Table of Contents
Identity theft in Canada, under Section 402.2 of the Criminal Code, makes it a crime to obtain or possess someone else’s personal identity information with the intention of using it to commit a serious fraud-related offence. This is classified as a hybrid offence, meaning the Crown can choose to proceed either by summary conviction (less serious) or by indictment (more serious). Under the national Uniform Crime Reporting system, identity theft is recorded as UCR code 2165. In practical terms, identity theft Canada law targets behaviour at the early “information” stage—before the fraud may actually happen—so police and courts can intervene earlier to protect victims.
The Legal Definition
“Every person commits an offence who obtains or possesses another person's identity information with intent to use it to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.”
This wording from Criminal Code, s. 402.2(1) sets out three core ingredients the Crown must prove beyond a reasonable doubt: (1) the accused obtained or possessed identity information, (2) that information belonged to another real person, and (3) the accused intended to use that information to commit an indictable offence involving fraud, deceit, or falsehood (for example, fraud, identity fraud, or other deception-based crimes).
“Identity information” is defined broadly in section 402.1 of the Criminal Code. It includes almost any data that can identify a person: names, addresses, dates of birth, driver’s licence numbers, credit and debit card numbers, bank account details, passwords, government ID numbers, as well as biometrics like fingerprints, voiceprints, retina/iris images, and DNA profiles. Under identity theft Canada law, simply having another person’s identity data is not enough—there must be a proven intention to use it in a fraud-related indictable offence. This is what separates criminal identity theft from ordinary, lawful possession of someone’s information (for example, an employer or family member holding documents with permission).
Penalties & Sentencing Framework
- Offence type: Hybrid (can be prosecuted by summary conviction or by indictment)
- Mandatory minimum penalty: None
- Maximum penalty (indictable): 5 years' imprisonment
- Maximum penalty (summary): Up to 2 years less a day imprisonment, or a fine up to $5,000, or both (under s. 787)
Because identity theft is a hybrid offence, the Crown decides whether to proceed summarily or by indictment based on the seriousness of the conduct, the scale of the scheme, the number of victims, and the amount of harm or loss involved. Proceeding by indictment exposes the accused to a maximum of five years in prison, placing this crime in the mid-range of property and fraud offences. Proceeding summarily caps jail at two years less a day and/or a $5,000 fine, which is more typical of smaller, less sophisticated incidents.
There is no mandatory minimum sentence for identity theft under Section 402.2. Judges therefore have a wide range of options: they can grant a discharge (in rare, very minor cases), impose a fine, probation, a conditional sentence (jail served in the community) where legally permitted, or custody up to the applicable maximum. The absence of a minimum also allows courts to tailor sentence length and conditions to factors such as prior record, the level of planning, the number and vulnerability of victims, the financial and emotional harm caused, and any steps taken to make restitution.
Sentencing judges must apply the general principles in Part XXIII of the Criminal Code (ss. 718 and following). In identity theft cases, this often means emphasizing denunciation (public condemnation of the conduct), deterrence (discouraging the offender and others from similar crimes), and restitution where possible. Under section 738, courts can order offenders to reimburse victims’ out-of-pocket expenses for re-establishing their identity, including replacing documents and correcting credit records. In more serious cases, or where identity theft is part of a broader fraud or document-forgery scheme, identity theft charges are often combined with related offences such as identity fraud (s. 403), forgery, or unlawful possession of government documents, and the overall sentence reflects the total pattern of criminal conduct.
