What counts as personal information PIPEDA
In this guide & where to go next
Part of the Quebec Law 25 & PIPEDA Compliance series. Related: Pipeda Consent RequirementsPipeda Breach Reporting Requirements
Want it handled? IT Cares — hands-on managed IT across Canada.
Under PIPEDA, personal information is any factual or subjective information, recorded or not, about an identifiable individual. This includes obvious data like name, address, and ID numbers, but also age, income, opinions, employee files, and online identifiers when they can be linked to a person. If information can identify someone on its own or when combined with other data, PIPEDA treats it as personal information and your obligations apply.
The broad definition of personal information
PIPEDA defines personal information very broadly as information about an identifiable individual. The key test is identifiability: if there is a serious possibility that an individual could be identified from the information, alone or in combination with other available data, it is personal information.
Importantly, the definition covers both factual and subjective information, and it does not have to be recorded. Examples include:
- Name, home address, email address, and phone number.
- Age, date of birth, marital status, and identification numbers.
- Income, financial records, and credit information.
- Opinions, evaluations, and comments about a person.
- Employee records, including disciplinary and performance information.
Because the test is identifiability rather than a fixed list, businesses should treat any data that points to a specific person as personal information.
Digital and online identifiers
Modern data handling raises questions about online identifiers, and PIPEDA generally captures them when they can be linked to an individual. Depending on context, this can include IP addresses, device identifiers, cookies, and location data, particularly when combined with other information that narrows down who a person is.
For businesses operating websites or apps, this means analytics data, advertising identifiers, and account information can all qualify as personal information. The safe approach is to assume that any identifier capable of singling out or tracking a particular user attracts privacy obligations. This is why consent, transparency, and safeguards extend to the data your digital systems collect automatically, not just the information customers type into a form.
What is generally not personal information
Some information falls outside PIPEDA's scope. Truly anonymized or aggregated data, from which no individual can reasonably be re-identified, is generally not personal information. For example, a statistic stating that 60% of customers chose a particular product, with no way to link it to anyone, is not personal information.
Certain business-contact information used solely to communicate with a person in their professional capacity, such as a name, title, and work email used for business purposes, also receives different treatment under the Act. However, the line can be subtle. Data that seems anonymous may become identifiable when combined with other datasets, a process known as re-identification. Because of this, organizations should be cautious about assuming information is exempt and should verify that re-identification is genuinely not feasible before treating data as outside the law.
Why classification matters for compliance
Correctly identifying what counts as personal information is the foundation of every other PIPEDA obligation. You cannot obtain proper consent, limit collection, apply appropriate safeguards, or report a breach accurately if you do not know which of your data is personal information and how sensitive it is.
This is why a data inventory is the practical starting point for compliance: cataloguing what you collect, where it lives, and how sensitive it is lets you apply the right protections to the right data. Sensitive information, such as health, financial, or biometric data, warrants stronger safeguards and more careful consent. A managed IT and cybersecurity partner can help map where personal information resides across your systems and apply controls matched to its sensitivity, ensuring that highly identifiable or sensitive data receives the protection PIPEDA expects.
FAQ
Is an email address personal information under PIPEDA?
Usually yes. A personal email address that identifies an individual is personal information. A generic business email used solely for professional contact may receive different treatment, but any email that can be linked to a specific person, including most personal addresses, falls within PIPEDA's scope and attracts privacy obligations.
Are IP addresses considered personal information?
Often, yes. PIPEDA can treat IP addresses and other online identifiers as personal information when they can be linked to an identifiable individual, alone or combined with other data. The safest approach for businesses is to treat identifiers that can single out or track a user as personal information.
Is anonymized data covered by PIPEDA?
Genuinely anonymized data, from which no individual can reasonably be re-identified, generally falls outside PIPEDA. However, data that can be re-identified by combining it with other information is still personal information. Organizations should verify that re-identification is truly not feasible before treating data as anonymous and exempt.