PIPA Compliance for Alberta Websites: What You Actually Need to Do
A Calgary dentist collects patient intake forms through her website. A Red Deer landscaping company has a contact form that asks for addresses. A Lethbridge accounting firm lets clients upload tax documents through a portal. Every one of these businesses is handling personal information online—and every one of them falls under Alberta's Personal Information Protection Act.
PIPA has been law since 2004. Yet most Alberta business owners we talk to have never heard of it, or assume it only applies to big corporations. It doesn't. If you run a private-sector business in Alberta and you collect any personal information—names, emails, phone numbers, addresses—PIPA applies to you.
This isn't a legal treatise. We're not lawyers, and this doesn't replace legal advice. But we've built dozens of websites for Alberta businesses, and we've seen the same gaps over and over. Here's what you actually need to know and do.
What PIPA Covers (and Why Your Website Matters)
PIPA—the Personal Information Protection Act (SA 2003, c P-6.5)—governs how private-sector organisations in Alberta collect, use, and disclose personal information. It's enforced by the Office of the Information and Privacy Commissioner of Alberta (OIPC).
"Personal information" under PIPA means information about an identifiable individual. That includes the obvious—names, email addresses, phone numbers—but also things like IP addresses, device identifiers, location data, and browsing behaviour collected through cookies or analytics tools.
If your website does any of the following, PIPA applies:
- Has a contact form
- Collects email addresses for a newsletter
- Runs Google Analytics or any tracking tool
- Uses cookies that identify visitors
- Stores customer data in a database
- Lets users create accounts or upload files
The penalties aren't theoretical. Organisations can face fines up to $100,000 per offence, and individuals up to $10,000. The OIPC can investigate complaints, conduct audits, and issue binding orders. In a joint investigation, they ordered Clearview AI to stop collecting facial recognition data from Canadians—including Albertans—without consent. That's the kind of enforcement power we're talking about.
If your website collects personal information from Albertans, PIPA compliance isn't optional. It's the law—and it's been the law for over 20 years.
The Five Things Every Alberta Website Needs
PIPA is built around a few core principles: accountability, consent, limited collection, security, and access. Here's how each one translates into practical website requirements.
1. Designate a Privacy Officer
This surprises most small business owners. PIPA requires every organisation to designate at least one person responsible for ensuring the business complies with the Act. For a small business, that's usually the owner. For a larger company, it might be an operations manager or compliance officer.
Your privacy officer's name (or at minimum, their title and contact information) should be accessible to anyone who asks. The simplest approach: include it in your privacy policy.
2. Write a Real Privacy Policy
Not a copy-pasted template from a random generator. Not a paragraph you borrowed from a competitor's site in 2016. A privacy policy that actually reflects what your website does.
Under PIPA, your privacy policy must explain:
- What personal information you collect — Be specific. "We collect your name, email address, and phone number through our contact form" is good. "We may collect information" is not.
- Why you collect it — PIPA requires that collection be limited to purposes that a reasonable person would consider appropriate. "To respond to your enquiry" is a valid purpose. "For marketing" needs more detail.
- How you use and disclose it — Do you share data with a CRM? An email marketing platform? A payment processor? Say so.
- How you protect it — PIPA requires "reasonable security measures." Describe what you do (encryption, secure hosting, access controls).
- How people can access or correct their information — Individuals have the right to request access to their personal information and ask for corrections.
- Who your privacy officer is — Name, title, or contact method.
If your website uses cookies for analytics or advertising, your policy needs to address that directly. We wrote about the practical side of analytics setup in our GA4 guide for small businesses—including how consent gating works.
3. Get Consent Right
PIPA recognises three types of consent, and understanding the differences matters for how you build your website.
Express consent means the person actively agrees—checking a box, clicking "I agree," signing a form. You need express consent for anything sensitive or anything outside what a person would reasonably expect.
Implied (deemed) consent applies when someone voluntarily provides information for an obvious purpose. When a visitor fills out your contact form and hits submit, they've implied consent for you to use that information to respond. You don't need a separate checkbox for that.
Opt-out consent means you've clearly told someone what you plan to do, given them a reasonable chance to say no, and they haven't objected. Newsletter sign-ups with a clear unsubscribe option can work this way—but only if the initial collection was transparent.
Here's where websites get tripped up: cookies and tracking. If your site drops analytics cookies, advertising pixels, or any tracking technology that collects personal information (and yes, IP addresses count), you need consent before those cookies are set. Not after. Not buried in a privacy policy nobody reads. A visible cookie consent banner with the ability to decline non-essential cookies.
This connects directly to how you protect your website technically. SSL encryption isn't just a security best practice—it's part of demonstrating the "reasonable security measures" PIPA demands.
4. Implement Reasonable Security
PIPA doesn't prescribe specific technical standards, but it requires organisations to take "reasonable steps" to protect personal information against unauthorised access, collection, use, disclosure, copying, modification, or disposal.
