Practical AI and SaaS for Business

Which Canadian Privacy Law Applies to AI

Canada doesn't have one privacy law, it has a federal baseline plus several provincial regimes, and which one governs your AI tool depends on where your customers or employees actually are, not just where your business operates. This guide is a practical map.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You run operations at a 30-person Canadian retailer with customers across Ontario, Quebec, Alberta, and BC. The problem is you've been treating PIPEDA as the one law that covers your AI tool everywhere in Canada, and that's not quite right. This guide maps which Canadian privacy law actually applies based on where your customers are, so you can check your real exposure province by province. No legal background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

Canada's privacy law picture isn't one national standard, it's a federal baseline plus several genuinely different provincial regimes, and the one that applies to a specific customer or employee depends on where they are, not where your business is headquartered. A business operating nationally can be juggling two or three different sets of obligations for the same AI tool, depending on its customer base.

In short: PIPEDA is the federal baseline, applying to any business handling personal information in commercial activity, everywhere in Canada except where a substantially similar provincial law applies instead. Quebec's Law 25 is the most developed provincial regime, with explicit AI automated-decision rights. Alberta and British Columbia have their own long-standing private-sector privacy statutes. Check based on where the affected individual is, not where your business operates.

The plain-English answer

For most of Canada, PIPEDA is the applicable federal law and there's no separate provincial private-sector statute layered on top. Quebec, Alberta, and British Columbia are the exceptions, each has its own provincial private-sector privacy law recognised as "substantially similar" to PIPEDA, which generally means the provincial law applies instead of PIPEDA for organisations and activities it covers. The practical question for an AI tool isn't "does PIPEDA apply," it's "which specific law applies to this specific customer or employee, based on where they are."

Why this matters for your business

A 30-person Canadian retailer with customers in multiple provinces is exactly the business most likely to default to a single mental model, "we follow PIPEDA," without realising that Quebec customers specifically trigger a meaningfully stricter set of automated-decision rights under Law 25 that PIPEDA doesn't provide on its own. Treating PIPEDA as a complete answer for the whole country misses the province where the AI-specific rules are actually strongest and most likely to matter.

The province-by-province picture

PIPEDA (federal, applies by default): Covers personal information handled in commercial activity across Canada, except where a substantially similar provincial law takes over. For most provinces, this is the operative law. See our guide on what PIPEDA requires for AI specifically.

Quebec (Law 25): The most developed provincial regime, with explicit statutory rights around AI automated decision-making, notification, explanation, and human review, plus a Privacy Impact Assessment requirement, all already in force. Applies based on where the affected individual is, not your business location. See our guide on Quebec's Law 25 and AI.

Alberta (Personal Information Protection Act): A long-standing provincial private-sector privacy statute, broadly similar in structure to PIPEDA, administered by Alberta's own Information and Privacy Commissioner. It doesn't currently have Quebec-style AI-specific automated-decision provisions, though its general fairness and accountability principles still apply to AI use.

British Columbia (Personal Information Protection Act): BC's own equivalent, similarly structured to Alberta's, administered by BC's Information and Privacy Commissioner. Like Alberta, no AI-specific statutory provisions currently exist, but general principles apply.

What this looks like in practice

Picture the operations director at the retailer, having built the company's AI compliance approach entirely around PIPEDA, on the assumption it's the single applicable standard nationwide. Mapping the actual customer base against this provincial picture reveals a real gap: a meaningful share of customers are Quebec residents, and the AI-assisted pricing and recommendation tool has never been checked against Law 25's stricter automated-decision requirements specifically.

The fix isn't a wholesale rebuild, it's a segmented approach: PIPEDA's general principles cover the baseline everywhere, and Quebec customers specifically get the additional notification, explanation, and human-review process Law 25 requires on top of that baseline. Alberta and BC customers, for now, sit under PIPEDA's general standard without the extra AI-specific layer, though that's worth rechecking periodically as provincial law evolves, particularly given how much movement Canadian AI-specific regulation has already shown in a short window.

What you can do about it

A practical process for mapping your real Canadian privacy exposure:

  • Identify which provinces your actual customers, employees, or candidates are in, not just where your business is registered.
  • Apply PIPEDA's general principles as your baseline everywhere in Canada.
  • For any Quebec-resident individuals affected by an AI decision, layer Law 25's specific automated-decision requirements on top.
  • For Alberta and BC residents, apply the province's own PIPA alongside PIPEDA's general framework, and watch for either province introducing AI-specific provisions in the future.
  • Revisit this mapping whenever your customer base shifts meaningfully, or when a province updates its privacy law.

For the specific PIA requirement that Quebec's law adds on top of the general picture, see our guide on Privacy Impact Assessments in Canada.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.

Does PIPEDA still apply in Quebec, Alberta, and BC at all?

Generally, the provincial law takes over for activities it covers, since it's recognised as substantially similar to PIPEDA, rather than both applying in full simultaneously. In practice, this means checking the provincial law's specific requirements rather than assuming PIPEDA alone covers those provinces.

Do Alberta and BC have any AI-specific rules at all?

Not currently, unlike Quebec's Law 25, neither province has enacted AI-specific automated-decision provisions as of mid-2026. Their general privacy principles, fairness, accountability, safeguarding, still apply to AI use, just without Quebec's more explicit statutory rights layer.

What if we can't easily tell which province a customer is in?

Use the most reliable signal available, billing address, shipping address, or account registration details, and apply the stricter standard where genuine ambiguity exists rather than defaulting to the lightest applicable rule.

Is this patchwork likely to get simpler or more complicated over time?

Given Quebec's lead on AI-specific provisions and the general direction of Canadian privacy reform discussion, other provinces introducing their own AI-specific rules over time is plausible, which would add complexity before it simplifies. Revisiting this mapping periodically, not just once, is the practical response either way.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Need the specific PIPEDA baseline requirements before layering on provincial rules?

Check the federal baseline