If your nonprofit is considering expanding its fundraising efforts into Canada, it's crucial to understand the country’s complex data privacy landscape. Canada's privacy regulations, encompassing both federal and provincial laws, have specific implications for how organizations handle personal information.
For example, cultivation activities—such as communicating with existing donors—are generally exempt from Canada’s national privacy law and two of the three major provincial privacy laws . However, Québec does not provide an exemption for nonprofits.
In this blog post, we'll review:
- Canadian data privacy laws and what they mean for nonprofits
- How nonprofits should story and process Canadian donor data
- The risks of acquisition campaigns in Canada
Before we jump in, please note that your nonprofit organization should consult legal counsel to ensure full compliance before beginning any fundraising efforts involving Canadian residents.
Federal privacy law: PIPEDA
At the federal level, Canada enforces the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations collect, use and disclose personal information during commercial activities.
Notably, PIPEDA defines “commercial activity” as including the "selling, bartering or leasing of donor, membership, or other fundraising lists."
However, most fundraising activities directed at existing donors—such as collecting membership fees, organizing club activities and mailing out newsletters—are not considered commercial activities under PIPEDA and are generally exempt.
Provincial privacy laws: Alberta, British Columbia and Québec
In addition to PIPEDA, three provinces have their own privacy laws:
Alberta & British Columbia
- Both provinces have Personal Information Protection Acts (PIPA) that apply primarily to commercial activities.
- Nonprofits engaging in non-commercial activities (such as donor stewardship) are generally exempt.
Québec (Law 25)
- Québec’s Law 25 (formerly Bill 64) applies to all organizations, including nonprofits.
- No exemption exists for nonprofits, even if they are only communicating with existing donors.
- Organizations must comply with Law 25 when collecting, storing or processing personal information from Québec residents.
What this means for your nonprofit
- If your nonprofit fundraises in Québec, you must comply with Law 25.
- If your nonprofit fundraises in Alberta or British Columbia, you are generally exempt from provincial privacy laws unless engaging in commercial activities.
- At the federal level (PIPEDA), fundraising from existing donors is not considered commercial activity, so it is usually exempt.
Data residency: Where should your nonprofit store and process donor data?
Canada’s privacy laws strongly favor keeping Canadian residents’ personal data stored and processed within Canada. While not explicitly required under PIPEDA, Québec’s Law 25 and industry best practices indicate that storing and processing Canadian donor data on Canadian servers is the safest approach for compliance.
Why nonprofits should store and process Canadian donor data in Canada
Avoids cross-border transfer restrictions:
- Under Law 25, any transfer of personal information outside Québec requires a Privacy Impact Assessment (PIA).
- If donor data is stored inside Canada, nonprofits avoid this additional compliance burden.
Minimizes risk of U.S. regulatory conflicts:
- If Canadian data is stored on U.S. servers, it may fall under U.S. jurisdiction, including laws like the CLOUD Act, which could expose donor data to legal requests from U.S. authorities.
Increases donor trust:
- Canadian donors (especially those in Québec) are increasingly privacy-conscious and expect their data to be handled under Canadian laws.
- Keeping data in Canada reinforces credibility and protects donor relationships.
3 important practices for data residency
- Store donor data in Canada: Use Canadian-based cloud providers or data centers for all donor information.
- Process donor data on servers in Canada: Ensure that all fundraising analytics, segmentation and reporting occur on servers located within Canada.
- Use Canadian print vendors: If mailing to Canadian donors, use a Québec-based print vendor to avoid triggering cross-border PIA requirements under Law 25.
Acquisition campaigns: Proceed with caution
Nonprofits that conduct acquisition campaigns (i.e., prospecting for new donors using rented lists) must comply with stricter data privacy laws as these campaigns are considered commercial activity under PIPEDA and provincial laws. Acquisition campaigns in Canada are usually more trouble than they’re worth.
Key compliance risks with acquisition campaigns
Verification of consent:
- Canadian privacy laws require proof that individuals explicitly consented to have their data shared.
- Rented or purchased lists may not have sufficient consent records, making compliance difficult to verify.
Law 25’s Privacy Impact Assessments (PIAs):
- If the nonprofit rents a donor list from a vendor outside Québec, a PIA must be conducted before processing the data.
- If the original data collection was non-compliant, the liability shifts to the nonprofit using the list.
Recommendations for acquisition campaigns in Canada
- Avoid acquisition campaigns unless you can verify that every name on the rented list was collected with explicit consent.
- If working with a list provider, require proof of consent and conduct a Privacy Impact Assessment (PIA) before using the data.
Consult legal counsel before fundraising in Canada
Before launching fundraising campaigns in Canada, nonprofits should consult with legal counsel to:
- Determine whether their activities qualify as commercial under PIPEDA or provincial laws.
- Ensure that their data storage and processing comply with Canadian residency expectations.
- Confirm that their marketing or acquisition campaigns meet consent requirements.
Nonprofits operating exclusively with existing donors will generally face fewer compliance burdens, but those engaging in acquisition campaigns or handling Québec donor data must take extra precautions.
Canada welcomes philanthropy
Despite the regulatory landscape, Canada remains an excellent environment for nonprofit fundraising. By understanding privacy laws and structuring donor data storage and processing correctly, nonprofits can fundraise successfully while maintaining compliance and donor trust.
Disclaimer: The above content is informative in nature and is not intended as legal advice. As a company that provides professional fundraising consulting services, RKD Group retains counsel to ensure compliance with fundraising laws in each applicable state. Questions related to Canadian data privacy laws should be directed to counsel that is competent to address such matters.