Privacy Guide for Canadian Charities (2026)

Dov Goldberg

🆕 What are the key privacy obligations for Canadian charities in 2026?

Canadian charities must protect donor, volunteer, and beneficiary data under PIPEDA, Quebec's Law 25, and applicable provincial privacy laws. Core obligations include designating a privacy officer, obtaining informed consent, securing vendor contracts, training staff on data handling, and having a documented breach response plan. Charities operating nationally may fall under multiple privacy regimes at once.

Every Canadian charity handles personal information. Donor names, beneficiary health records, volunteer records, payroll files — it adds up quickly.

Cyberattacks on nonprofits increased by 30% year-over-year in 2025, with the average cost of a data breach approaching $2 million. For most charities, a serious breach is not a budget problem. It is an existential one.

The good news is that most of what privacy regulators expect is common sense, properly documented, and consistently followed. This guide covers the key questions every Canadian charity board should be able to answer heading into 2026.

Has Your Charity Assessed Its Privacy Risks?

Before fixing a privacy problem, a charity needs to know where its risks actually live.

A formal privacy risk assessment looks at what personal information is being collected, who accesses it, how it moves through the organization, and where it could be exposed. Many charities skip this step entirely.

A small social services charity discovered mid-audit that intake forms containing health information were being emailed to a personal Gmail account — for convenience. No one had ever thought to ask. That kind of exposure does not surface without a deliberate review.

Boards should:

  • Map where personal data lives — databases, paper files, cloud tools
  • Identify who has access and whether they genuinely need it
  • Document known risks and the steps being taken to address them
  • Place privacy risk on the board agenda at least once a year

Are Employees Truly Trained on Privacy?

A signed acknowledgment on day one does not equal training.

Staff need to understand the charity's privacy policy in practice: how to handle donor data, how long records are kept, and how to safely destroy them. Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a human element such as phishing or simple error. That figure is expected to remain high through 2026.

Training should be repeated annually, not buried in an onboarding checklist. Volunteers are not exempt. Anyone who touches personal data needs to understand the rules.

Does Your Charity Have a Named Privacy Officer?

Charities need a real person accountable for privacy — not just a policy document sitting in a filing cabinet.

PIPEDA requires organizations engaged in commercial activity to designate an individual accountable for the organization's compliance with the Act, commonly called a privacy officer. Quebec's Law 25 also explicitly requires a person in charge of the protection of personal information for enterprises carrying on activity within Quebec, including charities with an active operational presence in the province. Under Law 25, the person with the highest authority in the enterprise holds that role by default and may delegate it in writing.

At most small charities, the role falls to the Executive Director. That is acceptable. What matters is that a specific person holds the responsibility, their name is documented internally, and their contact information is publicly available to donors and clients.

The Three Pillars of Data Security

Effective data security requires physical, technical, and administrative controls working in combination.

Removing any one pillar leaves the whole structure vulnerable. All three categories cover the basics:

Physical: Locked filing cabinets, secured server rooms, visitor sign-in procedures, restricted access to spaces where records are stored.

Technical: Encrypted devices, multi-factor authentication, role-based access controls, and regular software patching.

Administrative: Written policies on who can access what, how long data is retained, and how it is destroyed at end of life.

A classic charity scenario involves airtight cybersecurity paired with a donor binder sitting open on the reception desk every Tuesday afternoon. Physical controls matter as much as digital ones.

Managing Third-Party Vendors

Outsourcing data processing does not outsource privacy liability.

Every fundraising platform, CRM, payroll processor, and cloud backup service a charity uses likely touches personal information. If contracts with those vendors do not include privacy obligations, the organization keeps all the risk while sharing the data.

Strong vendor contracts should include:

  • Written privacy and security requirements
  • Breach notification clauses with defined timelines
  • Audit rights for high-sensitivity data
  • Restrictions on how the vendor may use the data for its own purposes

Vendor oversight is not a one-time step. It should be revisited whenever a vendor changes ownership, updates its terms of service, or experiences its own breach.

Cross-Border Data Storage

Most charities store data outside Canada without realizing it.

Tools like Mailchimp, Salesforce, and Google Workspace can process data on servers in the United States. This is generally permitted under Canadian privacy law, provided the organization is transparent about it at the point of collection. The charity remains accountable for the data while it is in the vendor's hands and must use contractual or other means to ensure a comparable level of protection.

A plain-language line in the charity's privacy policy is usually sufficient: "We use service providers located in the United States; your information may be subject to the laws of that jurisdiction."

Charities with donors, clients, or volunteers in Quebec have additional obligations under Law 25 when transferring data outside the province, including a privacy impact assessment under section 17 before personal information is communicated outside Quebec.

Consent: Getting It Right

PIPEDA is built on consent — and that consent must be meaningful.

For common charitable activities such as accepting donations, issuing tax receipts, and sending newsletters, consent can be simple. The key word is informed. Consent buried in fine print or implied through inaction does not meet the standard.

Canadian privacy law is moving steadily toward explicit opt-in, particularly for marketing communications and non-essential data collection. Charities still relying on opt-out mechanisms should treat that as a compliance gap to close in 2026.

CASL and Electronic Communications: A Common Charity Blind Spot

Collecting donor consent for newsletters is only part of the compliance picture. Canada's Anti-Spam Legislation (CASL) separately governs the act of sending those messages — and charities frequently underestimate its reach.

CASL does provide a limited exemption for registered charities, but that exemption is narrow. It applies only where the primary purpose of an electronic message is raising funds for the charity. A general donor newsletter, an event promotion, an advocacy update, or any communication with commercial elements that does not primarily solicit funds is not covered by the exemption — and CASL's full requirements apply.

For any electronic message that falls outside the fundraising exemption, charities must:

  • Obtain express or implied consent before sending
  • Clearly identify the organization and provide a mailing address
  • Include a working unsubscribe mechanism in every message
  • Honor unsubscribe requests within ten business days

The CRTC enforces CASL and has the authority to issue administrative monetary penalties. Boards that assume their charity status makes CASL inapplicable to all communications should revisit that assumption with legal counsel. Guidance on CASL requirements for registered charities is available through the CRTC at crtc.gc.ca.

AI Tools, Staff Risks, and Emerging Threats

This is the most significant new privacy exposure for Canadian charities in 2026.

Staff are increasingly using AI tools — ChatGPT, Microsoft Copilot, Google Gemini — for drafting communications, summarizing documents, and writing reports. In many cases, they are pasting donor names, beneficiary details, or confidential case notes directly into these platforms without understanding the data implications.

Charities need a clear, written policy on AI tool use that addresses:

  • Which categories of personal data cannot be entered into any external AI tool
  • Which tools, if any, are approved for staff and volunteer use
  • What safeguards apply when using approved tools
  • How violations are handled
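One concrete safeguard for the "which categories of personal data cannot be entered into any external AI tool" rule is a pre-send check that flags or redacts identifiers before text leaves the charity's environment. The following is an added example written for this guide, not code from the original article or from any AI vendor; the detector categories, the sample case note, and the assumption that a Canadian SIN passes a standard Luhn mod-10 check are the author's own choices.

```javascript
'use strict';

// Luhn mod-10 check, which Canadian Social Insurance Numbers satisfy
// (assumption: standard algorithm as publicly documented).
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Detectors for the identifier categories a charity most often leaks.
// A SIN pattern is only reported when the checksum validates, which keeps
// random nine-digit numbers (invoice numbers, receipt IDs) out of the findings.
const DETECTORS = [
  { category: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { category: 'sin', re: /\b\d{3}[ -]?\d{3}[ -]?\d{3}\b/g,
    accept: (m) => luhnValid(m.replace(/\D/g, '')) },
  { category: 'phone', re: /\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g },
  { category: 'postal_code',
    re: /\b[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d\b/gi },
];

// Scan text and return non-overlapping findings in document order.
function scanForPersonalData(text) {
  const findings = [];
  for (const { category, re, accept } of DETECTORS) {
    for (const m of text.matchAll(re)) {
      if (accept && !accept(m[0])) continue;
      findings.push({ category, value: m[0], index: m.index });
    }
  }
  // Earliest first; on a tie prefer the longer match, then drop overlaps.
  findings.sort((a, b) => a.index - b.index || b.value.length - a.value.length);
  const kept = [];
  let end = -1;
  for (const f of findings) {
    if (f.index < end) continue;
    kept.push(f);
    end = f.index + f.value.length;
  }
  return kept;
}

// Replace each finding with a category placeholder. Working from the end of
// the string keeps earlier offsets valid while we splice.
function redactPersonalData(text) {
  let out = text;
  const found = scanForPersonalData(text).reverse();
  for (const f of found) {
    out = out.slice(0, f.index) + `[${f.category.toUpperCase()}]` + out.slice(f.index + f.value.length);
  }
  return out;
}

// Gate used before any text is sent to an approved external tool:
// returns the redacted text plus the categories that were removed.
function prepareForExternalTool(text) {
  const found = scanForPersonalData(text);
  return {
    text: redactPersonalData(text),
    removed: [...new Set(found.map((f) => f.category))],
  };
}

// Constructed sample case note (fictional person; the SIN is the widely
// published Luhn-valid test value, not a real person's number).
const SAMPLE_NOTE =
  'Client Jane Roe, SIN 046 454 286, phone 416-488-5888, email jane.roe@example.org, ' +
  'postal M4N 1A1. Reference 123 456 789 is an invoice number, not a SIN.';
```

Usage: `prepareForExternalTool(SAMPLE_NOTE).text` returns the note with the SIN, phone, email and postal code replaced by placeholders, while the invoice number is left alone because it fails the Luhn check. A pattern scanner catches identifiers, not free-text facts such as a diagnosis or a family situation, so it supports the written policy rather than replacing the rule that beneficiary case notes stay out of external tools entirely.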

Phishing attacks remain the most common breach vector for nonprofits. Attackers are now using AI-generated content to create highly convincing fake emails, invoices, and login pages. Annual phishing simulation training, combined with a written AI use policy, is the new baseline expectation for 2026.

Breach Response Protocols

Having a plan before a breach occurs is the difference between a manageable incident and a full-blown crisis.

Charities should document, in advance:

  • Who is notified internally first (Executive Director, Board Chair)
  • Who determines whether the breach meets the "real risk of significant harm" (RROSH) threshold under PIPEDA
  • Who notifies the Office of the Privacy Commissioner of Canada if required
  • Who contacts affected individuals
  • Who speaks to media if the situation becomes public

When assessing whether a breach must be reported, the governing standard under section 10.1 of PIPEDA is whether the incident poses a real risk of significant harm (RROSH) to affected individuals, considering both the sensitivity of the information and the probability that it has been, is being, or will be misused. Where the threshold is met, the report to the Commissioner and the notice to affected individuals must be made as soon as feasible after the organization determines the breach has occurred.

The Office of the Privacy Commissioner of Canada provides standing guidance on how to apply the RROSH assessment framework on its website. 

Under section 10.3 of PIPEDA and section 6 of the Breach of Security Safeguards Regulations, organizations subject to the Act are legally required to keep a record of every breach of security safeguards for a minimum of 24 months after the day on which the organization determines the breach has occurred, regardless of whether the breach meets the RROSH threshold for reporting, and to provide those records to the Commissioner on request.

This is a mandatory statutory obligation, not a best practice. Boards should establish a documented breach log as standard procedure and ensure it is maintained consistently across all incidents, including those assessed as falling below the reporting threshold. Charities not directly subject to PIPEDA are also strongly advised to adopt equivalent record-keeping practices. 

Breach response plans should be rehearsed, not just filed away. A short tabletop exercise once a year closes gaps that paperwork alone will miss.

The Practical Security Checklist

Strong privacy programs combine good policy with consistent technical hygiene.

These fundamentals apply to every charity, regardless of size or budget:

  • Require a VPN or equivalent authenticated gateway for remote access to internal systems; a VPN protects the connection, not a weak account behind it, so pair it with MFA
  • Limit data access to those who genuinely need it: a summer student does not need access to the major donor database
  • Keep personal data off USB sticks; if USB storage is unavoidable, use encrypted drives
  • Vet IT vendors and use written contracts with privacy and security clauses
  • Run regular backups, keep at least one copy offline or otherwise unreachable from the office network, and test a restore at least annually; apply software patches promptly
  • Enforce strong, unique passwords (a password manager makes this realistic), enable MFA wherever it is offered, and secure office Wi-Fi with WPA2 or WPA3 and a separate guest network
  • Never leave devices unattended in vehicles, and enable full-disk encryption so a lost laptop is a hardware loss rather than a breach
  • Maintain active vendor oversight: a vendor's breach becomes the charity's breach
  • Establish documented notification procedures for any RROSH-level incident

Which Privacy Laws Apply to Your Charity?

Canadian charities may be subject to multiple privacy laws depending on where they operate, whose data they handle, and what activities they carry out.

Federal PIPEDA applies to charities engaged in commercial activity. While standard fundraising, accepting donations, and collecting membership fees are generally non-commercial, boards should be aware that section 2(1) of PIPEDA explicitly defines commercial activity to include the selling, bartering, or leasing of donor, membership, or other fundraising lists. 

Any charity that shares, swaps, or rents its donor list to another organization or a third-party marketer is conducting a commercial activity and is directly subject to PIPEDA for that data.

Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25, applies to enterprises carrying on activity within Quebec. 

Charities with an active operational presence in Quebec, such as regional offices, local employees, or targeted local fundraising campaigns, face direct compliance obligations under Law 25. Serious violations carry administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines of up to $25 million or 4% of worldwide turnover, whichever amount is greater.

National charities without a clear Quebec nexus are not automatically subject to the full penalty regime simply because a donor happens to reside in that province, but adopting Law 25 standards as an operational baseline is sound risk management for any charity running cross-provincial programs.

Bill C-27 and the CPPA: What Charities Should Watch

Charity boards should be aware of an important legislative development. The federal Bill C-27 that proposed the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA) belonged to the 44th Parliament. When that Parliament dissolved, this legislation died on the order paper without receiving Royal Assent.

In the current 45th Parliament, the designation "Bill C-27" refers to an entirely unrelated piece of legislation — An Act to give effect to the Final Self-Government Agreement for the Tłegǫ́hłı̨ Got'įnę — and has no connection to privacy reform. As of mid-2026, the federal government has not introduced a replacement privacy modernization bill in the current session.

Federal privacy reform is effectively stalled at the legislative level. That said, the standards proposed in the former CPPA — stronger consent requirements, data portability and deletion rights, enhanced breach obligations, and significantly higher penalties — remain the best-practice benchmark against which charities should assess their current programs. Boards should monitor Parliament's legislative agenda for any new federal privacy bill introduced in this session via the Parliament of Canada LEGISinfo database.

Provincial Privacy Law at a Glance

Jurisdiction                     Applicable law                          Applies to nonprofits?
Federal (commercial activity)    PIPEDA                                  Yes
Quebec                           Law 25 (Bill 64)                        Yes, including nonprofits
Alberta                          PIPA Alberta                            Yes, but for most nonprofits only in respect of commercial activity
British Columbia                 PIPA BC                                 Yes, all organizations including nonprofits
Ontario (health information)     PHIPA                                   Yes, health information custodians
Ontario (general)                No provincial private-sector law yet    PIPEDA applies

A note on PHIPA: boards sometimes read the Ontario health information row and assume that collecting any health-related data, such as food allergies for a summer camp or mental health intake forms for a community program, automatically makes their charity a Health Information Custodian (HIC) subject to PHIPA.

That is generally not the case. Under PHIPA, the definition of a health information custodian is tied to the actual provision of health care services: hospitals, clinics, pharmacies, physicians, and similar regulated health care providers. A charity that collects health information incidentally for the administration of its community programs is not, on that basis alone, a health information custodian. 

Standard health data collected outside a health care delivery context is generally governed by PIPEDA (where commercial activity is involved) or general privacy best practices. Charities that are uncertain whether their activities cross into health care delivery should seek legal advice, as the distinction can have significant compliance implications. 

A national fundraising campaign can quietly trigger four separate privacy regimes at once. Most boards discover this only after something has gone wrong.

Writing a Privacy Policy That Actually Works

A charity's privacy policy should answer real questions in plain, accessible language.

A template copied from a peer organization in 2014 is almost certainly out of date. A current privacy policy should clearly address:

  • What personal information is collected and why
  • How consent is obtained
  • Who can access data internally and for what purpose
  • How data is protected when held by third-party vendors
  • How long the charity retains personal information
  • How and when data is securely destroyed
  • What affected individuals can expect in the event of a breach

If a thoughtful donor cannot answer those questions after reading the policy, the policy needs to be rewritten. Quebec's Law 25 also requires privacy policies to be prominently posted on the organization's website.

Cyber Insurance for Charities

Cyber insurance is no longer optional for charities that handle significant volumes of personal data.

Policies vary widely in what they actually cover. Common exclusions include social engineering attacks, ransomware triggered by employee error, and claims arising from third-party vendor breaches. Many charities have learned about these exclusions during a live incident.

Before purchasing or renewing a policy, boards should:

  • Confirm coverage for ransomware and social engineering attacks
  • Check whether regulatory fines and breach notification costs are included
  • Verify that cross-border data transfers do not void coverage
  • Understand sublimits that could reduce actual payouts in a major incident

Cyber insurance is a last-resort backstop — not a substitute for sound privacy practices.

Annual Review and Staying Current in 2026

Privacy law is changing faster than most charity policies can keep up with.

Quebec has been actively enforcing Law 25 since its phased rollout, with investigations and fines publicly reported. At the federal level, privacy modernization legislation died with the dissolution of the 44th Parliament, and no replacement bill had been introduced as of mid-2026. Ontario continues to expand public-sector breach reporting obligations. Cookie consent standards are tightening under pressure from provincial regulators. 

A privacy policy more than 12 months old has probably already fallen behind somewhere. Annual reviews should be scheduled, documented in board minutes, and followed by actual updates to vendor contracts and internal procedures.

Cookie Banners, Tracking, and Opt-In Consent

Most charity websites collect more personal data than their boards realize.

Analytics tools, Meta Pixel, Google Ads tags, and social media trackers are standard on most nonprofit websites. Each collects personal data, and under Quebec's Law 25 and emerging federal standards, each requires meaningful, prior consent before it loads.

Pre-ticked consent boxes and "by using this site you agree" banners no longer meet the standard. Quebec regulators have already cited organizations for using these approaches. 

Ontario charities operating nationally should treat Quebec's cookie consent standards as a compliance benchmark. While Law 25's direct enforcement reach depends on a charity's operational connection to Quebec, adopting the more protective consent standard across all digital properties is prudent risk management and reduces cross-provincial exposure. 

Best practice for 2026:

  • Use a consent management platform (CMP) that provides a genuine opt-in choice
  • Do not load tracking scripts until the user has given active consent
  • Offer a clear and easy way for users to withdraw consent at any time
  • Maintain a log of consent records in case of regulatory inquiry
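The four points above describe a mechanism rather than a policy, so here is a minimal opt-in consent gate as an added example written for this guide; it is not code from the original article or from any consent management platform. It assumes tracking tags are declared inert in the HTML with `type="text/plain"` plus `data-consent` and `data-src` attributes (assumed names), that the only categories are `analytics` and `marketing`, and that the banner exposes two unchecked boxes and an accept button with the element ids shown. The consent log carries a policy version so a changed privacy policy can trigger a fresh prompt.

```javascript
'use strict';

// Consent categories a charity site typically needs. Strictly necessary
// cookies need no consent and are not modelled here. (Assumed names.)
const CATEGORIES = ['analytics', 'marketing'];

// Tracking tags are declared inert so the browser never runs them on its own
// (assumed attribute names), e.g.
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
// A tag is only turned into a real <script> once its category is granted.

class ConsentManager {
  constructor(policyVersion, now = () => new Date()) {
    this.policyVersion = policyVersion; // bump whenever the privacy policy text changes
    this.now = now;
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, false])); // nothing granted by default
    this.log = []; // append-only consent record, kept for a regulatory inquiry
  }

  // Record a choice the user actually made. Only a boolean true counts as a
  // grant: a pre-ticked checkbox's 'on', any string, or a missing key is a refusal.
  record(choices, source = 'banner') {
    for (const c of CATEGORIES) this.state[c] = choices[c] === true;
    this.log.push({
      at: this.now().toISOString(),
      policyVersion: this.policyVersion,
      source,
      granted: this.granted(),
    });
    return this.granted();
  }

  // Withdrawal is simply a new record with nothing granted.
  withdraw(source = 'preferences') {
    return this.record({}, source);
  }

  granted() {
    return CATEGORIES.filter((c) => this.state[c]);
  }

  isGranted(category) {
    return this.state[category] === true;
  }

  exportLog() {
    return JSON.stringify(this.log);
  }
}

// Pure decision step: given declared tags and the current consent state,
// return the tags that may load. Unknown categories never load.
function selectLoadable(tags, manager) {
  return tags.filter((t) => manager.isGranted(t.category));
}

// DOM glue: swap each permitted inert tag for a real script element.
// Returns the number of tags activated; 0 when there is no document.
function activateDeferredTags(manager, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!manager.isGranted(el.dataset.consent)) continue;
    const s = doc.createElement('script');
    s.src = el.dataset.src;
    s.async = true;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}

// Page wiring (browser only): nothing loads until the user clicks accept,
// and the checkboxes start unchecked. Element ids are assumed.
if (globalThis.document) {
  const manager = new ConsentManager('2026-01');
  document.getElementById('consent-accept')?.addEventListener('click', () => {
    manager.record({
      analytics: document.getElementById('consent-analytics').checked,
      marketing: document.getElementById('consent-marketing').checked,
    }, 'banner');
    activateDeferredTags(manager);
  });
}
```

Two caveats a practitioner would want. First, withdrawal only stops future loads; a tag that already ran has set its cookies, so the preferences page should also clear those cookies and reload. Second, the log must persist somewhere the charity controls (a server-side store keyed by a random consent id, not the tracker's own cookie) or it will be gone exactly when a regulator asks for it.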

Conclusion

Privacy compliance is not a one-time project — it is an ongoing responsibility that grows alongside a charity's programs, staff, and donor base. 

As Canadian privacy law continues to evolve through Quebec's Law 25 enforcement, the stalled federal privacy modernization agenda, and rising cyber threats, boards that stay ahead of these changes protect far more than data. They protect their mission. 

The cost of getting privacy right is modest compared to the cost of getting it wrong. A single breach can erode years of donor trust, trigger regulatory investigations across multiple jurisdictions, and drain resources that should be going toward the communities a charity serves. Building strong privacy practices now is one of the most responsible decisions a board can make.

Charities with questions about privacy obligations, policy drafting, or compliance under PIPEDA and Law 25 are welcome to reach out to B.I.G. Charity Law Group for a free consultation. The team at CharityLawGroup.ca advises Ontario charities and nonprofits on governance, regulatory compliance, and risk management. Contact them by phone at 416-488-5888, by email at dov.goldberg@charitylawgroup.ca, or schedule a free consultation online.

Frequently Asked Questions

Does PIPEDA apply to our charity?

PIPEDA applies to charities engaged in commercial activity. Standard fundraising, accepting donations, and collecting membership fees are generally non-commercial activities and do not, on their own, trigger PIPEDA compliance. However, boards should be aware that section 2(1) of PIPEDA explicitly defines commercial activity to include the selling, bartering, or leasing of donor, membership, or other fundraising lists. Any charity that shares, swaps, or rents its donor list with another organization or a third-party marketer is conducting a commercial activity and is directly subject to PIPEDA for that data. Courts and regulators also increasingly treat PIPEDA as the standard of care for any organization handling personal data in Canada, regardless of whether they technically fall within the commercial activity threshold. 

Does Quebec's Law 25 apply to our Ontario charity?

It depends on the nature of your charity's connection to Quebec. Quebec's Law 25 applies to enterprises carrying on activity within Quebec. Charities with an active operational presence in the province — regional offices, local staff, or fundraising campaigns specifically targeted at Quebec residents — face direct compliance obligations under Law 25. 

An Ontario charity with no meaningful Quebec nexus is not automatically subject to Law 25's full penalty regime simply because a donor happens to reside there. That said, adopting Law 25 standards as an operational baseline is strongly advisable for any charity running national programs, both as a risk mitigation strategy and as a signal of organizational maturity to donors and regulators. 

What is Bill C-27, and should charities be paying attention?

Charity boards should be aware of an important update. The Bill C-27 that proposed the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA) belonged to the 44th Parliament and died when that Parliament dissolved, without receiving Royal Assent. 

In the current 45th Parliament, "Bill C-27" refers to unrelated Indigenous self-government legislation. As of mid-2026, the federal government has not introduced a new privacy modernization bill. 

Federal privacy reform remains legislatively stalled. However, the standards proposed in the former CPPA — stronger consent requirements, data portability and deletion rights, and significantly higher penalties — remain the benchmark charities should use to evaluate their current programs. 

Boards should monitor Parliament's legislative agenda for any new federal privacy bill introduced in the current session. 

When does a breach need to be reported to the Privacy Commissioner?

Under PIPEDA, a breach must be reported to the Office of the Privacy Commissioner of Canada when it poses a real risk of significant harm (RROSH) to affected individuals. This includes breaches that could lead to identity theft, financial loss, physical harm, or serious reputational damage. The RROSH standard is set out in section 10.1 of PIPEDA, and the Office of the Privacy Commissioner provides standing guidance on how to apply this assessment framework on its website.

Separately, section 10.3 of PIPEDA, read with section 6 of the Breach of Security Safeguards Regulations, imposes a mandatory record-keeping obligation: organizations must keep a record of every breach of security safeguards for a minimum of 24 months after the day on which the organization determines the breach has occurred, regardless of whether the breach meets the RROSH threshold, and must provide those records to the Commissioner on request. This is a statutory requirement, not a recommendation. Boards should maintain a documented breach log and ensure it captures all incidents, including those assessed as falling below the reporting threshold.

What are the penalties for privacy violations in Quebec?

Quebec's Law 25 carries administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines of up to $25 million or 4% of worldwide turnover, whichever amount is greater, for serious violations, including failure to report a breach and non-compliant data transfers outside Quebec.

The material provided on this website is for information purposes only. It is not intended to be legal advice. You should not act or abstain from acting based upon such information without first consulting a Charity Lawyer. We do not warrant the accuracy or completeness of any information on this site. E-mail contact with anyone at B.I.G. Charity Law Group Professional Corporation is not intended to create, and receipt will not constitute, a solicitor-client relationship. Solicitor client relationship will only be created after we have reviewed your case or particulars, decided to accept your case and entered into a written retainer agreement or retainer letter with you.

DOV GOLDBERG, J.D.

DOV GOLDBERG, J.D. is a lawyer at B.I.G. Charity Law Group and has dedicated his career exclusively to Charity and Not-for-Profit Law for over a decade. Dov guides charities, foundations, and non-profit organizations through every stage of the registration process, offering practical legal advice with a focus on compliance, governance, and long-term success. Known for his hands-on approach and deep knowledge of CRA requirements, Dov is committed to helping clients build strong, sustainable, and legally sound organizations.
