Canadian charities sit at the intersection of three privacy regimes, and most of them have never read any of the three end-to-end. That’s not a moral failing — the texts are long and the practical guidance from the federal regulator runs hundreds of pages. But the consequence is that smaller charities collect, store, and share personal information in ways that wouldn’t survive a complaint to the Office of the Privacy Commissioner.
This piece is a fast pass at the three regimes, what they actually require, who they apply to, and the places they meaningfully disagree.
PIPEDA — the federal default
PIPEDA (Personal Information Protection and Electronic Documents Act) is the federal private-sector privacy law. It applies to personal information handled in the course of “commercial activity” in Canada, and a charity is not exempt just because it is a charity. The OPC’s position is that fundraising and membership administration on their own are generally not commercial activity, but selling event tickets, running a thrift store, charging for program registration, or selling or renting a donor list are. Most charities of any size cross that threshold for at least some of what they do.
The PIPEDA model in five lines:
- Consent. You need it before collecting, using, or disclosing personal information, and it must be informed and meaningful: the individual has to understand what is collected, why, and who it goes to. The statute sets no age, but OPC guidance is that for children under 13 consent comes from a parent or guardian in all but exceptional cases.
- Limited collection. Only what’s necessary for the stated purpose. The donor-data-broker pattern (collect everything you can about a donor in case it’s useful later) doesn’t survive a complaint.
- Limited use. The purpose you stated at collection is the only purpose you can use it for unless you get fresh consent.
- Safeguards. Reasonable security appropriate to the sensitivity of the data. PIPEDA doesn’t prescribe specific controls, but the OPC’s published findings line up closely with NIST CSF 2.0 — encryption in transit and at rest, access control, audit logs, an incident response plan.
- Breach reporting. Mandatory since 1 November 2018. You must report to the OPC, and notify affected individuals of, any breach of security safeguards that creates a “real risk of significant harm”, judged on the sensitivity of the data and the probability it will be misused. You must also keep a record of every breach, reportable or not, for 24 months. The threshold is lower than most people assume: an unencrypted laptop holding donor names and giving history almost always meets it.
Practical translation for a small charity: you need a consent statement on every form, a one-page privacy policy that names the purposes, role-based access on your CRM, and a written incident-response plan that includes who notifies whom on day zero.
Quebec Law 25 — the strict cousin
Law 25 (originally Bill 64) overhauled Quebec’s private-sector privacy regime in three phases, in September 2022, 2023 and 2024. It applies to any enterprise that collects personal information in Quebec, wherever it is headquartered, so a charity that solicits Quebec donors or serves Quebec beneficiaries should assume it is in scope.
Where Law 25 goes further than PIPEDA:
- A person in charge of the protection of personal information is mandatory. By default it is the person with the highest authority in the organization (for a charity, usually the executive director); the role can be delegated in writing, but someone must hold it, and their title and contact information must be published on your website.
- Privacy Impact Assessments. Required before any information-system or electronic-service-delivery project involving personal information, and before communicating personal information outside Quebec.
- Cross-border transfer assessments. Before sending Quebec personal information outside the province (another Canadian province counts), you must document an assessment that the information will receive adequate protection in light of generally accepted privacy principles, and the transfer must be covered by a written agreement. The regulator here is the Commission d’accès à l’information (CAI), not the OPC, and its view of what counts as inadequate protection is broader than most charities expect.
- Automated decision transparency. If a decision about an individual (donor scoring, beneficiary eligibility) is made exclusively by automated processing, you must tell them so at or before the time of the decision, and on request explain the personal information and principal factors behind it, let them correct that information, and give them a path to have a person review the decision.
- Right to data portability. Since September 2024, individuals can demand the computerized personal information you collected from them, in a structured, commonly used technological format.
- Higher fines. Administrative monetary penalties from the CAI run up to $10M or 2% of worldwide turnover; penal fines run up to $25M or 4%, whichever is greater.
Practical translation: if you have any Quebec presence, the floor is higher than PIPEDA, and the documentation bar is meaningfully more demanding.
PHIPA, PIPA, and the provincial patchwork
PHIPA (Personal Health Information Protection Act, Ontario) applies to “health information custodians”, which includes some charities operating health services. PIPA (one each in British Columbia and Alberta) is roughly PIPEDA-equivalent and substitutes for the federal law for intra-provincial activity in those provinces. New Brunswick, Newfoundland and Labrador, and several other provinces have their own health-information statutes.
For a charity that operates clinics, runs mental-health services, or handles disability-services personal information, PHIPA or its provincial equivalent applies in addition to PIPEDA. Key differences:
- Stricter consent model. Implied consent is allowed inside the “circle of care”; everything outside it needs express consent, apart from the narrow disclosures the Act itself permits without consent.
- Audit logs required. A custodian using electronic records is expected to log every access to a record, including routine access by authorized staff, and to be able to produce that log on request from the regulator (the IPC) or the individual.
- Lockbox provision. Individuals can ask that specific records be hidden from specific staff. The technical infrastructure to honour this is non-trivial — most off-the-shelf charity CRMs do not support it natively.
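What those two requirements look like in code, as an added illustration that is not from the article and not any CRM vendor’s implementation: a minimal record-access layer that logs every read attempt, allowed or denied, and honours a per-individual lockbox. The clinic, roles, user names and records are constructed for the example.

```python
"""Added example, not the article's code nor any vendor's: a minimal PHIPA-style
access layer that logs every read attempt (allowed or denied) and honours a
per-individual lockbox. Roles, users and records are constructed."""
from datetime import datetime, timezone


class AccessLog:
    """Append-only log of every access attempt. In production this belongs in a
    write-once store (a separate table with no UPDATE/DELETE grants, or a
    forwarded syslog), not in the same database the application can edit."""

    def __init__(self):
        self._entries = []

    def record(self, user, role, record_id, action, allowed, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "record": record_id,
            "action": action, "allowed": allowed, "reason": reason,
        }
        self._entries.append(entry)
        return entry

    def for_record(self, record_id):
        """The question an individual or the IPC asks: who touched this record?"""
        return [e for e in self._entries if e["record"] == record_id]


class HealthRecordStore:
    # Roles treated as inside the circle of care for this constructed clinic.
    CIRCLE_OF_CARE = frozenset({"clinician", "nurse", "intake"})

    def __init__(self, log):
        self.log = log
        self._records = {}            # record_id -> {field: value}
        self._lockbox = {}            # record_id -> {field: {"users": set, "roles": set}}
        self._express_consent = set() # (record_id, user) pairs granted by the individual

    def add_record(self, record_id, fields):
        self._records[record_id] = dict(fields)

    def grant_express_consent(self, record_id, user):
        """Express consent lets a named person outside the circle of care read the record."""
        self._express_consent.add((record_id, user))

    def set_lockbox(self, record_id, field, users=(), roles=()):
        """The individual's instruction: hide this field from these users and/or roles."""
        box = self._lockbox.setdefault(record_id, {})
        box[field] = {"users": set(users), "roles": set(roles)}

    def read(self, user, role, record_id):
        """Return {"fields": ..., "withheld": bool}, or None if denied. Every path logs."""
        if record_id not in self._records:
            self.log.record(user, role, record_id, "read", False, "no such record")
            return None
        if role in self.CIRCLE_OF_CARE:
            basis = "implied consent (circle of care)"
        elif (record_id, user) in self._express_consent:
            basis = "express consent"
        else:
            self.log.record(user, role, record_id, "read", False,
                            "outside circle of care and no express consent")
            return None
        visible = dict(self._records[record_id])
        withheld = []
        for field, box in self._lockbox.get(record_id, {}).items():
            if user in box["users"] or role in box["roles"]:
                visible.pop(field, None)
                withheld.append(field)
        reason = basis + ("; lockbox withheld " + ",".join(withheld) if withheld else "")
        self.log.record(user, role, record_id, "read", True, reason)
        # The reader is told that something was withheld, never which field or why.
        return {"fields": visible, "withheld": bool(withheld)}


if __name__ == "__main__":
    log = AccessLog()
    store = HealthRecordStore(log)
    store.add_record("P-1001", {"name": "A. Tremblay", "dob": "1980-01-01",
                                "psych_notes": "constructed sample"})
    store.set_lockbox("P-1001", "psych_notes", users={"dr.lee"})
    print(store.read("dr.lee", "clinician", "P-1001"))            # withheld: True
    print(store.read("fundraiser.pat", "fundraising", "P-1001"))  # None, denied and logged
    for e in log.for_record("P-1001"):
        print(e["user"], e["allowed"], e["reason"])
```

Two design points matter more than the code itself. Denied attempts are logged with the same detail as successful ones, because the question a regulator asks after an incident is who tried, not only who succeeded. And the lockbox is enforced at the data-access layer rather than in the UI, so every export, report and integration that reads through `read()` inherits it; a lockbox implemented as a hidden tab in the CRM is not a lockbox.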
Where the three disagree
The three regimes mostly agree on direction and disagree on detail. The most operationally important conflicts:
- Consent thresholds for sensitive data. Under PIPEDA, OPC guidance is that sensitive information (health and financial details in particular) needs express consent, with implied consent reserved for non-sensitive information in contexts the individual would expect. Law 25 writes that rule into the statute: sensitive information always needs express consent. PHIPA is the permissive one, allowing implied consent inside the circle of care.
- Retention. PIPEDA says “as long as necessary for the purpose”, then destroy, erase or anonymize. Quebec makes that an explicit obligation: once the purpose is fulfilled the information must be destroyed or anonymized, subject to other laws (the CRA’s record-keeping rules for charities, for instance). PHIPA requires secure retention, transfer and disposal and leaves the specific periods to its regulations and the health-profession colleges.
- Cross-border transfer. PIPEDA permits it as long as you remain accountable for the data and tell people it may be processed outside Canada. Quebec Law 25 requires the documented assessment and written agreement first. PHIPA permits disclosure outside Ontario only for a short list of purposes and keeps the custodian accountable for the records wherever they are stored.
In practice: if you have to comply with two of the three, build to the strictest. Don’t try to maintain two parallel processes — the operational complexity is where breaches come from.
A practical 30-day path for a small charity
- Day 1–3: Inventory. What personal information do you hold, where, and why. CRM, email tool, accounting system, spreadsheets, paper files. List everything.
- Day 4–7: Map. Which regime applies to which data? Most charities end up with a PIPEDA-default and a “plus Quebec Law 25 for these specific donors.”
- Day 8–14: Write the consent statements and the public-facing privacy policy. One page each. The OPC has model language; start there.
- Day 15–21: Implement minimum technical controls. MFA on every staff account, role-based access on the CRM, encrypted backups, a documented incident-response plan with names and phone numbers.
- Day 22–30: Designate the accountable individual. PIPEDA’s accountability principle already requires one; Quebec Law 25 additionally requires their title and contact information to be published. Then run a tabletop exercise of a fictional breach.
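For the Day 1–7 inventory and mapping steps, here is an added example (not from the article) of the kind of first-pass script that gets a charity from “we think it’s mostly Ontario donors” to a per-record map. It reads a CRM export and tags each record with the regimes and risks it likely triggers. The sample rows, column names, program codes, tag rules and the Quebec postal-code heuristic are all constructed assumptions; the output is triage for a human to confirm, not a legal determination.

```python
"""Added example, not the article's code: a first-pass inventory/mapping script
for a CRM export. Sample rows, column names, tag rules and the Quebec postal-code
heuristic are constructed for illustration; the output is triage, not a legal
determination."""
import csv
import io
import re
from collections import Counter
from datetime import date

# Constructed sample export in the shape a small-charity CRM might produce.
SAMPLE_EXPORT = """\
id,name,email,province,postal_code,birthdate,program,notes,sin
1,A. Tremblay,a@example.org,QC,H2X 1Y4,1985-04-02,donor,,
2,B. Singh,b@example.org,ON,M5V 2T6,2015-09-12,youth-program,,
3,C. Okafor,c@example.org,ON,M4C 1B5,1970-01-20,counselling,anxiety intake 2024-03,
4,D. Ng,d@example.org,BC,V6B 1A1,1992-07-07,donor,,123456789
5,E. Roy,e@example.org,,G1R 5B7,1960-11-30,donor,,
"""

HEALTH_PROGRAMS = {"counselling", "clinic", "mental-health"}  # assumed program codes
QC_POSTAL_PREFIXES = ("G", "H", "J")  # Quebec forward sortation areas start with G, H or J
SIN_RE = re.compile(r"^\d{9}$")


def age_on(birthdate, today):
    """Whole years between two ISO dates (YYYY-MM-DD)."""
    by, bm, bd = (int(x) for x in birthdate.split("-"))
    ty, tm, td = (int(x) for x in today.split("-"))
    return ty - by - ((tm, td) < (bm, bd))


def classify(row, today):
    """Return the set of regime/risk tags a single record triggers."""
    tags = {"PIPEDA"}  # federal default for the charity's commercial activity
    province = (row.get("province") or "").strip().upper()
    postal = (row.get("postal_code") or "").strip().upper()
    if province == "QC" or (not province and postal.startswith(QC_POSTAL_PREFIXES)):
        tags.add("QC-Law25")
    if province in {"BC", "AB"}:
        tags.add("PIPA")  # provincial substitute for PIPEDA
    if (row.get("program") or "") in HEALTH_PROGRAMS:
        tags.add("PHIPA?")  # health-adjacent: confirm whether you are a custodian
    if (row.get("notes") or "").strip():
        tags.add("free-text-notes")  # unbounded collection; audit what staff type here
    if row.get("birthdate") and age_on(row["birthdate"], today) < 13:
        tags.add("minor<13")  # parental consent expected
    if SIN_RE.match((row.get("sin") or "").replace(" ", "")):
        tags.add("over-collection:SIN")  # a donation receipt never needs a SIN
    return tags


def inventory(csv_text, today=None):
    """Map every record id to its tags, plus a count of records per tag."""
    today = today or date.today().isoformat()
    reader = csv.DictReader(io.StringIO(csv_text))
    per_row = {row["id"]: classify(row, today) for row in reader}
    summary = Counter(tag for tags in per_row.values() for tag in tags)
    return per_row, summary


if __name__ == "__main__":
    rows, summary = inventory(SAMPLE_EXPORT, "2025-01-01")
    for rid, tags in rows.items():
        print(rid, sorted(tags))
    print(dict(summary))
```

Run it against a real export once per system (CRM, email tool, accounting, the spreadsheets) and the per-tag counts become the first line of the Day 4–7 map: how many records pull Law 25 in, how many look like health information, and which columns should not exist at all. The postal-code fallback matters in practice because province fields in donor databases are frequently blank; treat any “QC-Law25” hit as in scope until a person says otherwise.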
That gets a small charity from “we have a Word doc somewhere” to defensible. It’s not a finished program — but defensible is the bar that matters in the first complaint cycle, and it puts you ahead of most of the sector.
What this looks like in five years
The trajectory across all three regimes is toward higher transparency, stronger individual-control rights, and higher penalties for non-compliance. The federal Consumer Privacy Protection Act (CPPA), tabled as part of Bill C-11 in 2020 and again as part of Bill C-27 in 2022, neither of which passed, would replace PIPEDA with something closer to Quebec Law 25. Whatever form a successor bill takes when it eventually passes, the direction is set.
For a charity making a five-year technology decision today — a new CRM, a new email platform, a new donation processor — the right question isn’t “does this comply with PIPEDA?” It’s “does this comply with Quebec Law 25?” The latter is the future floor.
Want this kind of analysis on your stack?
30-minute posture call, no commitment, senior engineer on the other end.