Retail Privacy and Data Regulation

Disclaimer: The information on this page is meant to be solution-focused and helpful for Canadian retailers navigating privacy and data reforms in Canada. If you have any questions or suggestions, please contact Kate Skipton at kskipton@retailcouncil.org. This page is not legal advice; it is merely information which we make some effort to keep updated and accurate. We suggest you seek professional advice specific to your circumstances for any material decisions.

Recent regulatory updates

Privacy and data for Canadian retailers

Almost daily, we see and hear headlines about data privacy concerns, data breaches and overall misuse of data (e.g. Cambridge Analytica, Desjardins). The retail landscape increasingly requires retailers to make use of data to create great customer experiences, while also protecting individuals’ personal information.

Privacy laws and regulations generally apply when a retailer handles information that can identify an individual person, which happens in many situations. An email address, clothing size, physical location, name, credit card number, IP address, web cookies and video camera footage – these are only some examples of personal data that retailers handle.

Who regulates privacy in Canada?

Generally, privacy regulator involvement is triggered by a complaint from an individual, such as from a customer who shares personal information with a retailer and then feels that the retailer has not taken very good care of it. View more information.

It is best to assess which law(s) apply on a case-by-case basis depending on the situation you are dealing with.

Federal: The federal Office of the Privacy Commissioner of Canada (OPC) is the main regulator for retailers handling consumer personal information in Canada. The OPC administers Canada’s federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

The OPC shares jurisdiction with the federal Canadian Radio-television and Telecommunications Commission (CRTC) and the federal Competition Bureau over another privacy law affecting retailers, Canada’s Anti-Spam Law (CASL). CASL addresses commercial electronic communications, including text messaging, email marketing and social media. The Competition Bureau may also address privacy as an aspect of competition, such as deceptive marketing in privacy policies or as a criterion for assessing competitive impact (view 2022 amendments guide, $9M Facebook penalty).

Regional: Every Canadian province and territory has a regulator, in the form of a Commissioner or Ombudsperson, which deals with that region’s legislation governing personal information.

Regulators in Quebec, BC and Alberta address private sector privacy in those provinces. At times, they may conduct joint investigations with the federal Privacy Commissioner (view example). Four provinces also have health privacy laws deemed substantially equivalent to PIPEDA and regulators that address them: Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador. View regional regulator list. View health privacy list.

This means that, in many circumstances, provincial privacy law applies instead of the federal law. The Privacy Commissioner explains more about how this works. View information.

What’s happening in Canadian data privacy reform?

Privacy and data regulatory frameworks have recently been subject to significant review and reform in Canada and internationally. Internationally, frameworks such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) continue to shape key markets and have precedential influence.

As of spring 2025, privacy reform activity across Canada may have subsided given the newly uncertain economic times and changes in federal government leadership and priorities. Proposed federal privacy and AI Bill C-27, the Digital Charter Implementation Act, 2022, did not pass and died on the order paper in 2025 with January prorogation and the spring election call. Retailers and other businesses whose operations involve personal data flowing across regional and international borders must nevertheless still navigate a mosaic of existing data privacy laws.

What potential new privacy rules should retailers expect?

Retailers are familiar with long-held privacy practices like having a privacy policy, asking for customer consent and keeping customer and employee information safe. Some regimes, like PIPEDA, are decades old. In contrast, privacy reforms bring a range of changes typically intended to protect individuals’ personal information in a modern, data-driven world. Reforming privacy typically involves:

  • Empowering individuals to have more control over their data. e.g.:
    • Rigorous consent and transparency requirements,
    • Right to have a company delete their data,
    • De-indexing/the right to be forgotten (letting a person remove their information from search engine queries or databases),
    • Data portability/data mobility (letting a person take all their data out of a company in portable format)
  • Empowering individuals and regulators to hold companies more accountable, e.g.: mandatory breach notification, expanded audit powers, more administrative monetary penalties and fines, private rights of action for individuals.
  • Anonymizing (also called “de-identifying”) datasets to help protect the identities of those whose information is contained in the data, as well as addressing the risks of re-identification.
  • Requiring consideration, to varying degrees, of legal privacy protections in countries where companies send data for storage or analysis.
  • Specific process requirements, like appointing a privacy officer and mandating privacy impact assessments (PIAs).
  • Regulating autonomous decision making by technologies, e.g. artificial intelligence.
  • New language in privacy policies, in plain and simple terms, to reflect all these proposed requirements.

Defunct federal privacy and AI reform Bill C-27: Federal Bill C-27, the Digital Charter Implementation Act, 2022, was tabled in 2022 but failed to pass before the 2025 election. Among other significant changes to Canada’s privacy regime, Bill C-27 would have established a new federal law governing artificial intelligence, the Artificial Intelligence and Data Act (AIDA). It would have replaced PIPEDA with new legislation called the Consumer Privacy Protection Act (CPPA) and created a new Data Tribunal. Bill C-27 also included significant fines for non-compliant organizations of up to 5% of global revenue or $25 million for the most serious offences, one of many immense changes from the current PIPEDA, which does not include major penalties. Government overview: Bill C-27 2022 summary; the text of the bill: Bill C-27 2022. For legal information: Osler overview, BLG resources.

Regional reforms

Quebec

In September 2021, Quebec passed a series of stringent new privacy amendments affecting retailers into law: Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.

