Under the Personal Information Protection Act (PIPA) of British Columbia, organizations must obtain meaningful consent from individuals before collecting, using, or disclosing their personal information. This includes online identifiers collected through cookies. Do you have control over consent management?
The Personal Information Protection Act (PIPA) of British Columbia is a provincial privacy law that governs how private sector organizations collect, use, and disclose personal information. Enacted in 2004, PIPA BC aims to balance individuals’ right to privacy with an organization's need to collect and use personal information for reasonable business purposes.
To ensure compliance, businesses operating websites accessible to BC residents must implement cookie banners that inform users about the use of cookies and allow them to opt-in or opt-out.
To be compliant with PIPA BC you should:
Conduct an audit:
Perform a full audit of data collection and sharing practices and identify personal data collected and its purposes
Update privacy policy:
Review and update privacy and cookie policies with PIPA-specific disclosures.
Implement consent management:
Implement cookie consent banners and opt-out flows to automate consent capture and preference management
Ensure data minimization:
Limit data collection to what is necessary for legitimate business purposes
Ensure consumer rights:
Inform individuals about why and how their personal information is collected and used, and establish mechanisms to respond to consumer rights requests within 45 days
Perform Data Protection Assessments:
Safeguard privacy with regard to targeted advertising, data sales, profiling, or processing sensitive data.
PIPA BC applies to:
Private sector organizations in British Columbia
Businesses outside BC that handle the personal information of BC residents
Non-profits, associations, and societies that collect personal data in connection with commercial activities
Exemptions include employees acting in a personal capacity and data handled solely for journalistic, artistic, or literary purposes.
Residents of British Columbia are granted several key rights under PIPA regarding their personal information, including:
Consumers have the right to be told why their personal information is being collected, used, or disclosed at or before the time of collection.
Organizations must obtain meaningful consent (explicit or implied, depending on the situation) before collecting, using, or disclosing personal information.
Consumers can request access to their personal information held by an organization, including details on how it is being used and to whom it has been disclosed.
Individuals have the right to request corrections to their personal information if it is inaccurate or incomplete.
Consumers may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice.
Individuals can file a complaint with the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) if they believe their rights under PIPA have been violated.
Consumers have the right to expect that their personal information will be protected by appropriate security measures to prevent unauthorized access, collection, use, disclosure, or destruction.
Organizations may only collect, use, or disclose personal information for reasonable purposes that a reasonable person would consider appropriate in the circumstances.
Consumers have the right to know how long their personal information will be retained and when it will be securely destroyed or anonymized.
Cookies that collect identifiable or behavioral information—such as IP addresses, browsing habits, or login details—fall under PIPA’s definition of personal information. Businesses must:
Disclose the use of such cookies in a privacy or cookie policy
Obtain explicit or implied consent before activating non-essential cookies
Allow users to opt out or manage cookie preferences
Non-compliance with PIPA can result in:
Investigations and audits by the Office of the Information and Privacy Commissioner (OIPC) for BC
Mandatory orders to change data handling practices
Public reporting of non-compliance
Legal consequences including fines up to CAD 100,000 for individuals and CAD 500,000 for organizations under related provincial laws
To check your compliance with the PIPA British Columbia, businesses should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
A consent management platform like CookieHub can automate cookie consent collection, provide users with control over their data, maintain detailed consent logs, and ensure your business complies with PIPA BC transparency and accountability requirements.
PIPA governs the collection, use, and disclosure of personal information by private sector organizations in BC during commercial activities.
Personal data includes any information about an identifiable individual, such as names, email addresses, IP addresses, or other data that can be linked to a person.
While PIPA does not formally define “sensitive data,” it places higher expectations for protecting data like health information, financial details, and biometric identifiers due to their potential impact on privacy.
The Office of the Information and Privacy Commissioner (OIPC) for British Columbia enforces PIPA and handles complaints and investigations.
PIPA does not apply to public bodies (covered by the Freedom of Information and Protection of Privacy Act), or individuals collecting data for personal or journalistic purposes.
Visit the OIPC BC official website for full details, guidance documents, and compliance resources.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
