


Which Privacy Law Applies to My BC Business?

By Yong Du

BC organizations face a dual-statute situation: BC PIPA for intraprovincial activity, PIPEDA for cross-border activity. Non-profits are subject to BC PIPA.

Which privacy law applies to my BC business?

Both BC PIPA and PIPEDA — and they apply to the same organization simultaneously, governing different transactions. BC PIPA governs purely intraprovincial commercial activity and non-profit activity in BC. PIPEDA governs cross-border and interprovincial activity.

BC PIPA has two features that distinguish it from Alberta PIPA: it applies to non-profit organizations, and breach reporting to the OIPC BC is voluntary rather than mandatory.


How BC ended up with two statutes

British Columbia's Personal Information Protection Act came into force in 2004. That year, the Governor in Council granted BC PIPA substantially similar status under PIPEDA s.26(2)(b), meaning PIPEDA steps back for commercial activity that begins and ends within BC.

The step-back has the same limits as in Alberta: PIPEDA applies to cross-border commercial activity regardless of province. Registering in BC limits PIPEDA's reach to cross-border transactions — it does not eliminate PIPEDA.


The intraprovincial vs cross-border test

The question that determines which statute applies: does the transaction cross a provincial border?

Governed by BC PIPA alone:

  • A Vancouver law firm with BC-based clients only
  • A Victoria retail operation with walk-in customers only
  • A BC non-profit collecting member information from BC members only

Governed by both BC PIPA and PIPEDA:

  • A BC SaaS company with subscribers across Canada
  • A Vancouver consulting firm with federal government contracts
  • A BC non-profit with donors or members in other provinces
  • A BC manufacturer supplying distributors in multiple provinces

What "both apply" means in practice

Breach notification: Under BC PIPA, reporting to the OIPC BC is voluntary, but individual notification is still required when a breach creates a real risk of significant harm (RROSH). Under PIPEDA, reporting to the OPC is mandatory when RROSH is present. A BC organization with cross-border activity that suffers a breach involving cross-border records has a mandatory OPC reporting obligation for those records, even though the BC PIPA reporting component is voluntary.

Access request timelines: BC PIPA gives your organization 30 business days to respond — weekends and statutory holidays do not count. PIPEDA allows 30 calendar days. The practical effect: the BC PIPA timeline is longer.

Non-profit organizations: BC PIPA applies to non-profits. PIPEDA does not apply to non-commercial activity. A BC non-profit with purely intraprovincial activity is subject to BC PIPA alone. One with cross-border activity is subject to both.

Accountability: Both statutes require a designated privacy contact. A single officer satisfies both — separate officers are not required.

Complaint escalation: BC PIPA complaints go to the OIPC BC. PIPEDA complaints go to the OPC. An individual can file with either regulator depending on which statute governs their complaint.


The common mistake

BC organizations with cross-border activity frequently assume that because OIPC BC breach reporting is voluntary, they have no mandatory regulatory reporting obligations after a breach. This is incorrect. If cross-border personal information is involved in a breach with RROSH, PIPEDA's mandatory OPC reporting obligation applies to that component — regardless of what BC PIPA requires for the intraprovincial component.

The OPC's 2025–2026 business survey found 28% of businesses have no designated privacy officer, 23% have no complaint procedure, and 45% lack encryption. For BC organizations with cross-border activity, these gaps create exposure under both statutes simultaneously.


Assess your compliance posture

ClearBreach assesses breach obligations under both PIPEDA and BC PIPA simultaneously — running both tests and producing the correct regulatory reports for each.




This guide covers BC PIPA and PIPEDA obligations for BC private-sector and non-profit organizations. It does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64).

If your organization handles personal health information under BC health legislation, additional obligations may apply that are not covered here.

Frequently asked questions

Does PIPEDA apply to BC businesses?

Yes, for cross-border and interprovincial commercial activity. BC PIPA is deemed substantially similar to PIPEDA, so BC PIPA governs purely intraprovincial activity — but PIPEDA re-engages when commercial activity crosses the BC border. Most BC organizations operating across multiple provinces are subject to both.

Does BC PIPA apply to non-profit organizations?

Yes. BC PIPA applies to both private-sector and non-profit organizations — a significant distinction from PIPEDA and Alberta PIPA, which apply only to commercial activity. A BC non-profit collecting personal information from members, donors, or service recipients in BC is subject to BC PIPA for that intraprovincial activity.

Is breach reporting to the OIPC BC mandatory?

No. Reporting a breach to the OIPC BC is voluntary under current BC PIPA — unlike PIPEDA and Alberta PIPA where reporting to the regulator is mandatory when RROSH is present. Individual notification obligations still apply when a breach poses a real risk of significant harm. A BC organization with cross-border activity has mandatory OPC reporting obligations under PIPEDA for cross-border records involved in a breach.

If I have Alberta clients, does Alberta PIPA apply to me?

No. A BC corporation serving Alberta clients is engaged in interprovincial commercial activity governed by PIPEDA — not Alberta PIPA. Alberta PIPA governs Alberta-registered organizations for their intraprovincial Alberta activity. Your BC-to-Alberta transactions are a PIPEDA matter.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.