Strongly inspired by Europe’s General Data Protection Regulation (GDPR), these amendments included new requirements for data transfers to service providers outside Quebec, new consumer rights like data portability and high financial penalties. The new law (often called Law 25 or Bill 64) was phased into force over three years. Read more: Law firm BLG on Bill 64 requirements for business.

British Columbia and Alberta

British Columbia and Alberta also have provincial privacy laws that generally apply to retailers, both of which are called the Personal Information Protection Act (PIPA). In British Columbia, the Special Committee reviewing PIPA released its report, with 34 privacy reform recommendations, in December 2021. View B.C. full report. Alberta released a report in spring 2025 recommending modern privacy reform as well. View Alberta report.

For questions about privacy, retailers can email kskipton@retailcouncil.org.

Privacy and data resources for retailers

Anonymous Video Analytics (AVA) in stores and malls

Anonymous Video Analytics (AVA) describes a type of technology that collects video images using camera sensors to detect the presence of a human face, using facial pattern comparison algorithms to derive limited demographic data. AVA is sometimes used in public settings such as malls and retail stores for purposes that include advertising (e.g. digital signage), statistical analysis and resource management.

Camera-related technologies can raise privacy concerns and have come under scrutiny by Canadian privacy regulators. Some privacy experts believe a path forward exists for the commercial use of AVA and have outlined some recommendations. View AVA information.

RCC Guidebook: Canadian Anti-Spam Law (CASL): Guidelines for Responsible Transmission of Electronic Messages (RCC members only)

CASL has been in force for several years and applies to email marketing and communications. This 2017 members-only Guidebook helps explain CASL for retailers (CASL may also see some changes as part of any forthcoming federal privacy reforms).

View CASL Guidebook.

RCC Guidebook: How does the GDPR affect Canadian retailers? (RCC members only)

Europe’s General Data Protection Regulation (GDPR) is a privacy regulation that was launched in 2018. If your business has customers or even website visitors from Europe, then you may fall under the GDPR’s scope. The GDPR’s large fines (up to 20M Euro or 4% of a firm’s worldwide annual turnover, whichever is highest), global reach and influence on Canadian federal and provincial privacy reform make it relevant to Canadian retailers. RCC’s GDPR guidebook covers GDPR for Canadian retailers.

View GDPR guidebook

Guiding Principles on Privacy for Retailers in Canada (RCC members only)

Protecting your business and your customers’ personal information against the threats of cyber-breaches and criminal activities is paramount in today’s retail environment. The purpose of this paper is to clarify the guiding principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) (pre-reform) and the practical applications of those principles specifically to loss prevention and fraud (2017).

Download white paper

Privacy Committee (RCC members only)

The Privacy Committee is comprised of retail professionals interested in and responsible for the areas of data governance and privacy. The purpose of the committee is to share best practices and information related to data governance and privacy and to help members stay ahead of the curve on issues that impact the industry.

Inquire about joining and view more RCC committees

Federal requirements on data breach record-keeping and reporting

As of November 1, 2018, retailers must notify the federal Office of the Privacy Commissioner (OPC) if they experience a data breach that creates a “real risk of significant harm” (RROSH) to the individuals whose personal information is affected. Retailers must also record how they assess whether or not a data breach is serious enough to meet the RROSH standard and require notification.

Find out more

How American retailers use consumer data

Nearly two thirds of U.S. consumers say retailers, not the government or tech vendors, are responsible for data privacy, according to a 2019 Deloitte report. Most U.S. consumers think that retailers use their personal data for targeted marketing. In fact, the top three consumer data uses by U.S. retailers are to:

  • Increase operational efficiencies
  • Improve product selection
  • Enhance in-store services or experiences.

Consumer journey steps in a data-driven, American retail store may now include mobile phone location data gathering, with AI assistants generating product recommendations and push notifications to personal devices while customers walk around brick-and-mortar stores.

View report

De-identifying personal data in big datasets

Many companies including retailers analyze large volumes of data routinely (“big data”). De-identifying personal information in large datasets is often mentioned as a way to protect privacy. Also called anonymization, effective de-identification means rendering it impossible to identify an individual from the information a dataset contains about them.

However, in practice, rapidly evolving data analytics technologies make it challenging to have confidence that de-identifying any dataset can be permanently effective.

Canadian non-profit CANON is an international resource that covers the challenges posed by anonymization and lists domestic and international anonymization guidance.

View CANON resources

Big data in retail

How do AI and machine learning challenge traditional Canadian privacy frameworks?

Effective data governance reform is challenging in part because some of the technologies underlying the “data-driven” world handle personal information in paradigm-shifting new ways. In the case of AI and machine learning, this paradigm shift presents itself essentially for two reasons: (1) these programs can analyze much larger and more complex datasets, including unstructured data (e.g. audio, image, video and text; unstructured data comprises 80% of enterprise data), and (2) machine learning programs can teach themselves new insights and make decisions based on what they learn.

The ways these technologies can process an individual’s personal data challenge long-held privacy principles like transparency and purpose-based consent. They raise new possibilities and challenges for how data privacy frameworks can still implement those principles in ethical and economically viable ways.

As a result, legal and regulatory reform pertaining specifically to these technologies has been and continues to be under discussion in Canada and internationally. AI’s predictive capacities make it useful to retailers in many ways, e.g. to better manage inventory and supply chains.

View more info on AI and privacy

View ISED PIPEDA White Paper containing discussion of AI and machine learning reform

View info on AI and inventory

Contact Kate Skipton, Senior Policy Analyst, at kskipton@retailcouncil.org for more information.
