PIPEDA Compliance
Configure your forms for Canada's Personal Information Protection and Electronic Documents Act.
What is PIPEDA?
PIPEDA is Canada's federal private-sector privacy law, in effect since 2001. It applies to organizations that collect, use, or disclose personal information in the course of commercial activity in Canada. If your web form collects personal data from Canadian residents as part of a commercial activity, PIPEDA applies.
Some Canadian provinces (Alberta, British Columbia, Quebec) have their own privacy laws that are deemed "substantially similar" to PIPEDA. Quebec's Law 25 (in effect since 2023) is particularly notable for its stricter consent requirements. The FormBlade PIPEDA preset provides a solid baseline that generally satisfies all Canadian jurisdictions.
Why consent matters under PIPEDA
PIPEDA is built around ten fair information principles, and the third principle is Consent. It states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information (with limited exceptions).
PIPEDA recognizes different forms of consent:
- Express consent — the individual explicitly agrees (e.g., checking a checkbox). Required for sensitive personal information.
- Implied consent — consent can be reasonably inferred from the individual's actions (e.g., filling out and submitting a form).
For most contact forms, implied consent through the act of submitting could be sufficient. However, the FormBlade PIPEDA preset enables express consent (a checkbox) because:
- The Office of the Privacy Commissioner (OPC) has increasingly favored express consent, especially online.
- Quebec's Law 25 requires express consent for collecting personal information for commercial purposes.
- Express consent is harder to challenge if a complaint is filed.
What the PIPEDA preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | Principle 3 (Consent) requires knowledge and consent. Express consent provides the clearest compliance path. |
| Consent message | "I consent to the collection and use of my personal information as described in the privacy policy." | Principle 3 requires that consent be meaningful. The message references the privacy policy for full details. |
| IP anonymization | Enabled | Principle 4 (Limiting Collection) recommends collecting only information necessary for the stated purpose. Anonymizing IPs reduces the data footprint. |
| Data retention | 730 days | Principle 5 (Limiting Use, Disclosure, and Retention) requires data to be retained only as long as necessary. Two years is a common timeframe for business records. |
| User-agent storage | Enabled | Browser info is not considered sensitive personal information under PIPEDA and is useful for troubleshooting. |
Set up the PIPEDA preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select PIPEDA (Canada) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to Settings → Compliance.
- Toggle Override account defaults.
- Select PIPEDA (Canada).
- Click Save.
Add consent to custom HTML forms
On hosted forms, the consent checkbox is added automatically. For custom HTML forms:
```html
<label>
  <input type="checkbox" name="_fb_consent" value="true" required>
  I consent to the collection and use of my personal information as described in the
  <a href="https://yoursite.ca/privacy">privacy policy</a>.
</label>
```
The field name must be _fb_consent. FormBlade validates this field server-side and rejects submissions without it with a 422 response.
consent_message field.
PIPEDA-specific considerations
Principle 9: Individual access
Individuals have the right to access their personal information and challenge its accuracy. You can export submissions from the dashboard to fulfill access requests. Respond within 30 days of receiving the request.
Principle 5: Retention limits
Personal information must be retained only as long as necessary to fulfill the purpose for which it was collected. FormBlade's automatic data retention purge handles this. The 730-day default is a starting point — adjust it based on your specific business needs.
Right to withdraw consent
Under PIPEDA, individuals can withdraw consent at any time (subject to legal or contractual restrictions). If someone requests withdrawal, delete their submissions from the dashboard and inform them of the consequences of withdrawal.
Breach notification
PIPEDA requires organizations to notify the OPC and affected individuals of any breach of security safeguards that creates a "real risk of significant harm." If you believe FormBlade submissions have been accessed by an unauthorized party, contact us immediately so we can assist with incident response.
Cross-border transfers
PIPEDA does not prohibit international data transfers, but you must inform individuals that their data may be processed outside Canada and that it may be accessible to foreign governments under the laws of those jurisdictions. FormBlade (ZNX Ltd) processes data on EU infrastructure. Mention this in your privacy policy.
Consent is not stored
FormBlade validates the consent checkbox at submission time but strips the _fb_consent field before storing the submission. If your compliance process requires proof of consent, implement a separate consent log on your side.
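One way to keep that separate consent log on your own server is sketched below. This is an added example, not FormBlade code: it records each grant or withdrawal as a hash-chained entry, so later edits are detectable. The function names, the entry layout, and the check that `_fb_consent` equals "true" (taken from the checkbox value shown above) are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Wording shown beside the checkbox (the preset's consent message from this page).
CONSENT_TEXT = ("I consent to the collection and use of my personal information "
                "as described in the privacy policy.")
GENESIS = "0" * 64

def subject_id(key, email):
    # Keyed hash of the normalized address, so the log is not a second copy of contact data.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_event(log, key, form_id, email, fields, when=None, event="granted"):
    """Append a consent event; return None when a grant lacks the checkbox value."""
    if event == "granted" and fields.get("_fb_consent") != "true":
        return None  # nothing to prove: the box was not ticked
    entry = {
        "event": event,
        "form_id": form_id,
        "subject": subject_id(key, email),
        "text_sha256": hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),
        "at": (when or datetime.now(timezone.utc)).isoformat(),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_chain(log):
    """False if any entry was edited, reordered, or dropped from the middle."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != _digest(entry):
            return False
        prev = entry["entry_hash"]
    return True

def has_consent(log, key, form_id, email):
    """Latest event for this person and form decides the current state."""
    sid, state = subject_id(key, email), False
    for entry in log:
        if entry["subject"] == sid and entry["form_id"] == form_id:
            state = entry["event"] == "granted"
    return state
```

Call `record_event(..., event="withdrawn")` when handling a withdrawal request, and keep the HMAC key outside the log store so the subject identifiers cannot be recomputed from the log alone.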
Quebec's Law 25
If you target Quebec residents specifically, be aware of additional requirements from Law 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels):
- Privacy policy mandatory — must be published on your website in clear, simple language.
- Express consent required — for collecting personal information for commercial purposes (the PIPEDA preset already enables this).
- Privacy impact assessments — required for projects involving personal information. This is your responsibility, not FormBlade's.
- Default privacy settings — technology must be configured to the highest level of privacy by default. The PIPEDA preset with IP anonymization satisfies this.
- French language — privacy policies and consent messages should be available in French for Quebec users.