If your charity collects donor names, emails, donation history, volunteer details, or any health information, you are subject to at least one Canadian privacy regime — and possibly all three discussed here. Privacy law in Canada is layered: federal law sets a baseline, provincial law applies on top in some jurisdictions, and sector-specific law applies on top of both for health information.
This article is not legal advice. It is an operational primer to help charity leadership understand the landscape before engaging counsel or a privacy officer for specifics.
PIPEDA — the federal baseline
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for the private sector. It was enacted in 2000 and is enforced by the Office of the Privacy Commissioner of Canada (OPC).
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. The "commercial activities" qualifier matters for charities. The OPC's published position is that PIPEDA generally does not apply to the core non-commercial activities of charities and not-for-profits (fundraising itself, membership administration, mailing newsletters), but it does apply to activities that are commercial in nature: selling merchandise, running paid programmes, or selling, bartering, or leasing a donor or membership list. In practice most charities engage in enough commercial activity that PIPEDA-equivalent practices are the safest baseline, and provincial law (Quebec in particular) reaches non-commercial activity that PIPEDA does not.
PIPEDA is built around ten Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure, and retention, accuracy, safeguards, openness, individual access, and challenging compliance. In practice, the principles translate to a small number of operational requirements:
- Designate someone responsible for privacy compliance.
- Identify why you are collecting personal information before you collect it.
- Get meaningful consent for collection, use, and disclosure.
- Collect only what you need; keep it only as long as you need it.
- Protect what you hold with appropriate safeguards.
- Provide individuals with access to their information on request.
- Notify the OPC and affected individuals of breaches that pose a "real risk of significant harm."
PIPEDA's mandatory breach reporting provisions, in force since November 2018, are among the most-overlooked obligations at smaller charities. If you suffer a breach of security safeguards affecting donor or volunteer data and it creates a real risk of significant harm, you have a legal duty to report it to the OPC and notify affected individuals as soon as feasible. Separately, you must keep a record of every breach of security safeguards for 24 months, whether or not it met the reporting threshold, and provide those records to the OPC on request.
Quebec Law 25 — the GDPR-style provincial overlay
An Act to modernize legislative provisions as regards the protection of personal information, commonly called Quebec Law 25 (Bill 64 before assent), received assent on 22 September 2021 and came into force in three phases, on 22 September 2022, 2023, and 2024. Law 25 amends Quebec's existing private-sector privacy statute rather than replacing it, and is enforced by the Commission d'accès à l'information du Québec (CAI).
Law 25 applies to any person "carrying on an enterprise" in Quebec that collects, holds, uses, or communicates personal information. "Enterprise" takes its meaning from article 1525 of the Civil Code of Québec: any organized economic activity, whether or not it is commercial in nature, consisting of producing, administering, or alienating property or providing a service. That definition reaches charities and nonprofits directly, without the "commercial activity" hook PIPEDA relies on. The implication: most charities operating in Quebec, or collecting personal information from Quebec residents, are in scope.
Law 25 imposes obligations significantly beyond PIPEDA. Highlights:
- Privacy Officer. Every in-scope organization must designate a person in charge of the protection of personal information. By default this is the person with the highest authority in the organization (for a charity, typically the executive director); the role can be delegated in writing. The privacy officer's title and contact information must be published on the organization's website, or made available by other means if there is no website.
- Privacy Impact Assessments. A PIA is required before personal information is communicated outside Quebec (to another province, not only to another country), and for any project to acquire, develop, or overhaul an information system or electronic service delivery system that involves personal information.
- Enhanced consent. Consent must be granular, informed, and clearly separable from other terms. Bundled consent at signup is not sufficient.
- Breach notification. Breaches that pose a "risk of serious injury" must be reported to the CAI and affected individuals, and a register of all incidents must be maintained.
- Data subject rights. Individuals have the rights to access, rectification, withdrawal of consent, cessation of dissemination or de-indexing (Quebec's version of the right to be forgotten), and, since September 2024, portability of computerized personal information they provided. Organizations must respond to requests within 30 days.
- Privacy by default. Technology products and services offered to the public must default to the highest level of confidentiality.
Penalties under Law 25 are substantial. The CAI can impose administrative monetary penalties of up to C$10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater, and the courts can impose penal fines of up to C$25 million or 4% of worldwide turnover, whichever is greater, for the most serious offences. By comparison, PIPEDA's fines top out at C$100,000 per offence for specific contraventions such as failing to report or record a breach.
For charities operating across Canada, the practical approach is usually to align to Law 25 as the most stringent of the general-purpose regimes. If your privacy posture satisfies Law 25, it generally satisfies PIPEDA as well; PHIPA's health-specific obligations, discussed next, still need separate treatment.
PHIPA — the Ontario health privacy regime
Ontario's Personal Health Information Protection Act (PHIPA) is sector-specific: it applies to "health information custodians" handling personal health information in Ontario. Enforcement is handled by the Information and Privacy Commissioner of Ontario (IPC).
For most charities, PHIPA only applies if you provide health-related services or hold health information. Examples include charities running mental-health support programmes, community clinics, addictions services, peer-support networks that handle medical disclosures, or charities operating residential care facilities. If your charity's only health-adjacent activity is, say, a wellness newsletter or a fundraising campaign for a hospital, you are probably not a health information custodian under PHIPA.
If you are a custodian, PHIPA imposes obligations specific to health information: consent rules tailored to the circle of care, a designated contact person responsible for privacy compliance, notification of affected individuals at the first reasonable opportunity after a loss, theft, or unauthorized use or disclosure, reporting to the IPC in prescribed circumstances plus annual statistical reporting of breaches, and detailed record-keeping requirements. PHIPA also gives individuals robust access and correction rights to their own health records.
The practical compliance posture
For a Canadian charity that operates in multiple provinces, a defensible compliance posture typically involves:
- A designated privacy officer (named on your website, with contact info).
- A published privacy policy that meaningfully describes what you collect, why, who you share it with, and how individuals can exercise their rights.
- Documented data retention and destruction practices.
- Privacy impact assessments before deploying or overhauling systems that hold personal information, and before transferring personal information outside Quebec (Law 25 triggers a PIA for transfers to another province, not only outside Canada).
- A breach response plan with a breach register, a documented harm-assessment step, and notification workflows for the OPC, the CAI (if you have Quebec data subjects), and the IPC (if you are a PHIPA custodian).
- Vendor contracts that bind third parties to equivalent privacy obligations.
- Periodic staff training on privacy obligations.
- Technical safeguards proportionate to the sensitivity of the data: encryption at rest and in transit, least-privilege access controls, multi-factor authentication for anyone who can reach donor or client records, and audit logging that can actually reconstruct who accessed what during a breach investigation.
None of this is unique to charities. The difference for charities is usually budget and staffing: most do not have a full-time privacy officer or in-house counsel, which is why frameworks like NIST CSF 2.0 and CyberSecure Canada become useful starting points for the technical safeguards layer.
Sources
Federal PIPEDA text and OPC guidance are available at priv.gc.ca. Quebec's amended private-sector privacy act, consolidating the Law 25 changes, is published in the official Quebec statute database (legisquebec.gouv.qc.ca, chapter P-39.1), and the CAI publishes implementation guidance at cai.gouv.qc.ca. Ontario's PHIPA and IPC guidance are available at ipc.on.ca. The Office of the Privacy Commissioner of Canada has published a useful comparison of federal and provincial privacy regimes that we recommend reading alongside this primer.
Disclaimer. This article is provided for general informational purposes only and does not constitute legal advice. Privacy law is jurisdiction-specific and fact-specific. Consult qualified privacy counsel before making compliance decisions for your organization.