Canadian companies handling personal information are subject to a patchwork of federal and provincial privacy laws — PIPEDA (soon CPPA), Alberta PIPA, BC PIPA, and Quebec Law 25, with Ontario's health privacy law and BC HIA adding further complexity for healthcare. Most US-focused compliance firms don't know these frameworks. ThreeShield does. We deliver cross-provincial Canadian privacy compliance programs directly — CISSP/CISA/CCP certified, fixed scope, 45–60 days.
Canada's federal private-sector privacy law governs organizations collecting, using, or disclosing personal information in the course of commercial activity that crosses provincial or national borders. Bill C-27 introduces the Consumer Privacy Protection Act with significantly enhanced requirements including algorithmic transparency and enhanced enforcement. ThreeShield keeps your program current with the evolving federal regime.
Alberta's Personal Information Protection Act is substantially similar to PIPEDA for intra-provincial activity, but with distinct provisions around the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta). Separate compliance documentation is typically required even for PIPEDA-compliant organizations operating in Alberta.
BC's Personal Information Protection Act governs intra-provincial commercial activity in BC. Organizations operating in both Alberta and BC typically need to address both provincial frameworks — ThreeShield delivers both in one engagement.
Quebec's modernized privacy regime is the most aggressive in Canada. It requires privacy officer designation (disclosed publicly), Privacy Impact Assessments (PIAs) for new projects involving personal information, mandatory breach notification to the Commission d'accès à l'information (CAI), and — for organizations using automated decision-making — specific disclosure and human review rights. If you have any Quebec users or customers, Law 25 applies.
Which laws apply? What personal information do you collect? Where does it go? Regulatory gaps identified.
Privacy program assessment against applicable frameworks. Lavawall® deployed for technical safeguard monitoring.
Privacy policy suite written. Consent framework designed. Breach notification procedures documented. Law 25 specific documents if applicable.
Complete privacy compliance documentation delivered. Lavawall® ongoing monitoring. Annual review cadence established.
If your service has any Quebec users or customers, or processes Quebec residents' personal information, Quebec Law 25 applies regardless of where you're incorporated. For SaaS companies, this typically means all Canadian companies with Quebec subscribers. The Law 25 requirements that are most often missed: privacy officer designation (and the requirement to publish that person's title and contact information), automated decision-making disclosures, and the enhanced breach notification regime to the CAI.
GDPR applies to EU residents' personal data — if you have EU users or customers, it applies regardless of your location. Canadian privacy laws (PIPEDA, provincial) apply to Canadian residents. Many of the underlying principles are similar (purpose limitation, consent, breach notification), but the specific requirements, thresholds, and regulators differ significantly. ThreeShield can deliver GDPR compliance in parallel if needed — see our GDPR page. Combined Canadian + GDPR engagements are more efficient than running them separately.
It may be, depending on what tools and what data. Cross-border transfer of personal information is regulated under PIPEDA and provincial laws — you generally need to ensure equivalent protection when data crosses borders, and in some cases (healthcare, government) there are specific residency requirements. ThreeShield's cross-border data flow review maps where your customer data goes and identifies any restrictions or documentation requirements for each flow.
ThreeShield's CISSP/CISA/CCP team delivers PIPEDA, Alberta PIPA, BC PIPA, and Quebec Law 25 compliance assessments and programs directly. These are direct-delivery Canadian privacy frameworks — no CPA firm or external certification body required. This is ThreeShield's strongest differentiated area for organizations with Canadian customers.
Fixed scope, 45–60 days. PIPEDA + all applicable provincial frameworks in one engagement.
Fixed scope. No hourly billing. No minimums. B-Corp standards.