Modernizing Alberta’s Personal Information Protection Act - Albertan survey

This survey is specifically for Albertans to provide input on how the Act should be updated to better protect their personal information.

Introduction

The Personal Information Protection Act (PIPA) is Alberta’s private sector privacy law, governing how provincially regulated organizations collect, use, and disclose personal information. “Organizations” include corporations, businesses, unincorporated associations, trade unions (as defined in the Labour Relations Code), partnerships (as defined in the Partnership Act), individuals acting in a commercial capacity (such as landlords), and, in certain circumstances, non-profit organizations. It does not include individuals acting in a personal or domestic capacity.

The Government of Alberta is exploring options to modernize PIPA to give Albertans stronger privacy rights, align with global standards, and support innovation while respecting the personal information of Albertans.

PIPA was introduced in 2004 and last significantly updated in 2010. Modernizing PIPA is important to ensure Alberta’s privacy protections remain strong, relevant, and responsive to rapid technological change and the realities of today’s digital world.

Your feedback is valuable and will:

  • Inform options for modernizing PIPA;
  • Help government understand concerns, priorities, and expectations regarding privacy; and
  • Ensure policies are practical and effective and support successful implementation.

The survey takes 15 to 20 minutes to complete and closes February 17, 2026.

Survey

Please do not submit responses that include personal information about other people.

User experience

How would you rate your knowledge of privacy laws in Alberta?
I think private organizations in Alberta adequately protect my personal information.
I have an adequate amount of control over how my personal information is used by private organizations in Alberta.

Rights of individuals

An automated system is a system, software or process that uses computation to help make decisions, collect information, or interact with individuals or communities.

I am concerned about private organizations using my personal information in automated systems such as artificial intelligence.
I should be notified by a private organization if it intends to use my personal information in an automated system for decision-making or any other purpose.
I should have the right to challenge decisions made about me by an automated system.

For example, the ability to opt out of a product or service, request a human review, or contest the outcome.

De-indexing means removing a webpage, image, or other information about an individual so that it no longer appears in an online search engine’s results.

I should have the right to ask private organizations to delete or de-index my personal information when they no longer need it, when I have withdrawn my consent, or for another valid reason.
I should be able to ask a private organization to transfer my personal information to another organization in an accessible format, where possible, or provide me with a copy.

Privacy protections and safeguards

In Alberta, minors are individuals under the age of 18.

There should be specific rules for minors’ data, such as age-specific consent requirements.
There should be limitations on how or when private organizations may collect, use, or disclose specific types of personal information deemed to be more sensitive.

Examples may include biometric data, facial recognition, financial information, or personal information of vulnerable populations – such as those who, due to age, mental or physical health, or other conditions face a greater potential for harm, or difficulty exercising control over their personal information.

There should be stronger security requirements for certain subsets of personal information that are deemed to be more sensitive.

Examples include biometric data, facial recognition, financial information, or personal information of vulnerable populations.

How often do you read a private organization’s privacy statement or privacy policies?
When a private sector organization collects information about me, I know how that personal information may be used because they communicate that clearly with me before I provide consent.
What is the likelihood that you would read through an organization’s privacy statement or policy if it was written in a standard way using plain language that is easy to understand?
Has your personal information (for example, your e-mail address or credit card information) ever been breached?
Private organizations should be required to notify me if there is a possibility that I may be seriously harmed physically, mentally, or financially, due to a breach of my personal information.

“De-identified” data is data from which personal identifiers have been removed, masked or modified, but for which there is still a re-identification risk.

“Anonymized” data is data considered to be permanently transformed, making it impossible to determine an individual’s identity.

If personal information has been de-identified, private organizations should be able to use that information for research or other purposes.
If personal information has been anonymized, private organizations should be able to use that information for research or other purposes.
How important is it that private sector organizations be subject to penalties and administrative fines for not complying with privacy obligations?

Third-party service providers are organizations that directly or indirectly provide a service for or on behalf of another organization.

Alberta organizations should be required to have formal contracts or legal agreements with third-party service providers that clearly define privacy responsibilities, data ownership, breach reporting, and retention requirements to ensure compliance with PIPA.

Applicability and scope of the Act

Currently, a non-profit organization may only be subject to PIPA when it engages in commercial activity.

Non-profit organizations should be fully subject to PIPA for all activities, regardless of whether they are commercial.

Conclusion