What counts as "reasonable" depends on the sensitivity of the information and the size of your organisation. But for any business website, the baseline includes:
- SSL/TLS encryption on every page (not just checkout)
- Security headers configured properly (Content-Security-Policy, X-Frame-Options, and others)
- Software kept up to date—CMS, plugins, server software, PHP versions
- Strong passwords and access controls on your admin panel
- Backups stored securely in case of data loss
- Form data transmitted over HTTPS, never plain HTTP
If you store personal information in a database—customer accounts, form submissions, uploaded documents—you need access controls, encryption at rest, and a plan for secure disposal when the data is no longer needed.
The OIPC's own breach reports confirm that compromised electronic systems are the most common cause of privacy breaches in Alberta. A well-configured website isn't just good practice. It's your first line of defence under PIPA.
5. Have a Breach Response Plan
Since PIPA's breach notification provisions took effect, organisations must report breaches to the OIPC "without unreasonable delay" when there's a "real risk of significant harm" (RROSH) to an individual.
The OIPC updated its breach notification process in April 2024, prioritising cases where RROSH exists. Here's what you need to assess:
Is there a real risk? Consider the sensitivity of the information involved, the probability it's been or will be misused, and whether protective measures (like encryption) were in place.
Could the harm be significant? "Significant harm" under PIPA is broad: identity theft, financial loss, humiliation, damage to reputation, loss of employment or business opportunities, even physical harm.
If both conditions are met, you must:
- Notify the OIPC using their Privacy Breach Notification Form
- Notify affected individuals directly (what happened, what information was involved, what you're doing about it, who to contact)
- Document everything—what happened, when you found out, what steps you took
A five-person company with a contact form that gets hacked needs to follow the same process as a 500-person corporation. The standard is proportional, but the obligation is universal.
What Most Alberta Businesses Get Wrong
We see the same mistakes repeatedly. Some are easy fixes. Others require rethinking how your website handles data.
No privacy policy at all. This is more common than you'd think. If you collect any personal information, you need one. Period.
A privacy policy that doesn't match reality. Your policy says "we don't share your data with third parties" but you use Google Analytics, Mailchimp, and a CRM. Those are all third parties receiving personal information.
No cookie consent mechanism. If your site uses tracking cookies—and almost every site with analytics does—you need a way for visitors to consent before those cookies are set. Not a banner that says "we use cookies" with only an "OK" button. An actual choice.
Collecting more than you need. PIPA's collection limitation principle means you should only collect what's necessary for the stated purpose. Your contact form doesn't need a date of birth. Your newsletter signup doesn't need a phone number.
No designated privacy officer. Even if it's just you, the owner, document it and make it known.
Ignoring employee data. PIPA also covers employee personal information. If you use your website for job applications, those submissions contain personal information subject to the same rules.
Accessibility matters here too. If your privacy policy or consent mechanism isn't accessible to people with disabilities, you're creating a barrier to exercising privacy rights. We explored the business case for accessibility in Alberta in detail—privacy and accessibility overlap more than most businesses realise.
PIPA Compliance Checklist for Alberta Websites
- Designate a privacy officer and make their contact information available
- Write a specific privacy policy that describes what you collect, why, how you use it, who you share it with, and how you protect it
- Implement cookie consent with the ability to decline non-essential cookies before they're set
- Get the right type of consent for each type of data collection (express for sensitive, implied for obvious purposes)
- Use SSL/TLS encryption on your entire website
- Configure security headers and keep all software updated
- Limit collection to only what you need for stated purposes
- Create a breach response plan with clear steps for OIPC notification
- Provide access and correction rights—have a process for when someone asks to see or fix their data
- Review annually—privacy policies should reflect what your website actually does right now, not what it did two years ago
PIPA vs. PIPEDA: Which One Applies to You?
This confuses a lot of Alberta business owners. PIPEDA is the federal Personal Information Protection and Electronic Documents Act. PIPA is provincial. They cover similar ground but aren't identical.
The short version: if your business operates in Alberta and is provincially regulated, PIPA applies. If you operate across provincial or national borders—selling to customers in Ontario, for instance—PIPEDA may also apply to those interprovincial transactions.
For most Alberta businesses with a website that primarily serves Alberta customers, PIPA is your primary concern. But if you ship products nationally, run an e-commerce store with customers across Canada, or transfer data across provincial borders, you should understand both.
When in doubt, consult a privacy lawyer. The OIPC also publishes free guidance documents specifically for small and medium-sized businesses on their website at oipc.ab.ca.
The Takeaway
PIPA compliance for your website isn't a massive undertaking. It's a finite set of practical steps: write an honest privacy policy, get consent before tracking people, secure your systems, designate someone responsible, and know what to do if something goes wrong.
The businesses that run into trouble aren't usually acting maliciously. They simply never thought about it. They built a website, added a contact form, installed Google Analytics, and moved on. The gap between that and basic compliance is small—but the gap between non-compliance and an OIPC investigation is smaller than you think.
Start with the checklist above. If you're unsure about anything, the OIPC's resources for businesses are genuinely helpful and written in plain language. And if your website needs technical updates to get compliant—cookie consent, security hardening, a proper privacy policy page—that's exactly the kind of work we do.
Need help getting your Alberta website PIPA-compliant?
We build and maintain websites for Alberta businesses with privacy, security, and accessibility built in from the start. If you need a cookie consent system, a security audit, or help understanding what your website actually collects, we'd like to hear from you.