Website Privacy Law in Canada: A Guide for Business Owners
If your business has a website that collects any personal information, website privacy law in Canada applies to you. That includes contact forms, email signups, analytics tracking, and online purchases.
The rules are less strict than what you've seen from Europe's GDPR, but they're real. PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal privacy law, and it sets out specific requirements for how you handle personal data on your website.
This guide covers what PIPEDA requires, when you need cookie consent, and why Quebec's Law 25 creates extra obligations for businesses that serve customers across provincial lines.
The Current State of Canadian Privacy Law
PIPEDA has been Canada's federal privacy law since 2000. You may have heard about Bill C-27, which proposed replacing PIPEDA with the Consumer Privacy Protection Act (CPPA). That bill died on the Order Paper when Parliament was prorogued on January 6, 2025, and it was not reintroduced after the April 2025 federal election. The Carney government has signalled that new privacy legislation will be introduced separately from AI regulation, but as of February 2026, no standalone replacement has been tabled.
That matters: a lot of content online tells businesses to "prepare for CPPA compliance," but PIPEDA is still the law in force.
Here's how privacy law breaks down across Canada:
| Jurisdiction | Law | Applies to |
|---|---|---|
| Federal (including Ontario) | PIPEDA | Private-sector commercial activities |
| Quebec | Law 25 (Act respecting the protection of personal information in the private sector, as amended) | Organisations carrying on an enterprise and processing personal information in Quebec contexts |
| British Columbia | PIPA | Private-sector organisations in BC |
| Alberta | PIPA | Private-sector organisations in Alberta |
Ontario does not have its own private-sector privacy law. If your business is in Ontario, you operate under PIPEDA for commercial activities. The Office of the Privacy Commissioner of Canada has a full breakdown of how federal and provincial laws interact.
What PIPEDA Requires for Your Website
PIPEDA is built around 10 Fair Information Principles that govern how you collect, use, and disclose personal information. Five requirements that flow from those principles and from the Act itself have direct implications for your website.
1. A clear privacy policy
Your website needs a privacy policy that explains:
- What personal information you collect (names, emails, phone numbers, IP addresses, cookies)
- Why you collect it (contact requests, analytics, marketing)
- How you use and store it
- Who you share it with (analytics providers, email platforms, payment processors)
- How long you keep it
- How someone can access or correct their information
The Canadian Federation of Independent Business recommends making your privacy policy easy to find and written in plain language. Don't bury it. Link to it from your footer on every page.
Our guide to writing a privacy policy for your business website walks through each of these sections with examples and specific guidance for Ontario businesses.
2. A designated privacy officer
Under PIPEDA, your organisation must designate someone responsible for privacy compliance. For most small businesses, this is the owner. The OPC's guidance for businesses says this person's contact information should be publicly available so people can reach them with questions or requests.
3. Meaningful consent before collecting personal data
PIPEDA requires that people know about and consent to the collection of their personal information. The key word is "meaningful." The OPC's Guidelines for Obtaining Meaningful Consent (2018) spell out what this looks like: people need to understand what they're agreeing to.
On your website, that looks like:
- Contact forms should state how you'll use the information submitted
- Email signup forms should explain what subscribers will receive
- If you're collecting information for a specific purpose, you can't use it for something else without getting new consent
4. Breach notification
If a privacy breach creates a "real risk of significant harm" to individuals, section 10.1 of PIPEDA requires you to notify affected people and report the breach to the Privacy Commissioner as soon as feasible. Section 10.3 also requires you to keep records of every breach, including breaches that do not trigger notification.
Under section 28 of PIPEDA, knowingly failing to report a breach or maintain breach records is an offence. Indictable offences carry fines up to $100,000 per violation, while summary conviction offences carry up to $10,000.
5. Respond to access requests
If someone asks what personal information you hold about them, section 8(3) of PIPEDA requires you to respond with due diligence and no later than 30 days after receiving the request. Section 8(4) allows limited extensions in specific circumstances.
The Cookie Consent Question
You've seen the cookie banners on European websites and might wonder if your Canadian site needs one too.
It depends on what your cookies do.
[Figure: Cookie consent decision flow for Canadian websites. Explicit opt-in before loading when non-essential tracking is used; Law 25 baseline when actively serving Quebec customers.]
What PIPEDA says about cookies
PIPEDA doesn't mention cookies by name. It covers "personal information," which the Privacy Commissioner defines as information about an identifiable individual. Cookies that collect this kind of data fall under PIPEDA's consent requirements.
The Privacy Commissioner's guidelines on online behavioural advertising clarify how consent works for tracking:
Implied consent (opt-out) is acceptable when:
- The information collected is not sensitive
- The collection purpose is clearly explained in your privacy policy
- Users have a clear and accessible way to opt out
- The opt-out takes effect immediately
Explicit consent (opt-in) is required when:
- You're collecting sensitive personal information
- The data use goes beyond what a user would reasonably expect
- You're tracking users for targeted advertising across websites
Based on those OPC guidelines, a standard analytics setup (like Google Analytics with IP anonymisation) can generally operate under implied consent, as long as your privacy policy discloses it. But retargeting pixels, third-party ad trackers, and cross-site behavioural tracking need explicit consent.
What about CASL?
CASL (Canada's Anti-Spam Legislation) is mainly about commercial electronic messages and software installation rules. Under CASL section 10(8), consent to the installation of certain programs (including cookies, HTML code, and JavaScript) is deemed to be given when a person's conduct reasonably indicates consent. Whether cookies technically qualify as "computer programs" under CASL is debated among privacy practitioners, but the provision is commonly referenced in this context. For cookie banners on business websites, PIPEDA and Quebec Law 25 are usually the more relevant frameworks. Our guide to CASL email marketing rules covers the consent and message requirements in detail.
The practical answer
Most Ontario business websites don't need a full GDPR-style cookie popup. Adding a consent banner does come with trade-offs — you'll lose some analytics data from visitors who opt out, and the extra step creates friction. But if your site runs advertising or cross-site tracking scripts, the legal risk of skipping consent is worse than the data loss. What you do need:
- A privacy policy that clearly discloses your use of cookies and tracking
- An easy way for users to opt out of non-essential tracking
- Explicit consent before running retargeting or cross-site advertising scripts
- No tracking users before they've had a chance to understand what's being collected
If your website uses Google Analytics, a contact form, and nothing else, your privacy policy disclosure is likely sufficient. If you're running Facebook Pixel, Google Ads remarketing, or other third-party advertising trackers, you need a consent tool. Our guide to cookie consent for Canadian websites covers how to choose and set one up.
Quebec's Law 25: The Stricter Standard
If your business serves customers in Quebec, or your website collects personal information from Quebec residents, a different set of rules applies.
Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25 (the amending statute, originally Bill 64), sets a stricter baseline than PIPEDA in several areas. It's closer to GDPR than PIPEDA is.
Key differences from PIPEDA:
| Requirement | PIPEDA | Quebec Law 25 |
|---|---|---|
| Cookie consent | Implied consent often acceptable | Explicit opt-in generally expected for non-essential tracking |
| Privacy by default | Not required | Required. Functions that identify, locate or profile a visitor must stay off until the person activates them (the Act's default-settings rule carves out cookie settings, so the opt-in attaches to the tracking function itself) |
| Data portability | Not required | Must provide data in machine-readable format within 30 days |
| Privacy impact assessments | Not required | Required for new systems involving personal data |
| Maximum penalties | $100,000 per offence | $25,000,000 or 4% of global turnover, whichever is greater |
Does Law 25 apply to you? If your Ontario business actively serves Quebec customers and collects personal information from them, it can apply. The law focuses on organisations carrying on an enterprise and processing personal information in that context, so applicability depends on your activities and legal nexus, not only whether someone in Quebec can open your site.
This is the one area where a cookie consent banner makes clear sense for Ontario businesses. If you serve a pan-Canadian market, your safest approach is to set up Quebec-compliant consent for all visitors.
What Your Website Needs: A Practical Checklist
Your requirements depend on your situation.
[Figure: Website privacy compliance checklist for Canada. Baseline requirements for all business websites, analytics and ad script consent controls, and Quebec-specific obligations.]
Every Canadian business website
- Privacy policy page linked from your site footer, written in plain language
- Disclosure of cookies you use and their purpose, in your privacy policy
- Contact information for your privacy officer (often the business owner)
- Consent on forms stating how submitted information will be used
- A breach response plan so you know what to do if personal data is exposed
- A process for access requests so you can respond within 30 days
If you use advertising or tracking scripts
- Cookie consent tool before loading non-essential scripts
- Clear opt-out option that takes effect immediately
- Separate consent for different purposes (analytics vs. advertising)
If you serve Quebec customers
- Opt-in consent for non-essential tracking cookies
- Privacy by default where tracking is off until the user enables it
- Data portability process to provide personal data in machine-readable format on request
- Privacy impact assessments for any new data collection systems
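As an added illustration of the consent gating described in "The practical answer" and in the checklist above (this is example code written for this guide, not a consent tool's own code or any vendor's API), the snippet below is a small purpose-split consent manager that runs under Node. It models the two starting points the guide contrasts: the PIPEDA baseline, where disclosed analytics runs on implied consent but advertising waits for an opt-in, and the Law 25 baseline, where every non-essential category is off until enabled. Scripts are parked until their category is consented, withdrawal stops further loading and runs teardown immediately, and the decision can be serialised for a first-party consent cookie. The `inject` and `teardown` hooks, the regime keys, and the script names are hypothetical: in a browser, `inject` would append a script element and `teardown` would delete the vendor's cookies or set its documented disable flag (for Google Analytics, `window['ga-disable-<MEASUREMENT_ID>'] = true`).

```javascript
// Consent-gated loading of third-party scripts, split by purpose.
// Hypothetical example for this guide; no framework, runnable under Node.

const CATEGORIES = ['necessary', 'analytics', 'advertising'];

// Starting state before the visitor has made any choice.
//   pipeda: disclosed analytics may run on implied consent (opt-out);
//           advertising / cross-site tracking needs explicit opt-in.
//   law25:  privacy by default, every non-essential category off until enabled.
function defaultConsent(regime) {
  if (regime === 'pipeda') return { necessary: true, analytics: true, advertising: false };
  if (regime === 'law25') return { necessary: true, analytics: false, advertising: false };
  throw new Error(`unknown regime: ${regime}`);
}

class ConsentManager {
  constructor(regime, hooks) {
    this.state = defaultConsent(regime);
    this.inject = hooks.inject;     // hypothetical hook: (script) => void, one call per script that fires
    this.teardown = hooks.teardown; // hypothetical hook: (category) => void, run the moment consent is withdrawn
    this.queued = { analytics: [], advertising: [] };
    this.loaded = [];               // scripts that actually fired, with their category
  }

  // Register a script under a purpose. It fires now only if that purpose is
  // already consented; otherwise it waits, so nothing runs before the visitor
  // has had a chance to decide.
  register(category, script) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.state[category]) this.fire(category, script);
    else this.queued[category].push(script);
  }

  fire(category, script) {
    this.inject(script);
    this.loaded.push({ category, script });
  }

  // Positive choice for one purpose: flip the flag and flush its queue.
  // Granting advertising does not touch analytics, and vice versa.
  grant(category) {
    if (category === 'necessary') return;
    this.state[category] = true;
    this.queued[category].splice(0).forEach((s) => this.fire(category, s));
  }

  // Withdrawal takes effect immediately: nothing else in the category fires,
  // anything still waiting is dropped, and teardown runs now rather than on
  // the next visit.
  withdraw(category) {
    if (category === 'necessary') return; // strictly necessary cannot be opted out of
    this.state[category] = false;
    this.queued[category] = [];
    this.teardown(category);
  }

  // Serialise the decision for a first-party consent cookie. The version lets
  // a later change to the policy text force a fresh ask.
  snapshot(version = 1) {
    return JSON.stringify({ v: version, ts: Date.now(), ...this.state });
  }
}

// Walk through the scenario the checklist describes, with hooks that only
// record what happened so the sequence can be inspected.
function demo(regime) {
  const events = [];
  const cm = new ConsentManager(regime, {
    inject: (s) => events.push(`load:${s}`),
    teardown: (c) => events.push(`teardown:${c}`),
  });
  cm.register('necessary', 'session.js');    // e.g. CSRF/session handling
  cm.register('analytics', 'analytics.js');  // disclosed analytics
  cm.register('advertising', 'ads-pixel.js'); // retargeting: explicit opt-in only
  cm.grant('advertising');                   // visitor accepts advertising
  cm.withdraw('analytics');                  // later opts out of analytics
  cm.register('analytics', 'heatmap.js');    // must stay parked now
  return { events, state: { ...cm.state } };
}

console.log(JSON.stringify(demo('pipeda')));
console.log(JSON.stringify(demo('law25')));
```

Under the PIPEDA start state the analytics script fires on page load and only the pixel waits; under the Law 25 start state both wait, and the withdrawal of analytics also discards the still-queued analytics script. In both cases the later `heatmap.js` registration never fires because the withdrawal already flipped the flag.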
What We Build Into Every Site
We build privacy compliance into every site we deliver:
- We customise a privacy policy to match what your site actually collects, not a generic boilerplate that tries to cover everything.
- If your site uses analytics or third-party tools, we configure them to respect consent preferences. Scripts don't fire until consent conditions are met.
- We don't add tracking or analytics unless there's a clear business reason. Fewer scripts means less to disclose and less compliance risk.
- Contact forms include clear language about how submitted data will be used, and form data is transmitted over an encrypted (HTTPS) connection.
We wrote about how our security setup works in a separate post. Privacy and security overlap more than most people expect — a data breach is both a security failure and a privacy violation.
If your contact forms trigger email workflows, our guide to SPF, DKIM, and DMARC explains how to reduce spoofing and phishing risk around customer communications.
Common Mistakes
No privacy policy at all. This is the most basic PIPEDA violation, and it's common. If your website has a contact form, you need a privacy policy.
Copying a US or EU template. Privacy policies written for GDPR or CCPA reference laws and requirements that don't apply in Canada. Use a policy that references PIPEDA and, if applicable, Quebec's Law 25. We explain why template policies fall short and what to do instead in our privacy policy writing guide.
Ignoring Quebec. If your Ontario business actively markets to or serves Quebec customers, Law 25 may apply even if you're based outside Quebec. Many businesses miss this cross-jurisdiction risk.
If you're rebuilding your site, include privacy and consent requirements in your website redesign checklist so legal content and scripts are reviewed before launch.
Using Google Analytics without disclosure. Google Analytics collects IP addresses and browsing behaviour. Your privacy policy needs to disclose this. If you've configured GA4, check whether your implementation uses anonymised data or full data collection. It matters for your consent obligations. Our guide to Google Analytics privacy in Canada covers how to configure GA4 for compliance.
No opt-out mechanism. PIPEDA requires that users can withdraw consent. If someone can sign up for your email list on your website, there must be a clear way to unsubscribe. If your site uses tracking cookies, there should be a way to opt out.
The Bottom Line
Every business website that collects personal information needs to comply with PIPEDA, and businesses serving Quebec customers face the stricter requirements under Law 25. If you take away one thing from this post, make it this list:
- Have a privacy policy that explains what you collect and why
- Designate a privacy officer and publish their contact information
- Get meaningful consent before collecting personal data
- Disclose cookies and tracking in plain language
- Give users a clear way to opt out
- Know what to do if a breach happens
- If you serve Quebec, set up opt-in consent for tracking
This post is educational information, not legal advice. Privacy requirements depend on your specific business, the data you collect, and the jurisdictions you serve. For legal interpretation of your obligations, consult a qualified privacy lawyer.
Need Help With Website Privacy Compliance?
If you're not sure whether your website meets PIPEDA requirements, or whether Quebec's Law 25 applies to your business, we can take a look. We'll review your current setup and explain what we find in plain terms.
Get a free website privacy review: Contact us at info@ylx.ca
We review your site's technical privacy setup and identify gaps. For legal interpretation of your specific obligations, we recommend consulting a privacy lawyer.
FAQ
Does my Canadian website need a cookie consent banner?
Not necessarily. Under PIPEDA, implied consent is acceptable for non-sensitive cookies like basic analytics, as long as your privacy policy clearly explains what you collect and why. You do need explicit consent for tracking cookies used in targeted advertising. If you serve Quebec residents, opt-in consent for non-essential tracking cookies is generally expected.
What is PIPEDA and does it apply to my business?
PIPEDA is Canada's federal privacy law governing how private-sector organisations collect, use, and disclose personal information during commercial activities. It applies to businesses in Ontario and most other provinces. Alberta, British Columbia, and Quebec have their own substantially similar provincial laws.
What privacy features does my website legally need?
At minimum, your website needs a privacy policy explaining what personal information you collect and why, a designated privacy officer with published contact information, a process for handling access requests within 30 days, and a breach notification procedure. If you use cookies, you need clear disclosure of what they do.
Does Quebec's Law 25 apply to Ontario businesses?
It can, especially if you actively serve Quebec customers and collect their personal information. Scope depends on your business activities and legal nexus, not just whether your site is visible in Quebec. Law 25 sets stricter consent and governance requirements, with penalties that can reach $25 million or 4% of global turnover.
Further Reading
- Cookie Consent for Canadian Websites: What You Actually Need. Not every Canadian website needs a cookie banner. Here's when consent is required under PIPEDA and Quebec's Law 25, and how to set one up properly.
- Bill C-27 Failed: What Canadian Businesses Do Next. Bill C-27 is dead. Learn what still applies under PIPEDA, where Quebec Law 25 raises compliance risk, and what your business website should change this quarter.
- Google Analytics Privacy in Canada: Is Your Setup Compliant? GA4 is on most business websites, but most setups need changes for Canadian privacy law. Learn how to configure Google Analytics for PIPEDA and Law 25.