BC PIPA

Personal Information Protection Act

Key Facts

Effective Date: January 1, 2004
Enacted: October 23, 2003
Enforcing Authority: Office of the Information and Privacy Commissioner for British Columbia (OIPC BC)
Consent Model: Opt-in
Fulfillment Time: 30 days
Applies To: Private-sector organizations operating in BC, organizations managing personal information within BC, and nonprofits in commercial activities

Overview

British Columbia's PIPA is recognized as substantially similar to PIPEDA and applies to private-sector organizations, organizations managing personal information within BC, and nonprofits in commercial activities. The OIPC can investigate, audit, and issue binding orders.

What This Means for Your Website

  • Explicit consent is required before collecting, using, or disclosing personal information of BC visitors
  • Collection must be limited to what is reasonably necessary for identified purposes
  • Personal information must be destroyed when the original purpose is fulfilled
  • Mandatory breach notification applies for breaches posing significant risk of harm
  • Nonprofits in commercial activities must also comply

Key Requirements

The OIPC BC enforces PIPA with penalties up to CAD $100,000 for organizations and CAD $10,000 for individuals. The OIPC has binding order-making power. Consumer requests must be fulfilled within 30 days. The data destruction requirement creates an ongoing compliance obligation.

How ConsentStack Handles This

ConsentStack detects BC visitors and applies explicit consent requirements per PIPA, supporting the province's privacy framework.

Penalties

Up to CAD $10,000 for individuals; up to CAD $100,000 for organizations.

Maximum Fine: CAD $100,000 per violation

Key Requirements

  • Obtain explicit consent before collecting, using, or disclosing personal information
  • Identify purposes at or before collection
  • Limit collection to what is reasonably necessary
  • Implement reasonable security safeguards
  • Provide access and correction rights
  • Mandatory breach notification for significant risk of harm

Notable Provisions

  • Recognized as substantially similar to PIPEDA
  • OIPC has binding order-making power
  • Covers nonprofits in commercial activities
  • Must destroy data once original purpose is fulfilled

Other North America Regulations

CPRA: California, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDA: Canada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25: Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSA: Texas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPA: Colorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPA: Maryland, United States
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

How does BC PIPA differ from PIPEDA?

BC PIPA is substantially similar to PIPEDA but the OIPC has binding order-making power and the law also covers nonprofits in commercial activities.

What are the BC PIPA penalties?

Up to CAD $100,000 for organizations and CAD $10,000 for individuals. The OIPC can also issue binding compliance orders.

Does BC PIPA require data destruction?

Yes. Organizations must destroy personal information once the original purpose for collection is fulfilled.
