PIPEDA Privacy Policy: Template & Rules

Any private-sector Canadian organization that collects personal information online has one obligation: publish a privacy policy compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA). But what exactly is a “compliant policy”? Which statements are mandatory, and which ones distinguish a generic template from a document that the Office of the Privacy Commissioner of Canada (OPC) will consider sufficient in case of a complaint? This guide details the precise requirements, proposes a compliant template structure, and identifies the sections that most free templates omit.

Why PIPEDA requires a privacy policy

The eighth principle of PIPEDA Schedule 1 — openness — requires that “an organization’s policies and practices relating to the management of personal information” be “readily available”. The privacy policy posted on your website is the primary instrument of this obligation. It is not a marketing document or a defensive disclaimer: it is your organization’s public, enforceable commitment to the people whose data it handles.

A cumulative obligation. PIPEDA requires a policy under the openness principle, but also under the identifying purposes principle (second principle): collection purposes must be communicated at or before the time of collection. Without an accessible policy, data collection through your site is technically non-compliant from the very first visit.

An enforceable obligation. Once published, your policy binds you. If you state that you do not share data with third parties, and an investigation reveals a transfer to an analytics provider that is not mentioned, you violate both your own commitment and the sixth principle (limiting use, disclosure, and retention). This is precisely why a generic policy copied from another site is dangerous: it does not reflect your actual practices.

For the broader PIPEDA framework and its application, see our complete guide for Canadian businesses.

The 10 mandatory items in your PIPEDA policy

The OPC has issued detailed guidance on the content expected in a compliant privacy policy. Here are the essentials, organized along the logic of the ten Schedule 1 principles.

1. Organization identity and privacy officer contact information. Your policy must name the legal entity that controls the data and clearly designate the individual accountable for PIPEDA compliance. Contact details must allow direct contact (email and postal address). A simple “contact@…” mailbox without a named officer is not enough.

2. Types of information collected. List specifically the data categories: name, email address, IP address, geolocation data, device identifiers, browsing history, transaction data, content submitted by the user. The level of detail must allow an ordinary person to know what concerns them.

3. Purposes of collection. For each category, indicate why you collect the data: order fulfillment, account management, site security, audience measurement, marketing, legal obligations. The second principle prohibits “just-in-case” collection: every collection must have a documented purpose.

4. Consent basis. Specify which type of consent you obtain (express or implied) for each category of purpose, and how the user can withdraw it. For sensitive information (health, finances, biometrics), express consent is required.

5. Recipients and third parties. Identify the categories of third parties with which you share information: payment providers, hosting providers, analytics services, marketing processors, business partners. Specify the purpose of each transfer. If you use Google Analytics, Meta, Stripe, or a US email provider, they must appear.

6. Cross-border transfers. If data leaves Canada, your policy must explicitly state so and identify the destination countries. The OPC has clarified that users must be informed that their data may be subject to foreign laws, including laws allowing access by foreign government authorities.

7. Security safeguards. Describe in non-technical terms the measures protecting the information: encryption in transit (HTTPS), encryption at rest, access controls, monitoring, backups. The seventh principle requires safeguards proportionate to the sensitivity of the data.

8. Retention periods. Indicate how long you keep each data category and according to which criteria (length of customer relationship + legal tax and accounting obligations). A vague formula like “as long as necessary” is not enough.

9. Individual rights. State the rights an individual can exercise under PIPEDA: access to their information, correction of inaccuracies, withdrawal of consent, complaint to the privacy officer and then to the OPC. Describe the practical procedure to exercise each right (form, dedicated email, response time).

10. Breach and complaint procedure. Indicate how the organization handles breaches of security safeguards and how the user can file a complaint. This section is treated in more detail below, since most templates omit it.

Differences from a GDPR policy

If you also operate in Europe, you may already have a GDPR policy. Can you simply republish it for Canada? The short answer is no. To understand the gaps, see our comparison PIPEDA vs GDPR.

Vocabulary and references. PIPEDA uses “personal information”, not “personal data”; “breach of security safeguards”, not “personal data breach”; “Office of the Privacy Commissioner of Canada”, not “supervisory authority” or “ICO”. A policy that talks about a “supervisory authority” without naming the OPC is unsuitable for a Canadian audience.

