New PIPEDA Enforcement Actions: What Changed and What Canadian SMBs Must Do Now
Canada's federal privacy law is being enforced with increasing rigour, and small businesses are not exempt. The Office of the Privacy Commissioner of Canada (OPC) has been expanding its enforcement activities under the Personal Information Protection and Electronic Documents Act (PIPEDA), with a clear focus on organizations that fail to meet basic data protection obligations — regardless of their size.
For Canadian SMBs that collect customer information, employee records, or any form of personal data, understanding what the OPC expects and where enforcement is heading is no longer optional: failing to do so is a business risk that requires attention.
What Has Changed in PIPEDA Enforcement
The OPC Is Prioritizing Proactive Enforcement
Historically, the OPC operated primarily on a complaint-driven model — investigating organizations only when individuals filed formal complaints. That approach has been shifting. The OPC's 2024-2025 Annual Report signalled a strategic move toward proactive enforcement, including Commissioner-initiated investigations targeting sectors and practices where privacy risks are highest.
This means the OPC may investigate your business even if no customer has filed a complaint — particularly if your industry handles sensitive personal information or if a data breach suggests systemic safeguard failures.
Breach Reporting Is Under Scrutiny
Since November 2018, PIPEDA has required organizations to report breaches of security safeguards to the OPC when there is a "real risk of significant harm" (RROSH) to affected individuals. Organizations must also notify affected individuals and keep records of all breaches.
The OPC has indicated that many organizations are either under-reporting breaches or failing to conduct adequate risk assessments when determining whether a breach meets the RROSH threshold. Organizations that fail to report qualifying breaches face potential fines of up to $100,000 per violation under PIPEDA.
If your business experiences a data breach — even a minor one — you are required to document it internally. If personal information is involved and there is any possibility of harm, the safer course is to report it.
Consent Requirements Are Being Interpreted Strictly
Recent OPC findings have reinforced that meaningful consent under PIPEDA requires more than a buried clause in a terms-of-service document. The OPC expects organizations to:
- Explain what personal information is being collected
- Explain why it is being collected and how it will be used
- Obtain consent that is informed, voluntary, and specific to the stated purpose
- Not collect more information than is necessary for the identified purpose
For small businesses, this has practical implications. If your website collects email addresses for a newsletter, you cannot use those addresses for unrelated marketing without obtaining separate consent. If your intake forms ask for information you don't actually need, that collection may not comply with PIPEDA's limiting collection principle.
Quebec's Law 25 Is Raising the Bar Nationally
While not a PIPEDA amendment, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) — which has been rolling out in phases since September 2022 — has introduced privacy obligations that exceed PIPEDA in several areas. These include mandatory privacy impact assessments, default privacy settings, and the right to data portability.
For businesses operating across provincial borders, Quebec's higher standard is effectively becoming the practical baseline. Organizations that align with Law 25 requirements will generally meet or exceed PIPEDA obligations as well.
The federal government has also signalled its intent to modernize PIPEDA through proposed legislation. While timelines remain uncertain, the direction is clear: privacy obligations for Canadian businesses are increasing, not decreasing.
What This Means for Small Businesses
Many SMB owners assume that privacy enforcement is focused on large corporations and tech companies. Recent OPC activities suggest otherwise. The OPC has investigated organizations of various sizes, and PIPEDA applies to any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity.
The practical risk for a small business is not typically a headline-making fine. It is the combination of:
- OPC investigation costs — Responding to an investigation requires time, legal guidance, and documentation that can strain a small business
- Mandatory remediation — The OPC can require changes to your data practices, which may involve system changes, policy rewrites, and staff retraining
- Reputational impact — OPC findings are published publicly and are easily discoverable by customers, partners, and competitors
- Breach notification costs — Notifying affected individuals, providing credit monitoring, and managing the response to a reported breach can be expensive relative to SMB budgets
Practical Steps for Canadian SMBs
You do not need a legal department or a dedicated privacy officer to meet your PIPEDA obligations. Start with the fundamentals.
Know What Personal Information You Hold
Conduct a basic inventory of the personal information your business collects and stores. This includes:
- Customer names, email addresses, phone numbers, and payment information
- Employee records and payroll data
- Website analytics and tracking data
- Information collected through forms, surveys, or intake processes
You cannot protect or properly manage information you haven't identified. This inventory is also the foundation of your access control practices (BC.12) — understanding who has access to what.
