PIPEDA Personal Data Access & Correction Rights

Difficulty: Easy · Applies To: All Provinces & Territories · Last Updated: 2025-01-01

Overview

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) grants every Canadian resident the right to:

  1. Know what personal information an organization holds about them
  2. Access that information upon request
  3. Challenge its accuracy and have it corrected or annotated

This applies to virtually all private-sector organizations operating in Canada — including data brokers, credit bureaus, background check companies, marketing firms, loyalty programs, and app developers. Quebec’s Act respecting the protection of personal information in the private sector (Law 25, modernized in 2022–2023) goes further and adds a right to be forgotten (data deletion) and data portability.

Who Must Comply

  • Any federally regulated private organization in Canada (PIPEDA)
  • Any Quebec-based organization or one handling Quebec residents’ data (Law 25)
  • Alberta and BC have substantially similar provincial laws (PIPA)
  • Federally regulated employers: banks, telecoms, airlines, broadcasting — PIPEDA applies directly

Step-by-Step: Filing an Access Request

  1. Identify the organization — Start with data brokers like Acxiom, LexisNexis, TransUnion, Equifax, or any company that may hold your data.
  2. Submit a written request — Email or mail the organization’s Privacy Officer (every PIPEDA-covered organization must designate one). State: “I am submitting an access request under PIPEDA for all personal information your organization holds about me.”
  3. Verify your identity — Organizations may ask for ID to confirm you are who you say you are. Provide government ID copies with sensitive numbers redacted if you prefer.
  4. Wait for the response — Organizations have 30 days to respond (PIPEDA). Quebec’s Law 25 requires a response within 30 days, extendable once with notice.
  5. Review and correct — If information is inaccurate, submit a correction request. The organization must either correct it or note your challenge in the file.
  6. Deletion (Quebec/Law 25) — Quebec residents can also request data deletion under certain conditions (no longer necessary for original purpose, consent withdrawn).

High-Value Targets

Organization Type | Why It Matters
Equifax / TransUnion | Free credit reports; you can dispute inaccurate tradelines
Acxiom / Epsilon | Marketing databases; opt out of targeted advertising profiles
LexisNexis / Certn | Background check databases used by landlords and employers
Loyalty programs (PC Optimum, Scene+) | Know what purchase behaviour is tracked and sold
Insurance companies | Understand what health/driving data they’ve obtained

Escalation: File a Complaint with the OPC

If an organization:

  • Refuses your access request without valid legal reason
  • Fails to respond within 30 days
  • Refuses a legitimate correction

You can file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) at no cost. The OPC can investigate and issue findings. For Quebec, complain to the Commission d’accès à l’information (CAI).

Tips for Opt-Out and Deletion

  • CASL (Canada’s Anti-Spam Legislation): You have the right to withdraw consent for commercial electronic messages at any time. All commercial emails must include a working unsubscribe mechanism.
  • Do Not Call List: Register at lnnte-dncl.gc.ca to reduce telemarketing calls.
  • Credit bureau opt-outs: Both Equifax and TransUnion offer opt-out from pre-screened credit offers.

Frequently Asked Questions

Can I request all the personal information a data broker or background check company holds on me under PIPEDA?

Yes. Data brokers, background check companies (like Certn and LexisNexis), and marketing database operators that operate in Canada are subject to PIPEDA and must respond to your access request within 30 days. Submitting a written request to the organization’s Privacy Officer is the correct mechanism, and they cannot charge you for it.

What if an organization refuses my PIPEDA access request or ignores it entirely?

You can file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) at no cost. The OPC has the power to investigate the complaint and issue findings. If the organization is in Quebec, file with the Commission d’accès à l’information (CAI) instead.

Does PIPEDA give me the right to have my personal information deleted?

Standard PIPEDA does not include a general right to deletion. However, Quebec’s Law 25 (fully in force since September 2023) does give Quebec residents the right to request data deletion in certain circumstances — specifically where the data is no longer necessary for its original purpose or consent has been withdrawn. Outside Quebec, your best option is to withdraw consent for specific uses and request corrections to inaccurate data.

Does PIPEDA apply to my employer’s collection of my personal information?

PIPEDA does not apply to employee personal information in most provincial employment contexts. Federally regulated employees (banks, airlines, telecoms) do have PIPEDA protections in the employment relationship. For most provincially regulated workers, other frameworks apply — Ontario’s ESA electronic monitoring policy requirement, or BC and Alberta’s PIPA legislation.

How do I find and contact an organization’s Privacy Officer to submit a PIPEDA access request?

PIPEDA requires every covered organization to designate a Privacy Officer and make that person’s contact information available. Check the company’s website privacy policy (usually at the bottom of the page), or search “[Company name] Privacy Officer” or “[Company name] data access request.” If you cannot find the information, addressing your written request to “The Privacy Officer” at the company’s head office address is sufficient to start the clock.

Caveats

  • PIPEDA does not apply to employee information within an employment relationship in most provinces.
  • Journalism, artistic, and literary purposes have limited exemptions.
  • National security and law enforcement exemptions apply.
  • Law 25’s right to deletion is narrower than Europe’s GDPR — organizations can decline if the data is still needed for a legitimate purpose.