Which Privacy Law Applies to My Ontario Business?

Which privacy law applies to my Ontario business?

PIPEDA. Ontario has no provincial private-sector privacy legislation deemed substantially similar to PIPEDA, so the federal act governs all private-sector commercial activity in Ontario — including activity confined entirely within the province. There is no dual-statute situation and no intraprovincial/cross-border distinction to manage.

The same applies to organizations in Manitoba, Saskatchewan, New Brunswick, Nova Scotia, PEI, Newfoundland, and the territories.

---

Why Ontario has only PIPEDA

When PIPEDA came into force in 2004, Parliament gave provinces the opportunity to enact substantially similar legislation that would displace PIPEDA for intraprovincial activity under PIPEDA s.26(2)(b). Alberta and BC took that path. Ontario has not enacted qualifying legislation despite periodic legislative discussions over the years.

The result: PIPEDA applies to all commercial activity by Ontario organizations. A purely local Ontario accounting firm, an Ontario technology company serving only Ontario clients, and an Ontario retailer with no cross-border operations all answer to PIPEDA and to the OPC alone.

---

What this means for Ontario organizations

One regulator. The OPC handles all PIPEDA complaints. Ontario organizations do not file breach reports with a provincial OIPC — there is no provincial regulator for private-sector commercial privacy in Ontario. A PIPEDA breach with RROSH is reported to the OPC.

One compliance framework. The ten PIPEDA principles apply to all commercial activity. There is no provincial law to consult separately for intraprovincial transactions.

No cross-border complexity. Ontario organizations selling to Alberta or BC clients do not become subject to those provinces' PIPA — PIPEDA governs the interprovincial transaction on the Ontario side.

---

Ontario-to-Alberta and Ontario-to-BC transactions

This is the question Ontario organizations ask most often: if I sell to Alberta or BC clients, does their provincial law apply to me?

No. Alberta PIPA governs Alberta-registered organizations for their intraprovincial Alberta activity. BC PIPA governs BC-registered organizations for their intraprovincial BC activity. An Ontario organization's commercial activity — regardless of where its clients are located — is governed by PIPEDA.

Your Alberta client's internal handling of personal information you share with them may be subject to Alberta PIPA on their end. That is their obligation. Your handling of their information is a PIPEDA matter.

---

The compliance picture for Ontario organizations

Because PIPEDA is the only statute in play, Ontario organizations sometimes treat their compliance obligations as less urgent than organizations in dual-statute provinces. They are not less demanding. PIPEDA breach notification is mandatory — a breach with RROSH must be reported to the OPC. Access requests must be responded to within 30 days under PIPEDA s.8(3). Ontario generates the largest share of PIPEDA complaints by province.

The OPC's 2025–2026 business survey found 28% of businesses have no designated privacy officer, 23% have no complaint handling procedure, and 45% lack encryption. Ontario organizations are well-represented in those numbers.

---

Assess your compliance posture

ClearBreach assesses breach obligations under PIPEDA — identifying whether RROSH is present and producing the OPC breach report and required documentation when reporting obligations are triggered.

Get early access →

---

Related guides

• Which Canadian Privacy Law Applies to Your Business? — the full jurisdiction framework across all provinces
• PIPEDA Compliance Requirements for Ontario Organizations — all ten PIPEDA obligations for Ontario organizations
• PIPEDA Breach Reporting Requirements — what RROSH means and when OPC reporting is required
• Do I Need a Written Privacy Policy? — PIPEDA Principle 8 requirements
• What to Do When You Receive a PIPEDA Privacy Complaint — Principle 10 complaint handling

---

This guide covers PIPEDA obligations for Ontario private-sector organizations. The same framework applies to organizations in Manitoba, Saskatchewan, New Brunswick, Nova Scotia, PEI, Newfoundland, and the territories.

If your organization handles personal health information as a health information custodian under Ontario's Personal Health Information Protection Act (PHIPA), additional obligations apply that are not covered here — consult the Information and Privacy Commissioner of Ontario.

This guide does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64). Quebec-registered organizations should consult the Commission d'accès à l'information.