PIPEDA and nonprofits: what the law actually says
Most Canadian nonprofits are technically exempt from PIPEDA for most of their activities. That's true. It's also beside the point, because you're still handling personal information that people are trusting you with, and you need a framework for doing that responsibly.
Probably not, but keep reading
PIPEDA (the Personal Information Protection and Electronic Documents Act) governs how private-sector organizations handle personal information in the course of commercial activities. For most nonprofits, most of the time, those commercial activities simply aren't present.
Collecting membership fees, managing volunteers, running programs, sending newsletters, accepting donations: these are generally not commercial activities under PIPEDA, and most nonprofits are not subject to the law for them.
The exception that catches organizations off guard: selling, bartering, or leasing donor or membership lists to third parties is explicitly defined as a commercial activity. If your organization shares lists with other charities in exchange for reciprocal lists (a common fundraising practice), PIPEDA applies to that activity, and you need explicit opt-in consent.
If your organization operates in British Columbia, the provincial law, BC PIPA, applies to all of your activities, with no exemption for nonprofits. Not commercial activities. All activities.
BC PIPA's requirements are substantively similar to PIPEDA's 10 fair information principles. If your organization operates in BC, you are subject to them.
Quebec has its own privacy law, Law 25, which is significantly stricter than PIPEDA and applies to all organizations operating in the province, including nonprofits. If you serve Quebec or have staff or clients there, get legal advice specific to Law 25. It's outside the scope of this guide.
The exemption from PIPEDA doesn't mean you have no obligations. Donors, clients, and volunteers trust your organization with their personal information. Funders increasingly ask about data governance. And if something goes wrong (a breach, a complaint, a staff departure that takes a database with it), the absence of documented practices makes everything harder.
You need a framework. PIPEDA's principles are a sensible, well-established one, and they're free to adopt.
Six principles that matter most for nonprofits
PIPEDA has 10 fair information principles. These six are where nonprofits most commonly fall short, and where doing the work makes the biggest difference.
Consent
People must agree, clearly and in plain language, to how you collect and use their information. Adding someone to your newsletter because they attended an event is not consent.
Limiting collection
Collect only what you actually need. If you don't have a specific reason to ask for someone's phone number or birthdate, don't ask.
Limiting retention
You can only keep personal information as long as it serves the purpose it was collected for. You need a schedule, and you need to follow it.
Safeguards
Protect information with measures appropriate to its sensitivity. A donor spreadsheet shared via a personal Gmail account is not a safeguard.
Accountability
Someone at your organization needs to own privacy. That means a named person responsible for your policies, your practices, and what happens when something goes wrong.
Openness
Your data practices should be documented and accessible. A privacy policy that exists only as a PDF buried on your server doesn't count.
The gaps we see most often
Donor list practices
Selling, bartering, or leasing donor or membership lists to other organizations is specifically named in PIPEDA as a commercial activity, which means it triggers the law even for otherwise-exempt nonprofits. If you participate in list-sharing arrangements with other charities, you are subject to PIPEDA for that activity, and you need explicit opt-in consent.
Email consent
Collecting business cards at a gala, scanning badges at a conference, or getting emails from a past donation does not constitute consent to receive newsletters. Explicit opt-in is the standard. If you can't point to the moment someone agreed, you don't have consent.
Vendor contracts
When you share data with a third party (your CRM, email platform, payment processor, or grant consultant) you are responsible for what they do with it. Verbal agreements don't count. Written contracts that specify how data is protected and prohibited from being used for other purposes are the minimum.
No privacy policy
Many nonprofits handle substantial amounts of personal data without any documented policy explaining what they collect, why, or how people can access or correct it. This isn't just a legal gap; it's a trust gap. Donors and clients increasingly expect to see it.
No breach response plan
A data breach (a hacked email account, a lost laptop, a database exposed by a misconfigured cloud service) is not a hypothetical for nonprofits. It's a matter of when. Without a documented response plan, organizations improvise under pressure, and that usually doesn't go well.
Breach notification: the threshold that matters
Under PIPEDA, you are required to notify affected individuals (and the Office of the Privacy Commissioner) of any breach that poses a real risk of significant harm (RROSH). That's the legal threshold.
"Significant harm" includes financial loss, identity theft, damage to reputation, loss of employment, humiliation, and physical harm. The assessment depends on the sensitivity of the data involved and the likelihood it will be misused.
A breach of first names and postal codes may not meet that threshold. A breach of donor names, addresses, and payment information almost certainly does. The OPC provides a free online tool (the RROSH Assessment Tool) to help you work through the analysis.
Whether or not PIPEDA legally applies to your organization, the practical advice is the same: assess the risk, notify if there's any real doubt, and document everything. The cost of notifying is almost always lower than the cost of not notifying.
1. Contain the breach: stop it from getting worse before anything else.
2. Assess the risk: what data was affected, how sensitive is it, and is there a real risk of harm to individuals?
3. Notify affected individuals as soon as feasible if there is a real risk of significant harm.
4. Report to the Office of the Privacy Commissioner as soon as feasible.
5. Document everything: what happened, when you found out, what you did, and why.
6. Review and fix: figure out how the breach happened and close the gap.
Most nonprofits that handle a breach poorly don't fail because of bad intentions. They fail because they never wrote down what to do, and when it happened they were making it up under pressure.
A one-page breach response plan (who calls whom, what gets assessed, who notifies affected people) takes an afternoon to write and can save your organization's reputation.
Eight things you can do right now
You don't need a lawyer to start. Most of this is documentation and internal process, work that any organization can begin immediately.
1. Appoint a privacy lead: a named person responsible for your data practices.
2. Map what personal information you hold, where it lives, and who can access it.
3. Write a plain-language privacy policy and publish it on your website.
4. Review your donor and volunteer intake forms: do they clearly explain what you're collecting and why?
5. Establish retention periods for each data category and a process for deletion.
6. Audit your vendor relationships: do written contracts cover data protection?
7. Build a one-page breach response plan before you need it.
8. Train staff annually: not a lecture, just a practical conversation about what you handle and why it matters.
The infrastructure side of privacy compliance
Good data practices aren't just about policies; they depend on where your data lives and what tools handle it. That's where we come in.
Tools that stay in Canada
We build digital foundations around Canadian-owned and Canadian-hosted tools, which simplifies your compliance story considerably. When your data doesn't leave the country, a whole category of privacy risk disappears.
Email handling that meets Canadian data standards
Our Standard tier processes email on Canadian-owned infrastructure; no content passes through US-based services. For organizations handling sensitive client information in public-facing inboxes, that matters.
For data compliance guidance specific to IRCC-funded programs, see our IRCC data compliance guide.
Not sure where your organization stands?
We're happy to take a look at what you have and tell you honestly what we'd focus on first. No jargon, no sales pitch, just a practical conversation about your actual situation.