On 23 September 2025, the Office of the Privacy Commissioner of Canada (OPC) released PIPEDA Findings #2025-003, a joint investigation with the Commission d'acces a l'information du Quebec (CAI), the BC OIPC and the Alberta OIPC that found TikTok had collected sensitive data from roughly 500,000 underage Canadian users every year without meaningful consent. Four regulators, one company, one report. That single document is the clearest signal yet that the Canadian privacy file is no longer a federal-only conversation. The problem for any CISO, DPO or general counsel running a Canada-serving business is that the rulebook trifurcates the moment a Quebec resident lands on the signup page. PIPEDA still governs the federal layer. Quebec Law 25 (the amendments brought in by Bill 64, fully in force since 22 September 2024) raises the bar on consent, privacy impact assessments, automated decision-making notices and cross-border transfers. Alberta PIPA, BC PIPA and, for health data, Ontario PHIPA carve out further provincial overlays. Run them as four separate programs and the cost compounds. Run them as one program with a province-aware control set and the cost halves. This guide maps the regimes side by side, calls out where Law 25 is genuinely tougher than PIPEDA, and lays out a SaaS-friendly compliance architecture (single data subject request portal, province detection, rule routing) that one team can operate without duplicating effort.
The Canadian privacy trifurcation you actually have to solve
Four statutes touch the same record the moment a Canadian customer signs up. PIPEDA covers commercial collection, use and disclosure across Canada, except in provinces whose laws have been declared substantially similar. Quebec Law 25 covers any enterprise that handles a Quebec resident's personal information, regardless of where the enterprise sits. Alberta PIPA and BC PIPA fully displace PIPEDA inside their provinces for private-sector activity. Ontario PHIPA governs health information custodians. The practical implication for a SaaS or e-commerce platform with national reach is that you cannot pick one statute and call yourself compliant. A single signup flow can simultaneously trigger PIPEDA Schedule 1 Principle 4.3 (meaningful consent), Law 25 granular transparency obligations, PIPA Alberta breach reporting and, if the user is in Ontario and the data is health-adjacent, PHIPA's custodian duties.
The other practical implication is that the regulators now cooperate as a matter of routine. The TikTok finding cited above was issued jointly. The 2025 joint OPC + UK ICO investigation into 23andMe (PIPEDA Findings #2025-001, June 2025) used a similar pattern. If a Canadian arm of your business is the subject of an OPC investigation, expect CAI, OIPC BC and OIPC Alberta to receive copies of the same evidence package. The leadership question is therefore not "which law do we comply with?" but "what is the smallest set of controls that satisfies all four regulators at once, and where do we layer Quebec-specific overrides?". The remainder of this post answers that question control by control, starting with the rights map.
Rights and obligations side by side: PIPEDA versus Law 25 versus PIPA
Begin with a literal mapping table. For every right or obligation, write down the PIPEDA citation, the Law 25 obligation, the PIPA Alberta and PIPA BC equivalent, and the strictest provision. The strictest provision becomes the default control. Province-specific deltas become routing rules in your data subject request portal.
| Control | PIPEDA | Quebec Law 25 | PIPA AB / BC | Default to |
| Lawful basis | Meaningful consent (s.6.1, Principle 4.3) | Express, granular, separate consent per purpose | Consent or reasonable purposes | Quebec granular consent |
| Privacy officer | Required (Principle 4.1) | Required, named publicly, default = CEO unless delegated | Required | Named, published |
| Privacy impact assessment | Recommended | Mandatory for high-risk projects and cross-border transfers | Recommended | Mandatory PIA |
| Breach notification | OPC + individuals if real risk of significant harm (s.10.1) | CAI + individuals if serious injury risk | AB Commissioner + individuals (since 2010); BC OIPC since 2023 | Notify under all three |
| Data portability | Access right only (Principle 4.9) | Right to portability since 22 Sept 2024 | Access only | Build portability once |
| Automated decision-making | No express duty | Notice + right to human review | Not addressed | Law 25 notice |
| Penalty ceiling | $100,000 for s.28 offences; no AMPs | AMPs up to CAD 10M or 2% turnover; penal fines up to CAD 25M or 4% | Up to $100,000 (AB) | Engineer to Quebec ceiling |
The lesson from the table is short. Engineer to Quebec's ceiling, lower the bar selectively for jurisdictions that do not require it, and the entire program collapses to one set of controls plus a few province-aware routing rules. Anyone who tries to engineer to PIPEDA first and bolt Quebec on later ends up rebuilding consent screens and DSR workflows a year in.
Where Quebec Law 25 is genuinely tougher than PIPEDA
Five Law 25 pieces have no clean PIPEDA equivalent. Treat them as the gating items for any program targeting Quebec residents.
Privacy impact assessments. Law 25 requires a PIA for any project involving acquisition, development or redesign of an information system involving personal information, and for any transfer outside Quebec. PIPEDA does not. Build a PIA template, version it, store the artefacts. The CAI can ask to see them.
Cross-border transfer assessments. Before sending personal information outside Quebec, the enterprise must assess the adequacy of protection in the destination jurisdiction. This is a documented exercise, not an attestation. SaaS vendors with US, EU or Indian processing must produce evidence per destination.
Biometric pre-notification. Quebec law requires advance notification to the CAI before deploying any system that identifies a person by biometric characteristics. The Imprimeries Transcontinental decision (September 2024) ordered the company to cease its facial-recognition access control. Osler reports biometric notifications to the CAI rose 59 percent year on year in 2023-2024.
Automated decision-making notices. When a decision based exclusively on automated processing is made about an individual, Law 25 requires the enterprise to inform the individual, explain the principal factors, and offer human review. PIPEDA has no equivalent.
Penalty ceiling. Administrative monetary penalties up to CAD 10 million or 2 percent of worldwide turnover, penal fines up to CAD 25 million or 4 percent, plus a private right of action with statutory damages. The OPC has no comparable AMP power under PIPEDA; its maximum statutory fine is $100,000 for knowing breach reporting offences.
If the program design starts with these five items and treats the rest of the controls as common across statutes, the Quebec premium drops to roughly the cost of the PIA library and the biometric workflow, both one-time builds.
The OPC enforcement trajectory and the CPPA legislative gap
The OPC has spent the last two years compensating for the absence of AMP power by leaning harder on three other tools: joint investigations, conditional findings with binding remediation commitments, and Federal Court enforcement applications. The 23andMe finding (PIPEDA Findings #2025-001, June 2025) is the cleanest illustration of the first two tools. A credential-stuffing attack from April to September 2023 affected roughly 7 million users globally, including 319,000 Canadians. The OPC found contraventions of Principle 4.7 (safeguards) and section 10.1 plus the Breach of Safeguards Regulations (notification). Resolution required mandatory MFA, 12-character minimum passwords, compromised credential checking and dark-web monitoring. The UK ICO imposed a parallel £2.31 million fine. The OPC imposed nothing in dollars because it cannot. The remediation, however, is binding through the conditional findings mechanism.
The Aylo (Pornhub) Federal Court application is the third tool. The OPC commenced enforcement after Aylo refused to fully implement its recommendations on meaningful consent for intimate images. The Federal Court can issue binding orders requiring deletion and stronger controls. This case is the bellwether: its outcome will tell every PIPEDA-bound organisation how aggressively the OPC will pursue resistance.
On the legislative side, Bill C-27 (which included the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and AIDA) died at prorogation on 6 January 2025. Gowling WLG and Osler both note the federal government has signalled an intention to reintroduce privacy reform separately from AI legislation, with federal AI law unlikely before 2027. The practical planning assumption for 2026 is that PIPEDA stays in force unchanged, AMP power does not arrive at the OPC, and the regulator continues to use joint investigations plus the Federal Court to extract behavioural change. For a CISO that means two things. First, regulator-mapped audit evidence is worth investing in because joint investigations will look at the same evidence package across federal and provincial bodies. Second, voluntary remediation commitments need to be treated as enforceable, because they are.
Designing the single DSR portal that detects province and applies the correct rules
The compliance architecture that survives 2026 audits is a single data subject request portal with three layers: identity verification, province detection, and rule routing.
Identity verification. Reasonable identity proofing before responding to access, correction, portability or deletion requests. PIPEDA Principle 4.9 obliges access; Law 25 mirrors it; PIPA AB and PIPA BC are similar. One verification flow, calibrated to the sensitivity of the data, satisfies all four.
Province detection. Determine the requester's province from the residential address, billing record or account profile. The rule is not IP-based, because a Quebec resident travelling outside Quebec still has Law 25 rights. The portal asks for province of residence and treats the answer as the routing key.
Rule routing. The routing table has roughly seven entries. Quebec residents trigger portability, automated decision-making review rights, granular consent withdrawal, and cross-border transfer disclosure. Alberta residents trigger PIPA AB access plus breach history. BC residents trigger PIPA BC access. Ontario health-information requests route to the PHIPA workflow. Everyone else routes to the PIPEDA baseline.
Three operational details matter. First, log every request, every routing decision, and every response in an immutable audit log. The CAI and OPC will both ask for this. Second, set service level agreements at the strictest level the program faces and build in headroom. Third, integrate the portal with your breach notification workflow so that a confirmed breach automatically pre-populates the affected-individual list per province.
SaaS teams running this architecture should pair it with a documented data map (where personal information sits, in which sub-processor, in which jurisdiction) and a vendor inventory that flags US-headquartered processors for CLOUD Act assessment.
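One way to implement the province-detection and rule-routing layer together with the tamper-evident audit log the first operational detail calls for, as an added Python example that is not Certbar's code: the province codes, workflow names and rights labels are assumptions constructed from the routing description above, and routing on a self-declared province of residence rather than an IP address follows the rule stated there.

```python
import hashlib
import json
from dataclasses import dataclass

# Rights every Canadian requester gets under the PIPEDA baseline (assumed labels).
BASELINE_RIGHTS = frozenset({"access", "correction", "consent_withdrawal"})

# Routing table keyed on province of residence, constructed from the post's
# description of the seven-entry table; workflow names are assumptions.
ROUTES = {
    "QC": ("law25", {"portability", "adm_human_review",
                     "granular_consent_withdrawal", "cross_border_disclosure"}),
    "AB": ("pipa_ab", {"breach_history"}),
    "BC": ("pipa_bc", set()),
}

@dataclass(frozen=True)
class DSRequest:
    request_id: str
    province: str        # self-declared province of residence, never IP-derived
    request_type: str    # e.g. "access", "portability", "adm_human_review"
    health_data: bool = False

def route(req: DSRequest) -> dict:
    """Pick the workflow and rights set for one request; Ontario health data
    goes to PHIPA, unknown provinces fall back to the PIPEDA baseline."""
    if req.province == "ON" and req.health_data:
        workflow, rights = "phipa", set(BASELINE_RIGHTS)
    else:
        workflow, extra = ROUTES.get(req.province, ("pipeda_baseline", set()))
        rights = set(BASELINE_RIGHTS) | extra
    # A request type outside the requester's rights set is flagged, not upgraded.
    return {"workflow": workflow, "rights": sorted(rights),
            "actionable": req.request_type in rights}

class AuditLog:
    """Append-only, hash-chained record of every routing decision."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, req: DSRequest, decision: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"request_id": req.request_id, "province": req.province,
                "request_type": req.request_type, "prev": prev, **decision}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or deleted entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

In production the chain head would be anchored outside the portal's own database (for example, written to a separate write-once store) so that an attacker with database access cannot rewrite the whole chain consistently.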
Cross-border privacy program design sits naturally inside this architecture: the same control library scales from PIPEDA + Law 25 to India's DPDP Act and the EU GDPR with relatively small overlays.
Where the cyber security stack plugs into the privacy program
Privacy programs that ignore the cyber stack lose at the breach-notification stage. PIPEDA Principle 4.7 and Law 25 both demand reasonable security safeguards. The 23andMe finding makes the point explicit: MFA was optional, password policy was weak, compromised credentials were not detected, notification was delayed. None of these failures were strictly privacy failures. All of them produced a privacy finding.
The other forcing function is Bill C-8 (An Act respecting Cyber Security), which received Royal Assent on 16 June 2026. Part 1 amends the Telecommunications Act with immediate effect. Part 2 enacts the Critical Cyber Systems Protection Act (CCSPA), which covers six vital service sectors: telecommunications, interprovincial and international pipelines and power lines, nuclear energy, federal transportation, banking, and clearing and settlement systems. Designated operators must establish a cybersecurity programme within 90 days of designation, mitigate supply-chain risk, report incidents to the Communications Security Establishment within a period not exceeding 72 hours, and keep records in Canada. AMPs run up to $1 million for individuals and $15 million for corporations per violation, with each day of continuing violation counting as a separate violation. Telecommunications Act AMPs sit at $10 million for a first violation and $15 million for subsequent ones (BLG, July 2025).
For federally regulated financial institutions, OSFI Guideline B-13 has been in force since 1 January 2024, structured around three pillars: governance and risk management, technology operations and resilience, and cyber security. The 24-hour OSFI incident reporting threshold for material incidents sits inside Guideline B-13's companion advisory.
A privacy program in 2026 therefore needs four cyber inputs running in lockstep: continuous VAPT against the application stack producing the Principle 4.7 evidence, a 24x7 SOC monitoring capability that can detect a credential-stuffing or Salt Typhoon-style intrusion fast enough to meet the 72-hour CSE clock, red team and attack simulation exercises that test the breach-response playbook against realistic ransomware scenarios (CCCS pegs Canadian ransomware incidents growing at 26 percent per year 2021-2024), and an AI risk assessment for any model that processes Canadian personal information given Law 25's automated decision-making rules.
The board reporting view: privacy and cyber on one page
Boards are not interested in the difference between PIPEDA Principle 4.7 and Law 25's safeguards duty. They are interested in three numbers: maximum financial exposure, time to detect and notify, and the percentage of high-risk projects that completed a PIA before launch.
The financial exposure number is concrete in 2026. Under Law 25, a serious contravention can cost CAD 10 million or 2 percent of worldwide turnover, whichever is higher. Penal fines can reach CAD 25 million or 4 percent. PIPEDA caps at $100,000 for s.28 offences. CCSPA AMPs reach $15 million per corporate violation with daily accrual. OSFI does not impose fixed fines but can trigger capital add-ons and supervisory action. The class-action risk under Law 25's private right of action is on top of all of this and, for a SaaS with 500,000 Quebec users, the statutory damages math is sobering.
The time-to-notify number is governed by three different clocks. CSE under CCSPA: up to 72 hours, regulations pending. OSFI material technology incidents: 24 hours. OPC and CAI breach notification: as soon as feasible after the determination of real risk of significant harm or serious injury. Boards want one dashboard that shows mean time to detect and mean time to notify across all three.
The PIA completion percentage is the leading indicator of Law 25 maturity. A program that has completed PIAs for every high-risk project in the last 12 months and has the artefacts on file is materially less likely to face a CAI enforcement action. Track it, report it, and tie it to project gating in the SDLC.
One more board input: the CSA cybersecurity disclosure expectations (Staff Notice 11-326 and 51-347) require disclosure of material cyber risks and incidents in continuous disclosure. The materiality standard is judgment-based; there is no fixed day clock as under the US SEC Item 1.05 rule. Boards should pre-agree the materiality threshold in writing.
What to do next: a 90-day Canadian privacy program sprint
Treat 2026 as the year to consolidate. Three sprints, 30 days each, produce a defensible program.
Days 1 to 30: map and gap. Build the rights and obligations table. Inventory every system that touches Canadian personal information. Tag each record by province of data subject. Name a privacy officer publicly. Document the seven Quebec-specific deltas (PIA library, cross-border assessment, biometric workflow, automated decision-making notice, portability endpoint, granular consent UI, expanded breach notification list).
Days 31 to 60: build the portal and the evidence base. Ship the single DSR portal with province detection and rule routing. Stand up the PIA template and back-fill the last 12 months of high-risk projects. Run a penetration test across the customer-facing stack to produce dated Principle 4.7 evidence. Integrate SIEM alerts with the breach-notification workflow so the 72-hour clocks are tracked from incident detection.
Days 61 to 90: rehearse and report. Tabletop a ransomware scenario that triggers CCSPA reporting, OSFI reporting (if applicable), OPC notification, CAI notification, and CSA material-change disclosure simultaneously. Identify which roles must be on the call within the first six hours. Brief the board with the three numbers (exposure, time to notify, PIA coverage) and lock the materiality threshold for CSA disclosure.
Where in-house capacity is thin, a CERT-In empanelled, India-based partner can compress the cost. Certbar Security runs VAPT, SOC monitoring, attack simulation and privacy program engagements for Canadian clients with regulator-mapped evidence artefacts, working hours that span Canadian and Indian business days for genuine 24x7 coverage, and offshore delivery economics that often land the program at 40 to 60 percent of comparable Canadian-domiciled pricing. The mapping work, the portal build, the PIA library and the breach tabletop can run as one engagement rather than four.
Worth a scoping call if the 90-day sprint above looks tight against current headcount. The Canadian privacy file in 2026 rewards organisations that stop treating each statute as a separate program. One control library, province-aware overrides, and the cyber stack wired into the breach clocks gets you across PIPEDA, Law 25, PIPA AB, PIPA BC and PHIPA in one motion. That is the program that survives the next joint OPC and CAI investigation.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.