Know Your Rights
Eight Essential Privacy Protections for Canadians
Understand the privacy rights that safeguard your personal information under federal, provincial, and Charter law. All information is provided for educational purposes.
Right to Access Your Personal Information
Access & Control
You can request a copy of the personal information any organization or government institution holds about you.
Under PIPEDA, the Privacy Act, and every provincial privacy law in Canada, you have the right to obtain a copy of the personal information an organization has collected about you, learn how it has been used, and see to whom it has been disclosed. Private sector organizations must respond within 30 days. Federal institutions respond under the Access to Information and Privacy (ATIP) process. Provincial ministries and agencies respond under FIPPA (Ontario), FOIP (Alberta and Saskatchewan), or equivalent legislation.
Legal Statute
PIPEDA Sch. 1 Principle 4.9, Privacy Act s.12, FIPPA s.47, PIPA BC s.23
Right to Correct Inaccurate Information
Access & Control
If personal information held about you is wrong, outdated, or incomplete, you can demand that it be corrected.
Accuracy is a core principle of Canadian privacy law. You have the right to request correction of inaccurate personal information, and the organization must either update the record or attach a statement of disagreement. This right applies to credit reporting agencies, health records under PHIPA, tax records under the Privacy Act, and any commercial database covered by PIPEDA. If the organization refuses to correct obvious errors, you can escalate to the appropriate Privacy Commissioner.
Legal Statute
PIPEDA Sch. 1 Principle 4.9.5, Privacy Act s.12(2), PHIPA s.55, FIPPA s.50
Right to Withdraw Consent
Consent & Collection
You can withdraw consent to an organization's collection, use, or disclosure of your personal information at any time.
Canadian privacy law is built on consent. You can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Once you withdraw consent, the organization must stop collecting and using your information for the purposes you withdrew. Under the proposed CPPA (Bill C-27) you also get an explicit right to request deletion. Quebec Law 25 already provides this right, and Quebec residents can require organizations to destroy personal information when the original purpose has been fulfilled.
Legal Statute
PIPEDA Sch. 1 Principle 4.3.8, Quebec Law 25 s.27 and s.28.1, CPPA s.55
Right to Meaningful Consent Before Collection
Consent & Collection
Organizations must obtain meaningful consent before collecting, using, or disclosing your personal information.
Before an organization can collect your personal information, it must identify the purposes for collection, obtain your knowledgeable consent, and limit collection to what is reasonably necessary. Consent cannot be bundled, hidden in terms of service, or obtained through manipulative design. Sensitive information (health, financial, biometric, children's data) generally requires express consent. The OPC has issued specific guidelines on meaningful consent that organizations must follow.
Legal Statute
PIPEDA Sch. 1 Principles 4.2 and 4.3, Quebec Law 25 s.12, OPC Guidelines for Meaningful Consent
Right to Know About Data Breaches
Protection & Remedies
Organizations must notify you when a breach creates a real risk of significant harm to you.
Since November 2018, PIPEDA requires private sector organizations to report any breach of security safeguards involving personal information that creates a real risk of significant harm (RROSH) to the Privacy Commissioner, to notify affected individuals, and to maintain records of all breaches for 24 months. Similar mandatory breach reporting exists under Alberta PIPA, Quebec Law 25, PHIPA (Ontario health), and the Privacy Act for federal institutions. If you received a breach notification, you are entitled to specifics about what was exposed and what containment measures are in place.
Legal Statute
PIPEDA s.10.1, Alberta PIPA s.34.1, Quebec Law 25 s.3.5, PHIPA s.12.3
Right to Complain to the Privacy Commissioner
Protection & Remedies
If an organization mishandles your data, you can file a free complaint with the appropriate Privacy Commissioner.
Every Canadian has the right to complain to a Privacy Commissioner without cost. The federal OPC handles PIPEDA and Privacy Act complaints. Provincial commissioners (OIPC BC, OIPC Alberta, IPC Ontario, CAI Quebec, and others) handle provincial public and private sector complaints. Commissioners investigate, mediate, and in some provinces issue binding orders. After a federal OPC report you may apply to the Federal Court for damages under PIPEDA s.14 or the Privacy Act s.41.
Legal Statute
PIPEDA s.11 and s.14, Privacy Act s.29 and s.41, FIPPA s.57, PIPA AB s.47
Right to Privacy in Your Health Records
Protection & Remedies
Your personal health information is protected by dedicated health privacy statutes in every Canadian province.
Health records carry enhanced privacy protection. In Ontario, PHIPA governs every hospital, clinic, physician, pharmacy, and long-term care home. Other provinces have parallel legislation: HIA (Alberta), HIPA (Saskatchewan), PHIA (Manitoba, Newfoundland, Nova Scotia), and PHIPAA (New Brunswick). You have the right to access your chart, correct errors, lock specific information within your circle of care, and be notified when snooping or unauthorized access occurs. Staff who access records without a business reason can be individually reported to the Commissioner and may face prosecution.
Legal Statute
PHIPA (ON), HIA (AB), HIPA (SK), PHIA (MB, NL, NS), PHIPAA (NB)
Charter Privacy Protection Against State Surveillance
Protection & Remedies
The Charter protects you from unreasonable state searches and informational privacy violations.
Section 8 of the Charter guarantees the right to be secure against unreasonable search or seizure. The Supreme Court has applied it to police requests for ISP subscriber data (R v. Spencer, 2014), text messages (R v. Marakah, 2017), and workplace recordings (R v. Jarvis, 2019). Section 7 protects informational privacy where disclosure would cause serious psychological harm. These Charter rights limit what police, border officers, tax authorities, and other state agents can do with your digital devices, accounts, and records. Private companies are not directly bound by the Charter, but state demands for their customer data are.
Legal Statute
Charter s.7, Charter s.8
Disclaimer: This information is provided for educational purposes only and does not constitute legal advice. While efforts are made to ensure accuracy, Canadian privacy law is complex, overlaps across federal, provincial, and sector-specific regimes, and changes frequently. For personalized guidance specific to your situation, consult with a qualified privacy lawyer or accredited privacy professional.