Canada

What qualifies as 'personal information' under Canadian privacy law?

Identifiable
Core requirement
PIPEDA s. 4
Governing provision
2014 SCC 43
Spencer ruling
2024 SCC 6
Bykovets ruling
The Short Answer

Personal information under Canadian privacy law includes any information about an identifiable individual, such as name, address, IP address, or online identifiers — especially when it can be linked to a person.

What the Law Says

The definition of 'personal information' is foundational to Canada’s federal private-sector privacy law. While the quoted provision does not itself define the term, it establishes PIPEDA’s application to commercial handling of such information — and the Act’s definition (found in s. 2(1)) is consistently applied by courts and regulators.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), 'personal information' means 'information about an identifiable individual'. This includes obvious identifiers like name, age, ID numbers, and contact details — but also extends to less obvious data when it can be used, alone or with other information, to identify a person.

PIPEDA applies broadly to private-sector organizations across Canada that collect, use, or disclose personal information in the course of 'commercial activities'. This includes for-profit businesses, non-profits engaged in commercial conduct, and associations offering services for a fee.

Importantly, the law treats context as critical: even data that isn’t inherently identifying — like an IP address — may qualify as personal information if it can reasonably be linked to an identifiable individual.

Statutory Text

PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activities.

Personal Information Protection and Electronic Documents Act s. 4: Application — S.C. 2000, c. 5

What Courts Have Said

The Supreme Court of Canada has repeatedly clarified that personal information under Canadian law must be understood in light of reasonable expectations of privacy — especially in digital contexts.

R. v. Spencer (2014)
Supreme Court of Canada · 2014

The Court held that internet subscriber information linked to an IP address is personal information attracting a reasonable expectation of privacy under s. 8 of the Charter — and police require judicial authorization to obtain it from an ISP.

R. v. Bykovets (2024)
Supreme Court of Canada · 2024

The Court confirmed that an IP address, when combined with other data, can constitute personal information under PIPEDA and trigger constitutional privacy protections — reinforcing that identification need not be immediate, only reasonably possible.

What to Do

1

Review all data your organization collects — ask: 'Can this identify or be linked to a specific person?'

2

Treat IP addresses, device IDs, cookies, and browsing history as personal information if linkage to an individual is reasonably possible.

3

Obtain meaningful consent before collecting, using, or disclosing such information — unless a legal exception applies.

4

Implement safeguards (e.g., encryption, access controls) appropriate to the sensitivity of the personal information.

5

Document how and why you determine certain data qualifies — or doesn’t qualify — as personal information.

Sources

statutePersonal Information Protection and Electronic Documents Act s. 4: Application — S.C. 2000, c. 5caseR. v. Spencer, 2014 SCC 43caseR. v. Bykovets, 2024 SCC 6caseR. v. Spencer (2014) (2014)caseR. v. Bykovets (2024) (2024)

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.