Lawful bases. The GDPR enumerates six lawful bases (Article 6): consent, contract, legal obligation, vital interests, public interest, legitimate interests. PIPEDA operates almost exclusively on consent (with limited exceptions in section 7). A policy that invokes “legitimate interests” under PIPEDA has no legal foundation.

Data subject rights. The GDPR enumerates eight explicit rights (access, rectification, erasure, restriction, portability, objection, automated decision-making, complaint). PIPEDA recognizes three clear rights: access, correction, complaint. The “right to be forgotten” does not formally exist under PIPEDA — although case law is evolving. A policy that promises non-existent rights could create an unenforceable expectation.

Breach notification. The GDPR sets a 72-hour deadline to notify the authority. PIPEDA requires notification to the OPC “as soon as feasible” when the breach presents a real risk of significant harm, with no specific deadline. The mechanics differ enough to warrant dedicated drafting.

The breach section: what templates forget

Since November 2018, sections 10.1 to 10.3 of PIPEDA have imposed an obligation to report breaches of security safeguards. This obligation has a direct consequence for your privacy policy: it must publicly describe the breach procedure, because users have the right to know how they will be notified if their information is compromised.

Items to include in this section:

  • The organization’s commitment to assess every breach against the “real risk of significant harm” (RROSH) test
  • The notification channel used (direct email, letter, in-account notification)
  • The target notification timeframe after detection
  • The commitment to notify the OPC where RROSH is found
  • The maintenance of an internal register of all breaches, even those not meeting the RROSH threshold
  • The user’s ability to request a review of their own historical notifications

Why this section is so rare. The free generic templates available online were mostly drafted before 2018 or copied from European templates. They rarely mention RROSH, never mention the internal register, and seldom give a clear notification channel. This is a massive compliance gap that the OPC can detect easily during an investigation.

Failure to comply with the notification obligation is punishable by specific fines of up to CA$100,000 — the only directly quantified monetary sanction in current PIPEDA.

Four approaches to drafting your policy

Privacy lawyer

Cost: CA$2,500 to CA$8,000. Timeline: 2 to 4 weeks.

A specialized Canadian lawyer audits your real data flows, drafts a tailored policy, and updates it as regulations evolve. This is the most rigorous option, recommended for businesses processing sensitive information (health, finances, minors’ data) or operating across multiple Canadian jurisdictions (PIPEDA + Law 25 + Alberta PIPA + B.C. PIPA).

Free online template

Cost: $0. Risk: high.

Free templates are generic, often drafted under another legal regime (GDPR, CCPA), and never adapted to your specific activity. They typically omit the breach section, do not properly mention the OPC, and create a false sense of compliance. In case of a complaint, they fall short.

Generic AI tool (ChatGPT and equivalents)

Apparent cost: $0. Real cost: the gaps it leaves.

A generalist AI assistant produces text that looks like a compliant policy, but it cannot audit your real practices, does not know the latest version of OPC guidance, and frequently confuses PIPEDA with other regimes. The output passes the visual test, not the legal test.

Specialized PIPEDA policy generator

Cost: CA$14.90 to CA$49.90. Timeline: under 10 minutes.

A specialized generator asks targeted questions about your activity, your data categories, your processors, and your jurisdiction, then produces a policy that addresses the specific requirements of PIPEDA — including the breach section, Canadian rights, and OPC references. The WebLegal compliance scanner covers PIPEDA requirements and identifies gaps in your current policy. This approach offers the best rigor-to-cost balance for the majority of Canadian businesses online.

Conclusion

A PIPEDA-compliant privacy policy is not a copy-paste of a European template or the output of a generic generator. It is a document that reflects your actual practices, integrates the ten Schedule 1 principles, correctly names the Canadian authorities, and includes a robust breach section. With Bill C-27 set to raise penalties to CA$10 million or 3% of worldwide revenue, the gap between a “passable” policy and a truly compliant one will quickly become a major financial risk. Act before that transition becomes binding.