Common Defenses
-
Lack of intent
The Crown must prove that the accused not only possessed another person’s identity information, but also intended to use it to commit an indictable offence involving fraud, deceit, or falsehood. If the defence can raise a reasonable doubt about this intent—such as showing the information was held for a legitimate purpose, by accident, or without any plan to use it dishonestly—then the offence is not made out. For example, someone who finds a wallet and keeps it overnight before turning it in may be criticized morally, but without proof of an intention to commit fraud, they are not guilty of identity theft under Section 402.2. -
Mistaken identity
Identity theft cases often involve digital evidence, multiple devices, or shared living or workspaces. The defence can argue that the Crown has misidentified the accused as the person who actually obtained or possessed the identity information. This may involve alibi evidence, demonstrating that other individuals had access to the same computer or storage media, or showing that IP addresses, logins, or physical documents could have been linked to the wrong person. If the court is unsure who actually had the criminal possession and intent, an acquittal must follow. -
Lack of evidence
It is not enough for the Crown to show suspicious circumstances. The prosecution must prove: (1) the data qualifies as “identity information” under section 402.1, (2) it belonged to a real, identifiable person, and (3) the accused intended to use it in an indictable fraud-related offence. If any link is missing—such as unclear ownership of the data, absence of evidence tying the accused to the files, or no credible proof of a fraudulent plan—the defence can argue that the Crown has not met the burden of proof beyond a reasonable doubt. -
Consent from the alleged victim
If the person whose identity information is in issue authorized the accused to hold or use that information for a legitimate reason (for example, granting a spouse, business partner, or caregiver access to banking or personal documents), then mere possession is not criminal. The key question remains whether the accused intended to use the information for a fraud-related indictable offence. Where the defence can show genuine consent and an absence of fraudulent intent—such as routine handling of documents in a workplace or trusted family context—identity theft is not established. -
Unlawful search and seizure
Identity theft investigations often rely on searches of computers, phones, cloud accounts, or residences. Under section 8 of the Canadian Charter of Rights and Freedoms, individuals are protected against unreasonable search and seizure. If police obtained identity information through an invalid warrant, exceeded the scope of a warrant, conducted a search without lawful authority, or otherwise violated Charter rights, the defence may seek exclusion of the evidence under section 24(2). If critical identity information is excluded because of an unlawful search, the remaining Crown case may collapse. -
Duress
Duress may apply where an accused only obtained or possessed identity information because they were threatened with immediate death or bodily harm if they refused. Under section 17 of the Criminal Code and the common law, the defence must show serious, present threats and a lack of safe avenues of escape. Although subject to strict limits, if credible evidence shows that the accused committed the identity theft conduct only because of coercion and in fear for their safety, a court may find them not criminally responsible.
Real-World Example
Imagine someone finds a discarded credit card or a document with full credit card details and decides to keep it with plans to use the account information for unauthorized online purchases. Even before they make a single fraudulent transaction, simply possessing that card or data with the intent to commit credit card fraud can amount to identity theft under Section 402.2. Police who recover the card, see it saved in the person’s phone, or uncover messages where the person discusses using it for purchases could rely on that evidence to show the necessary fraudulent intent. If the person actually goes on to use the information to impersonate the cardholder and complete transactions, they may also face separate charges of fraud (s. 380) or identity fraud (s. 403) in addition to identity theft. The courts would assess all the surrounding facts—planning, number of attempts, any loss to the victim, and steps to conceal the conduct—when deciding both guilt and sentence.
Record Suspensions (Pardons)
Because identity theft under Section 402.2 is a hybrid offence, it is treated as either a summary or indictable offence depending on how the Crown proceeds, and this affects record suspension (pardon) timelines. For hybrid offences proceeded with summarily, the waiting period for a record suspension is generally shorter than for indictable matters. Where the Crown proceeds by indictment, identity theft is treated as an indictable property/fraud-type offence and is subject to the longer waiting period applicable to indictable convictions under the Criminal Records Act. In all cases, an applicant must have fully completed their sentence (including any probation and restitution) and remained crime-free during the applicable waiting period. The Parole Board of Canada then assesses the application, considering public safety, the nature of the offence, and the person’s rehabilitation. A record suspension does not erase the conviction, but it can separate it from most routine criminal record checks, which can be significant for employment and travel involving identity-sensitive roles such as banking, IT, and government work.
Related Violations
- Identity Fraud (Criminal Code, s. 403)
- Forgery
- Fraud (Criminal Code, s. 380)
