Which regulatory agencies enforce this type of clause?

{'agency': 'State_AG', 'reason': "The Office of the Privacy Commissioner of Canada and Quebec's Commission d'accès à l'information are the relevant enforcement authorities for cross-border transfer violations under PIPEDA and Quebec Law 25.", 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Cross-Border Data Transfers clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Cross-Border Data Transfers clauses across approximately 55 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Cross-Border Data Transfers — Instacart

Share 𝕏 Share in Share 🔒 PDF

What it is

Instacart may transfer your personal data to servers or partners located in countries outside your own, including from Canada to the United States, where different privacy laws apply.

Consumer impact (what this means for users)

Canadian Instacart users' personal data is transferred to the United States, where it is subject to US surveillance laws and may not benefit from the same level of privacy protection as under Canada's PIPEDA.

Cross-platform context

See how other platforms handle Cross-Border Data Transfers and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

If your data is transferred to the US from Canada, it becomes subject to US government access laws and may receive fewer legal protections than under Canadian privacy law.

View original clause language

Cross-Border Transfers

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: Cross-border transfers from Canada to the US are governed by PIPEDA (S.C. 2000, c. 5, Schedule 1, Principle 4.1.3), which requires organizations to use contractual or other means to provide comparable protection to personal information transferred to third parties in other jurisdictions. Canada's Law 25 (Quebec) imposes heightened transfer restrictions including privacy impact assessments. The EU GDPR Chapter V framework (Arts. 44-49) applies if EU residents' data is involved, though the policy appears primarily US/Canada focused. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

State AG

The Office of the Privacy Commissioner of Canada and Quebec's Commission d'accès à l'information are the relevant enforcement authorities for cross-border transfer violations under PIPEDA and Quebec Law 25.
File a complaint →

Provision details

Document information

Document

Instacart Privacy Policy

Entity

Instacart

Document last updated

April 29, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 18, 2026

Record ID

CA-P-002841

Document ID

CA-D-00136

Evidence Provenance

Source URL

https://www.instacart.com/privacy

Wayback Machine

View archived versions →

SHA-256

1820e1895d1605ebc16eff3b8fdeb7771e97e65214aedd6a6e598e4b96e3cb08

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Instacart | Document: Instacart Privacy Policy | Record: CA-P-002841
Captured: 2026-04-18 10:07:50 UTC | SHA-256: 1820e1895d1605eb…
URL: https://conductatlas.com/platform/instacart/instacart-privacy-policy/cross-border-data-transfers/
Accessed: May 2, 2026

Classification

Severity

Medium

Cross-Border Data Transfers