Review Your Consent Practices
Look at how your business obtains consent for collecting personal information:
- Is your privacy notice written in clear, plain language?
- Does it explain what you collect, why, and how it will be used?
- Are you collecting only the information you actually need?
- Can individuals withdraw their consent easily?
The OPC provides guidance on obtaining meaningful consent that is written for organizations of all sizes. It is worth reviewing against your current practices.
Implement Basic Security Safeguards
PIPEDA requires organizations to protect personal information with security safeguards appropriate to the sensitivity of the information. For most small businesses, this means:
- Multi-factor authentication on all accounts that access personal information
- Strong, unique passwords managed through a password manager
- Encryption for sensitive data, both in transit and at rest
- Access restrictions — Only employees who need personal information to do their jobs should have access to it
- Regular software updates through a consistent patch management process
These measures align directly with the Canadian Centre for Cyber Security's Baseline Controls, which provide a practical framework for implementing the security safeguards PIPEDA requires.
Have a Breach Response Process
If a breach occurs, you need to be able to:
- Assess what information was affected and whether there is a real risk of significant harm
- Report qualifying breaches to the OPC as soon as feasible
- Notify affected individuals with clear information about what happened and what they can do
- Record the breach, your risk assessment, and your response — PIPEDA requires you to keep these records for at least two years
A documented incident response plan does not need to be complex, but it does need to exist before a breach happens. The Baseline Controls address this under incident response planning (BC.1).
Train Your Team
Employees who handle personal information should understand their obligations. This doesn't require formal certification — it means ensuring that staff know:
- What personal information the business collects and why
- How to handle requests from individuals to access or correct their information
- What constitutes a privacy breach and who to report it to internally
- Basic security practices that protect the data they work with
This overlaps directly with security awareness training (BC.6) and should be integrated into your broader employee training program.
How This Connects to Cybersecurity
Privacy and cybersecurity are not separate concerns — they are two sides of the same obligation. PIPEDA requires you to protect personal information. The Canadian Centre for Cyber Security's Baseline Controls tell you how. Nearly every security control in the Baseline framework — from authentication to backup and recovery to cloud security — directly supports your ability to meet PIPEDA's safeguard requirements.
Our free cybersecurity assessment evaluates your organization across all 13 Baseline Control areas and identifies specific gaps. For businesses that are concerned about their PIPEDA readiness, the assessment results provide a practical starting point for understanding where your security safeguards may need strengthening.
For a broader overview of Canada's privacy framework, including provincial legislation and breach reporting obligations, see our guide on Canada's privacy landscape.
Frequently Asked Questions
Does PIPEDA apply to my small business?
PIPEDA applies to any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity. This includes most Canadian small businesses — even sole proprietors — if they handle customer data, employee records, or any other personal information. Businesses in Alberta, British Columbia, and Quebec may be subject to provincial privacy legislation instead of PIPEDA for activities within those provinces, but PIPEDA applies to interprovincial and international data flows.
What are the penalties for not complying with PIPEDA?
PIPEDA penalties include fines of up to $100,000 per violation for failing to report breaches, failing to maintain breach records, or obstructing an OPC investigation. Beyond fines, the OPC can publish findings that name your organization, require mandatory changes to your practices, and refer matters to the Federal Court. The reputational and operational costs of non-compliance often exceed the financial penalties.
What counts as a "real risk of significant harm" for breach reporting?
The OPC considers factors including the sensitivity of the information involved, the probability that it has been or will be misused, and the potential consequences for affected individuals. Financial information, health records, government-issued identification numbers, and login credentials are generally considered sensitive. If there is any reasonable possibility of identity theft, financial loss, or reputational damage to affected individuals, the breach likely meets the reporting threshold.
How is Quebec's Law 25 different from PIPEDA?
Quebec's Law 25 introduced several requirements that exceed PIPEDA, including mandatory privacy impact assessments for certain projects, default privacy settings for technology products, data portability rights, and the requirement to designate a person responsible for personal information protection. Businesses operating in Quebec must comply with Law 25 for activities within the province. For businesses operating nationally, aligning with Law 25's stricter requirements can help ensure compliance across all jurisdictions.
Do I need a privacy officer?
PIPEDA requires organizations to designate an individual accountable for compliance, but this does not need to be a dedicated privacy officer. In a small business, this responsibility often falls to the owner, a manager, or an office administrator. What matters is that someone is clearly responsible for privacy practices, can respond to access requests, and knows what to do if a breach occurs.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.