
Right to Data Deletion: What Canadian Schools Must Do When a Prospect Requests Erasure

PIPEDA does not include an explicit right to erasure, but Law 25 (Quebec) does — and all provinces impose retention limits. A 5-step process for Canadian admissions teams navigating federal and provincial obligations.

Skolbot Team · April 25, 2026

Table of contents

  1. The Canadian Legal Framework: Federal and Provincial Layers
     - PIPEDA: the federal baseline
     - Law 25 (Quebec): the strictest standard in Canada
     - PIPA (Alberta and British Columbia)
     - Bill C-27 (Consumer Privacy Protection Act): forthcoming
  2. When Deletion Obligations Apply to Prospect Data
  3. When Can You Lawfully Decline a Deletion Request?
  4. A Five-Step Process for Handling Deletion Requests
  5. Retention Periods for Prospect Data
  6. AI Chatbots, CRM Systems, and the Deletion Challenge

Canada does not have a single, nationally uniform right to erasure equivalent to GDPR's Article 17. Under PIPEDA, the federal baseline for private-sector privacy, the right to deletion is more limited than under European law — but the obligation to retain personal information only as long as necessary for its stated purpose creates an effective deletion requirement once that purpose no longer exists. Quebec's Loi 25 (Law 25), in full force since September 2024, goes further: it provides an explicit right to de-indexation and erasure that closely resembles GDPR. For Canadian institutions recruiting nationally, navigating federal PIPEDA and Quebec's Law 25 simultaneously is the operational reality, and a prospective student's deletion request must be assessed against both frameworks. PIPEDA requires response to requests within 30 days, extendable to 60 days with notice to the individual.

For a broader overview of prospect data compliance in Canadian higher education, see our complete guide to student data protection.

The Canadian Legal Framework: Federal and Provincial Layers

Unlike the EU's unified regulation, Canadian privacy law operates through overlapping federal and provincial frameworks. Admissions teams at Canadian institutions must understand which layers apply — and where they interact.

PIPEDA: the federal baseline

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organisations that collect, use, or disclose personal information in the course of commercial activities. For private universities, colleges, and career schools that recruit and market to prospective students, PIPEDA sets the national floor. PIPEDA builds on ten fair information principles, including accountability, purpose limitation, and retention limitation. It does not use the phrase "right to erasure," but Principle 5 — limiting retention — requires that personal information be retained only as long as necessary to fulfil the identified purposes. Once that purpose is exhausted, the information must be destroyed, erased, or made anonymous.

Under PIPEDA, individuals have a right to access their personal information and to have inaccuracies corrected. The right to deletion is narrower and arises primarily when the individual withdraws consent and no other lawful basis for retention exists.

Law 25 (Quebec): the strictest standard in Canada

Quebec's Loi modernisant des dispositions législatives en matière de protection des renseignements personnels (Law 25), which came into full force in September 2024, introduced an explicit right to de-indexation and erasure modelled on GDPR. Under Articles 28–31 of the Act, a person may request that technology be used to stop the dissemination of personal information concerning them, and may request erasure where the information was collected in breach of the law, its retention is no longer necessary, or its collection purpose has been achieved. The Commission d'accès à l'information (CAI) oversees enforcement; administrative monetary penalties reach up to $25 million CAD or 4% of worldwide turnover.

Any institution recruiting Quebec residents — regardless of where the institution is located — must be able to handle Law 25 erasure requests. This extends to institutions in Ontario or British Columbia that run targeted campaigns toward Quebec high school graduates or CEGEP students.

PIPA (Alberta and British Columbia)

Alberta's and British Columbia's Personal Information Protection Acts (PIPA) are province-specific frameworks deemed "substantially similar" to PIPEDA. They share PIPEDA's retention limitation principle and the practical implication that personal information must not be retained beyond its stated purpose. Institutions primarily operating in Alberta or BC follow provincial PIPA rather than PIPEDA for intra-provincial activities.

Bill C-27 (Consumer Privacy Protection Act): forthcoming

The proposed federal Consumer Privacy Protection Act (CPPA), introduced as Bill C-27, would modernise PIPEDA and introduce an explicit right to erasure for Canadians. As of April 2026, Bill C-27 has not received Royal Assent. When enacted, it will apply nationally and will likely align Canadian federal law more closely with Quebec's Law 25. Institutions should build erasure-capable workflows now; retrofitting compliance after Royal Assent is operationally harder.

When Deletion Obligations Apply to Prospect Data

The trigger for a deletion obligation depends on the legal basis for the original collection and the applicable provincial or federal framework. The table below maps the most common scenarios for Canadian admissions teams.

| Trigger | Applicable law | Institution's obligation |
|---|---|---|
| Prospect withdraws consent | PIPEDA; Law 25; PIPA (AB/BC) | Cease processing for that purpose; delete where no other lawful basis applies |
| Prospect submits explicit erasure request (Quebec) | Law 25, Arts. 28–31 | Comply with de-indexation and/or erasure unless a statutory exception applies |
| Data is no longer necessary for its stated purpose | PIPEDA Principle 5; Law 25; PIPA | Proactive deletion required; no individual request needed |
| Implied CASL consent expires (6 months from inquiry) | CASL | Cease commercial electronic messages; delete if no other lawful basis for retention |
| Data collected without adequate notice or consent | PIPEDA; Law 25 | Remediate the collection; honour any resulting deletion request |

The most significant practical trigger for most Canadian institutions is purpose expiry: once a prospect has made no contact for a defined period and no active application is pending, PIPEDA's retention limitation principle requires deletion regardless of whether the prospect has formally requested it. This is not a passive obligation — it requires a configured, enforced retention policy.

When Can You Lawfully Decline a Deletion Request?

Neither PIPEDA nor Law 25 creates an absolute right to deletion. Specific grounds permit an institution to retain data despite a request.

Active transaction or purpose. If the prospect is in the middle of an application cycle — for example, they applied through OUAC and are awaiting an admissions decision — the institution may retain data necessary to complete that process. Once the admissions cycle concludes, this ground lapses and the data should be reviewed against retention policy.

Legal obligation. Federal or provincial law may require retention of specific records — for example, financial records under the Income Tax Act, accreditation documentation, or records relevant to an active human rights complaint. Retention must be scoped to the specific data the legal obligation requires, not the entire prospect file. A useful test: if you had to justify each retained field to the OPC, could you?

Legal claims. Where a prospect has raised a formal complaint about admissions conduct, retaining the relevant file until the matter is resolved is lawful. Once the complaint is concluded, this ground no longer applies.

Security and fraud detection. Retention is permitted where data is genuinely and actively used for fraud prevention or cybersecurity purposes. Prospective student contact data held in a marketing CRM rarely meets this standard.

Partial retention is both permitted and often the correct response. A prospect's CRM record may contain some data subject to a legal hold and other data — behavioural scoring, marketing preferences, campaign tags — that serves no lawful purpose. Retain only what the legal obligation genuinely requires; delete the rest. Blanket refusal where partial deletion is possible is inconsistent with both PIPEDA's accountability principle and Law 25's requirements. Document the specific legal basis for every retained data point and communicate it to the individual within the response deadline.

A Five-Step Process for Handling Deletion Requests

Step 1 — Acknowledge the request (Day 1). Confirm receipt in writing immediately. Under PIPEDA, the 30-day clock begins on the date of receipt. Under Law 25, the same timeline applies. Your acknowledgement should include a reference number and the date by which you will respond. For institutions with a designated Privacy Officer — mandatory under Law 25, recommended under PIPEDA — the request should be routed to them on Day 1.

Step 2 — Verify identity (Days 1–5). Confirm that the person making the request is who they say they are. For prospect data, matching the requestor's email address to the record in your systems is ordinarily sufficient. Verification measures must be proportionate to the sensitivity of the data; excessive documentation requirements are themselves a potential breach of the purpose limitation principle. For students who applied through OUAC, ApplyAlberta, or EducationPlannerBC, the application email is your primary identifier.

Step 3 — Map the data (Days 5–15). Identify every system holding the prospect's personal information: your CRM, email marketing platform (including CASL consent records), chatbot logs, event registration data, shared spreadsheets from education fairs, and any vendor systems that received the data. A prospect at a mid-size Canadian university can have personal information distributed across 8 to 12 distinct systems. Your Privacy Impact Assessment documentation — required under Law 25 for any technology system processing personal information — is the operational foundation for this step.

Step 4 — Apply the legal analysis (Days 15–25). For each data set, determine whether PIPEDA, Law 25, or applicable provincial PIPA permits retention based on a specific exception. Document your analysis in writing. Where deletion is required, schedule it. Where partial retention is justified, identify precisely which fields are retained, under which legal ground, and for how long.

Step 5 — Execute, confirm, and document (Days 25–30). Delete all personal information for which no retention ground exists, across every system and vendor. Issue written confirmation to the individual specifying what was deleted and — where relevant — what was retained and why. Retain a record of the request, the analysis, and the response for accountability purposes. If you require the full 60-day period, notify the individual of the extension, and the reason for it, before Day 30. Under Law 25, the response period is also 30 days with a 10-day extension available.

Retention Periods for Prospect Data

PIPEDA and Law 25 both require that personal information be retained only as long as necessary for the purpose for which it was collected. The OPC's guidance on retention recommends that institutions establish written retention schedules and enforce them systematically. The following periods represent operationally defensible benchmarks for Canadian institutions.

First-contact data (enquiry form, chatbot conversation, education fair registration): 12 months from last active contact if the prospect has not progressed to an application. Beyond 12 months, no active recruitment purpose remains for most prospects.

Active pipeline data (open house attendee, campus tour registrant, partially completed OUAC or ApplyAlberta application): up to 24 months from last engagement, aligned with the two-year admissions cycle common in Canadian universities.

Rejected or withdrawn application data: 6 months from the date the outcome was communicated. Accreditation and quality assurance requirements typically require aggregate outcome data, not individual prospect files.

CASL consent records: retain for as long as is necessary to demonstrate compliance with commercial electronic messaging obligations — typically 3 years from the consent event or its withdrawal. This is a record that consent was obtained, not a basis for retaining the underlying personal information beyond its stated purpose.

The outer limit: 3 years from last active contact is the maximum defensible retention period for any prospect data under PIPEDA's accountability and retention limitation principles and Law 25. Data held beyond this point carries material enforcement risk — and when a deletion request arrives, it will be harder to justify retention for data the institution should already have purged.
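
The schedule above as an enforceable check, added here as an illustration and not Skolbot's own code. The record shape, category keys and field names are hypothetical, and treating the CASL consent record as exempt from the 3-year outer limit on prospect data is an assumption.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

# Months of retention per category, from the schedule in this section.
RETENTION_MONTHS = {
    "first_contact": 12,        # from last active contact
    "active_pipeline": 24,      # from last engagement
    "closed_application": 6,    # from the date the outcome was communicated
    "casl_consent_record": 36,  # from the consent event or its withdrawal
}
OUTER_LIMIT_MONTHS = 36         # 3 years from last active contact


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of a shorter month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class ProspectRecord:           # hypothetical record shape
    record_id: str
    category: str               # must be a key of RETENTION_MONTHS
    anchor: date                # event the category's period runs from
    last_contact: date
    fields: frozenset           # field names held for this prospect
    legal_hold: dict = field(default_factory=dict)  # field -> documented ground


def purge_date(rec: ProspectRecord) -> date:
    # An unknown category raises KeyError: unclassified data gets no default period.
    by_category = add_months(rec.anchor, RETENTION_MONTHS[rec.category])
    if rec.category == "casl_consent_record":
        return by_category      # assumption: proof of consent follows its own clock
    return min(by_category, add_months(rec.last_contact, OUTER_LIMIT_MONTHS))


def evaluate(rec: ProspectRecord, today: date) -> dict:
    """Return the action for one record: retain, delete, or partial_delete."""
    due = purge_date(rec)
    if today < due:
        return {"record": rec.record_id, "action": "retain", "purge_on": due}
    held = {f: g for f, g in rec.legal_hold.items() if f in rec.fields}
    return {
        "record": rec.record_id,
        "action": "partial_delete" if held else "delete",
        "purge_on": due,
        "delete_fields": sorted(set(rec.fields) - set(held)),
        "retained": held,       # each retained field carries its legal ground
    }


# Constructed sample records, evaluated as of the article's date.
TODAY = date(2026, 4, 25)
SAMPLE = [
    ProspectRecord("p1", "first_contact", date(2025, 1, 15), date(2025, 1, 15),
                   frozenset({"email", "chat_log"})),
    ProspectRecord("p2", "closed_application", date(2025, 8, 31), date(2025, 8, 31),
                   frozenset({"email", "lead_score", "complaint_file"}),
                   {"complaint_file": "open complaint"}),
]
RESULTS = [evaluate(r, TODAY) for r in SAMPLE]
```

Run on a schedule against each system of record, the `partial_delete` result is what turns a legal hold into field-level retention instead of a blanket refusal.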

AI Chatbots, CRM Systems, and the Deletion Challenge

Deletion requests expose the multi-system complexity of modern enrolment management. A prospect who engaged with your institution via an AI chatbot may have personal information stored across: the chatbot platform's conversation logs; your CRM lead record; your email marketing platform (with associated CASL consent records); your event management system; and any third-party vendors — including U15 partner data-sharing arrangements or Maclean's Rankings submission data — to which information was disclosed.

Schools partnered with Skolbot handle a median of 195 qualified leads per month (Source: Skolbot Benchmark 2024–2025, panel of 18 institutions). At that volume, even a 1% deletion request rate generates approximately 2 requests per month, each requiring a cross-system investigation. Under Law 25, the obligation to respond is time-bound and backed by significant penalties; institutions without systematic data mapping routinely miss at least one system during deletion processing.

Four technical measures are essential for managing deletion requests on AI and CRM data:

1. A unified prospect identifier. Every system must use a common identifier — typically the prospect's email address or a CRM-generated ID — so that a single deletion request can be mapped across all platforms without manual cross-referencing.

2. A documented data inventory. Under Law 25, institutions must maintain records of all personal information systems. This documentation is also the operational map for Step 3 of the deletion process. See our guide on protecting prospect data under Canadian privacy law for the full framework.

3. Vendor deletion clauses in data processing agreements. Your agreements with CRM vendors, chatbot providers, email platforms, and any other service providers receiving prospect data must require those providers to delete data on your instruction. Under PIPEDA's accountability principle and Law 25's requirements for transfers outside Quebec, contractual protections are mandatory — not optional. Without a deletion mechanism in your vendor contract, you cannot fulfil your statutory obligation.

4. Documented deletion procedures per system. Some platforms offer API-based deletion of individual records; others require manual procedures or support tickets. Document the procedure for every system before a deletion request arrives, not while the 30-day clock is running.
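
Measures 1, 2 and 4 combined into a request tracker, added here as an illustration and not Skolbot's own code: every inventoried system needs a recorded outcome before the request can close, and the accountability record carries the reference number rather than the prospect's identifiers. System names, status values and the record layout are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

FINAL = {"deleted", "not_found", "retained"}   # statuses that close out a system


@dataclass(frozen=True)
class System:                 # one line of the data inventory (hypothetical shape)
    name: str
    id_field: str             # identifier this system keys prospects on
    procedure: str            # documented method: "api", "manual", "vendor_ticket"


@dataclass
class DeletionRequest:
    reference: str
    received: date
    identifiers: dict         # e.g. {"email": ...}; never copied into the audit record
    outcomes: dict = field(default_factory=dict)

    @property
    def respond_by(self) -> date:
        return self.received + timedelta(days=30)


def plan(req, inventory):
    """One task per inventoried system; 'resolvable' is False when the system
    keys on an identifier the request does not carry (manual cross-reference)."""
    return [{"system": s.name, "procedure": s.procedure, "lookup_by": s.id_field,
             "resolvable": s.id_field in req.identifiers} for s in inventory]


def record_outcome(req, inventory, system, status, ground=None):
    if system not in {s.name for s in inventory}:
        raise ValueError(f"{system} is not in the data inventory; add it first")
    if status not in FINAL:
        raise ValueError(f"unknown status {status!r}")
    if status == "retained" and not ground:
        raise ValueError("retained data needs a documented legal ground")
    req.outcomes[system] = {"status": status, "ground": ground}


def outstanding(req, inventory):
    return sorted(s.name for s in inventory if s.name not in req.outcomes)


def close_request(req, inventory, closed_on, verification):
    """Build the accountability record; refuse while any system is unaccounted for."""
    missing = outstanding(req, inventory)
    if missing:
        raise RuntimeError("cannot close, no outcome for: " + ", ".join(missing))
    return {"reference": req.reference, "received": req.received.isoformat(),
            "respond_by": req.respond_by.isoformat(), "closed": closed_on.isoformat(),
            "on_time": closed_on <= req.respond_by, "verification": verification,
            "systems": dict(req.outcomes)}


# Constructed inventory; names are placeholders, not real products.
INVENTORY = [
    System("crm", "email", "api"),
    System("email_platform", "email", "api"),
    System("chatbot_logs", "session_id", "vendor_ticket"),
    System("fair_spreadsheet", "email", "manual"),
]
```

A task that comes back with `resolvable` set to False marks a system that does not share the common identifier, which is where a deletion is most likely to be missed.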

For cookie and tracking data, deletion obligations intersect with consent management and CASL compliance. Our cookie consent guide for schools addresses those interactions in detail.

FAQ

Does a prospective student need to give a reason for their deletion request?

Under Law 25, no — a Quebec resident can request erasure without providing justification, and the burden of invoking an exception falls on the institution. Under PIPEDA, the framework is slightly different: the right to deletion arises primarily from consent withdrawal or purpose expiry, and the individual may need to specify the basis for the request. In practice, treat all deletion requests as valid and assess whether a retention ground applies. Asking for justification as a gatekeeping measure is not consistent with PIPEDA's accountability principle.

How does Law 25 differ from PIPEDA for deletion requests?

Law 25 introduces an explicit right to de-indexation and erasure (Arts. 28–31) that PIPEDA does not contain. Law 25 also requires a designated Privacy Officer, mandatory Privacy Impact Assessments for technology systems, and higher penalties. For Quebec-resident prospects, Law 25 governs even if your institution is headquartered in another province. For non-Quebec prospects at institutions outside Quebec, PIPEDA (or provincial PIPA in Alberta/BC) applies, with its more limited deletion right. Institutions recruiting nationally should align their processes to Law 25's higher standard — it also simplifies compliance with the forthcoming CPPA when Bill C-27 is enacted.

What if a prospect applied through OUAC — does the deletion request cover OUAC data?

No. OUAC is a separate data controller for the information it holds on the OUAC platform. Your deletion obligation extends only to personal information your institution holds directly. Inform the prospect that requests relating to data held by OUAC, ApplyAlberta, or EducationPlannerBC must be directed to those organisations separately. Document this distinction in your response.

Does CASL consent withdrawal equal a deletion request?

Not automatically. A prospect who unsubscribes from your commercial electronic messages under CASL has withdrawn consent for marketing email — but has not necessarily requested deletion of all personal information your institution holds. These are two separate rights. An unsubscribe must be honoured within 10 business days under CASL. A deletion request under PIPEDA or Law 25 triggers the full 30-day response process. In practice, many prospects mean both when they ask to "stop receiving contact" — your intake process should clarify this and handle both obligations in parallel where both are intended.

How should we document deletion requests for accountability purposes?

Retain a record of: the date the request was received; the identity verification method used; the systems checked; the legal analysis for any retained data; and the date and content of your response. This record should be maintained for at least 3 years and should not itself contain the personal information that was deleted. The record is not a retention of the deleted data — it is documentation of your compliance process, which the OPC or CAI may request in the event of a complaint.

To audit your institution's full privacy compliance posture — governance, consent, security, vendor contracts, and AI obligations — use our privacy audit checklist for schools.
