Alberta PIPA

Personal Information Protection Act

Key Facts

Effective Date
January 1, 2004
Enacted
December 17, 2003
Enforcing Authority
Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta)
Consent Model
Opt-in
Fulfillment Time
30 days
Applies To
Provincially regulated private-sector organizations, businesses, and some nonprofits in Alberta

Overview

Alberta's PIPA is recognized as substantially similar to PIPEDA, covering provincially regulated private-sector organizations and some nonprofits. The OIPC has binding order-making power — stronger enforcement authority than PIPEDA's OPC, which issues only recommendations.

What This Means for Your Website

  • Express consent is required for sensitive data of Alberta visitors; implied consent is acceptable for non-sensitive data
  • The OIPC can issue binding orders, not just recommendations
  • Mandatory breach notification applies for breaches posing real risk of significant harm
  • Personal information must be destroyed when no longer needed
  • Currently under legislative review (2024-2025) — changes may be coming

Key Requirements

The OIPC Alberta enforces PIPA with penalties up to CAD $100,000 for organizations and CAD $10,000 for individuals. Binding order-making power gives the OIPC stronger enforcement than PIPEDA's OPC. Consumer requests must be fulfilled within 30 days.

How ConsentStack Handles This

ConsentStack detects Alberta visitors and applies express consent for sensitive data and implied consent for non-sensitive data per PIPA requirements.

Penalties

Up to CAD $10,000 for individuals; up to CAD $100,000 for organizations.

Maximum Fine
CAD $100,000 per violation

Key Requirements

  • Obtain consent — express for sensitive, implied for non-sensitive
  • Develop and follow reasonable privacy policies
  • Implement reasonable security measures
  • Mandatory breach notification for breaches posing real risk of significant harm
  • Provide individuals access to their personal information
  • Destroy data when no longer needed for original purpose

Notable Provisions

  • Recognized as substantially similar to PIPEDA
  • OIPC has binding order-making power — stronger than PIPEDA OPC
  • Covers some nonprofits in commercial activities
  • Currently under legislative review (2024-2025)

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

How does Alberta PIPA differ from PIPEDA?

Alberta PIPA is substantially similar to PIPEDA, but the OIPC has binding order-making power, which is stronger than PIPEDA's OPC, which can only make recommendations.

What are the Alberta PIPA penalties?

Up to CAD $100,000 for organizations and CAD $10,000 for individuals.

Is Alberta PIPA changing?

Alberta PIPA is currently under legislative review (2024-2025). Changes to align with evolving privacy standards may be forthcoming.
