If You Care About Privacy · 🇨🇦 Canada

PIPEDA Privacy Complaint — Force a Business to Answer for Mishandled Personal Data

Difficulty Easy Applies To All Provinces & Territories Last Updated 2026-04-03

PIPEDA Privacy Complaint — Force a Business to Answer for Mishandled Personal Data

What Is It?

The Personal Information Protection and Electronic Documents Act (PIPEDA) gives individuals rights against many private-sector organizations in Canada. If a business mishandles your personal information, refuses access, keeps inaccurate data, or fails to protect it properly, you can complain to the Office of the Privacy Commissioner of Canada (OPC).

The overlooked angle is that a privacy complaint is not just about breaches. It can also be used when a company stonewalls your access request, keeps incorrect information on file, or collects more personal information than it reasonably needs.

What You Can Complain About

Common PIPEDA issues include:

  • Refusal to provide access to your personal information
  • Failure to correct inaccurate information
  • Unauthorized collection, use, or disclosure
  • Weak safeguards leading to a breach
  • Retaining personal information too long
  • Demanding more personal information than necessary

How It Works

  1. Raise the issue with the organization first
  2. Keep copies of your request and the organization’s response
  3. If unresolved, file a complaint with the OPC
  4. The OPC can investigate and make findings or recommendations

In serious cases, the complaint process can create meaningful pressure even if it does not operate like a damages lawsuit.

Who Benefits Most?

Anyone dealing with a telecom, bank, retailer, app, insurer, or other covered private-sector business that mishandled personal information or refused to deal transparently with a privacy request.

How to Use It

  1. Send a clear written request or complaint to the organization.
  2. Ask for the specific records, correction, or explanation you want.
  3. Save screenshots, emails, and any denial language.
  4. File with the OPC if the response is incomplete, late, or unsatisfactory.
  5. Keep the complaint factual and organized around dates and documents.

What Most People Don’t Know

  • You can complain about access failures, not just breaches. A company refusing to give you your own data can be enough.
  • Written requests matter. A short, dated email often becomes the key evidence in the complaint.
  • Privacy rights and customer-service rights are not the same. Even if a company says “our policy doesn’t allow that,” PIPEDA may say otherwise.
  • The OPC process is often more effective when the issue is framed narrowly. Specific dates, specific records, and specific refusals work better than broad anger.
  • A complaint can expose process failures. Companies often improve retention, security, and access practices once the OPC is involved.

Frequently Asked Questions

Do I need a data breach to file a privacy complaint?


A: No. Access refusals, inaccurate records, over-collection, poor safeguards, or unauthorized disclosure can also support a complaint.

Should I contact the company first?


A: Yes. The strongest complaints usually show that you tried to resolve the issue directly before going to the OPC.

Can I ask the company to correct wrong information about me?


A: Yes. PIPEDA includes rights relating to access and correction of personal information.

Does the OPC process cost money?


A: No. Filing a complaint with the OPC is free.

Sources