Compliance

PIPEDA compliance for e-signatures: what Canadian businesses need to know

· 7 min read

PIPEDA, the Personal Information Protection and Electronic Documents Act, is the federal law that governs how private-sector organizations in Canada handle personal information in the course of commercial activity. It is also where every conversation about Canadian e-signature compliance starts. If you sign agreements electronically with Canadian customers, employees, or counterparties, PIPEDA applies whether you are hosted in Toronto or in Toledo: the test is a real and substantial connection to Canada, not where your servers sit. (Inside Quebec, Alberta, and British Columbia, provincial private-sector statutes deemed substantially similar to PIPEDA take its place for activity within the province; the principles below carry over.)

What PIPEDA actually requires

The law operates on ten fair information principles. For e-signature platforms, five matter most in practice:

  • Accountability. Someone in your organization is named as responsible for compliance.
  • Consent. Signers know what they’re consenting to and how their data will be used.
  • Limiting collection. You collect only what the signing flow needs: name, email address, IP address, timestamps, and the signature image. Nothing more.
  • Safeguards. Personal information is protected, in proportion to its sensitivity, against loss, theft, and unauthorized access, disclosure, copying, use, or modification.
  • Individual access. A signer can ask what personal information you hold about them, how it is used, and to whom it has been disclosed, and can have inaccuracies corrected. Deletion is governed by the retention limit discussed below, not by this principle.

The data residency question

PIPEDA does not strictly require Canadian data to stay in Canada. It does require that personal information transferred across a border receives a comparable level of protection, and several provincial regimes tighten this further (Quebec's Law 25 requires a privacy impact assessment before personal information is communicated outside Quebec; BC's FIPPA imposes its own rules on public bodies). The practical bar most Canadian businesses set: keep envelope content in Canadian regions, period. It removes the need to map comparable-protection arguments onto US, EU, or APAC jurisdictions every time a regulator asks.

VG·Sign stores everything — PDFs, signed copies, audit trails, signer identifiers — in ca-central-1 (Montreal). See Data residency for the exhaustive list.

Retention and deletion

PIPEDA's fifth principle (limiting use, disclosure, and retention) says you keep personal information only as long as necessary to fulfil the purpose it was collected for. For signed agreements, "necessary" is usually driven by the limitation period and the statutory record-keeping rules that apply to the underlying transaction, and many Canadian businesses land on seven years as a working default. Once that window closes the retention purpose has expired and you have a positive obligation to dispose of the information: destroy it, erase it, or render it anonymous.

The right approach: a default seven-year retention with a clear notify-then-delete workflow, and the option for the customer to extend, export, or purge before the window closes. Anything shorter risks losing evidence you may need in a dispute; anything longer, without a documented purpose, violates the principle. An extension should therefore require the purpose to be recorded, not just a click.
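The workflow above as a small scheduler, written as an added example rather than VG·Sign's own code. The 90-day notice window, the field names, and the disposal record are assumptions; the seven-year default is the one discussed in the text. Extending the window refuses to proceed without a documented purpose, and a purge before the window closes returns only a minimal disposal record with no envelope content.

```python
"""Retention scheduler for signed envelopes (added example, not VG*Sign code).

Constructed for illustration: the 90-day notice window, the Envelope
fields, and the disposal record shape are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_RETENTION_YEARS = 7      # working default discussed in the text
NOTIFY_DAYS_BEFORE_EXPIRY = 90   # assumed notice window (hypothetical)


@dataclass
class Envelope:
    envelope_id: str
    completed_on: date                  # date the last signature was applied
    retention_years: int = DEFAULT_RETENTION_YEARS
    extension_reason: Optional[str] = None  # documented purpose, required to extend
    purged: bool = False


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(env: Envelope) -> date:
    """Day on which the retention purpose expires and disposal becomes mandatory."""
    return add_years(env.completed_on, env.retention_years)


def notify_date(env: Envelope) -> date:
    """Day on which the customer is told the window is closing."""
    return expiry_date(env) - timedelta(days=NOTIFY_DAYS_BEFORE_EXPIRY)


def retention_action(env: Envelope, today: date) -> str:
    """Return the action the nightly scheduler should take for this envelope."""
    if env.purged:
        return "none"          # already disposed of; nothing left to act on
    if today >= expiry_date(env):
        return "dispose"       # purpose expired: delete or anonymise the content
    if today >= notify_date(env):
        return "notify"        # customer may still extend, export, or purge
    return "retain"


def extend_retention(env: Envelope, extra_years: int, reason: str) -> Envelope:
    """Keep an envelope past the default window only with a documented purpose."""
    if extra_years <= 0:
        raise ValueError("extension must be a positive number of years")
    if not reason or not reason.strip():
        raise ValueError("a documented purpose is required to retain past the default window")
    env.retention_years += extra_years
    env.extension_reason = reason.strip()
    return env


def purge(env: Envelope, on: date) -> dict:
    """Customer-initiated purge before the window closes.

    Returns a minimal disposal record (assumed shape) that carries no
    envelope content, only the fact that disposal happened and when.
    """
    env.purged = True
    return {"envelope_id": env.envelope_id, "disposed_on": on.isoformat(),
            "reason": "customer purge"}


if __name__ == "__main__":
    env = Envelope("env-001", date(2018, 3, 15))   # constructed sample envelope
    for day in (date(2020, 1, 1), date(2025, 1, 1), date(2025, 3, 15)):
        print(day, retention_action(env, day))
```

Run the scheduler once a day against every envelope and act on the returned state; the "notify" state is what gives the customer the chance to extend, export, or purge before "dispose" fires.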

Consent and the consumer disclosure

Before a signer applies an electronic signature, they need to actively consent to receiving and signing the document electronically, and they need a clear disclosure explaining their rights: a paper copy on request, the ability to withdraw consent before signing, and the technical requirements for viewing the document. VG·Sign presents this disclosure on the first signing session and records the consent event (and any withdrawal) in the audit log, so that a signature can later be tied to the consent that preceded it. The disclosure text itself is on our public page.

Breach notification

Since November 2018, PIPEDA has required mandatory breach reporting: any breach of security safeguards that creates a real risk of significant harm must be reported to the Privacy Commissioner of Canada and to the affected individuals as soon as feasible, and the organization must keep a record of every breach, reportable or not, for 24 months. For an e-signature platform, that means tight access controls, encryption everywhere, and a documented incident response plan that activates within hours, not days, and that produces the breach record as a matter of course.

Compliance is engineering, not paperwork

The temptation with PIPEDA — and with any privacy regime — is to treat it as a checkbox exercise: write a privacy policy, post it, move on. The platforms that take it seriously bake the principles into the system itself. Encrypted at rest. Region-locked storage. Append-only audit logs. Default retention windows. Self-serve data subject requests. When the regulator (or your enterprise customer’s security team) asks, you point them at the architecture, not a PDF.
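Two of the items in that list, the consent event recorded in the audit log and the append-only log itself, come together in the example below. It is added here to illustrate the technique and is not VG·Sign's code; the event names, field layout, and sample entries are constructed. Each entry commits to the hash of the previous one, so rewriting or deleting a past entry is detected by re-walking the chain, and a signature is only applied when the log shows consent given and not since withdrawn.

```python
"""Hash-chained, append-only audit log with consent checks.

Added example (not VG*Sign code). Event names, field layout and the
sample entries are constructed for illustration.
"""
import hashlib
import json


class AuditLog:
    GENESIS = "0" * 64   # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _canonical(entry):
        # Stable serialisation so the same entry always hashes the same way.
        return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

    def append(self, event, envelope_id, signer, ts, **details):
        """Append one entry; its hash covers the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "event": event, "envelope_id": envelope_id,
                "signer": signer, "ts": ts, "details": details, "prev_hash": prev}
        body["hash"] = hashlib.sha256(self._canonical(body)).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        """Re-walk the chain. Returns (True, -1) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or hashlib.sha256(self._canonical(body)).hexdigest() != e["hash"]):
                return False, i
            prev = e["hash"]
        return True, -1

    def consent_in_force(self, envelope_id, signer):
        """True if the latest consent event for this signer/envelope is a grant."""
        state = False
        for e in self.entries:
            if e["envelope_id"] != envelope_id or e["signer"] != signer:
                continue
            if e["event"] == "consent_given":
                state = True
            elif e["event"] == "consent_withdrawn":
                state = False
        return state


def record_signature(log, envelope_id, signer, ts, **details):
    """Apply a signature only when the log shows consent still in force."""
    if not log.consent_in_force(envelope_id, signer):
        raise PermissionError(f"{signer} has not consented to sign {envelope_id} electronically")
    return log.append("signature_applied", envelope_id, signer, ts, **details)


def build_sample_log():
    """Constructed sample session: disclosure shown, consent given, document signed."""
    log = AuditLog()
    log.append("consent_given", "env-001", "alice@example.com", "2024-05-01T10:00:00Z",
               ip="198.51.100.7", disclosure_version="2024-03")
    log.append("document_viewed", "env-001", "alice@example.com", "2024-05-01T10:01:12Z",
               ip="198.51.100.7")
    record_signature(log, "env-001", "alice@example.com", "2024-05-01T10:03:40Z",
                     ip="198.51.100.7", signature_sha256="d2a1" + "0" * 60)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[0]["details"]["ip"] = "203.0.113.9"   # tamper with a past entry
    print("after edit:", log.verify())
```

Hashing each entry over the previous hash gives tamper evidence, not tamper resistance: an attacker who can rewrite the whole chain from the altered entry onward will still pass `verify`. In practice the head hash is periodically anchored somewhere the writer cannot change (a signed timestamp, a write-once store, or a customer-held receipt), which is the part this example leaves out.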