DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

πŸ‡¨πŸ‡¦ North America

Cookie consent in Canada

Consent and privacy law in Canada

In short
Canada's federal private sector law is PIPEDA, enforced by the Office of the Privacy Commissioner, and based on meaningful consent that can be express or implied depending on sensitivity. Quebec stands apart with Law 25, which significantly modernised provincial privacy rules between 2022 and 2024, adding strict consent, breach reporting, privacy by default, and the right to data portability. Law 25 also carries heavy penalties, up to 25 million Canadian dollars or 4 percent of worldwide turnover. Quebec requires that privacy settings be set to the highest level by default and that consent for cookies and profiling be clear. Alberta and British Columbia have their own substantially similar private sector laws.
Authority
Office of the Privacy Commissioner of Canada (OPC)
Status

PIPEDA federally since 2000, with Quebec's Law 25 phased in from 2022 to 2024

Primary law
PIPEDA
Languages

en, fr

Who must comply

Private-sector organizations that collect, use or disclose personal information in commercial activity in Canada.

Penalties

Quebec Law 25 fines up to 25 million Canadian dollars or 4 percent of worldwide turnover

Key obligations

  • Obtain meaningful consent
  • Limit collection to stated purposes
  • Be transparent about practices
  • Provide access to personal information
  • Safeguard the data held

Local guidance

  • Apply PIPEDA federally and Quebec Law 25 for Quebec residents
  • Set privacy settings to the highest level by default in Quebec
  • Provide notices in English and French
  • Prepare for breach reporting and data portability under Law 25

How ConsentX helps

  • Meaningful, plain-language consent
  • Purpose-specific categories
  • Access-request intake
  • Evidence trail
Get started free
yoursite.com
πŸ‡¨πŸ‡¦ Canada

We value your privacy

We ask for your consent before any non-essential cookie, with the rules that apply in your region.

Allow allReject non-essentialManage preferences

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with Canada using ConsentX

  1. 1

    Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Canada.

  2. 2

    Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor region and shows the consent experience that Canada requires, automatically.

  3. 3

    Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. 4

    Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a Canada audit.

  5. 5

    Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

What is Quebec's Law 25?+

Law 25 modernised Quebec's private sector privacy rules between 2022 and 2024. It adds strict consent, mandatory breach reporting, privacy by default, and data portability, with penalties up to 25 million Canadian dollars or 4 percent of worldwide turnover.

Which law applies across Canada?+

PIPEDA applies federally to private sector organisations, enforced by the Office of the Privacy Commissioner. Quebec, Alberta, and British Columbia have their own substantially similar provincial laws.

Governing law

πŸ‡¨πŸ‡¦ PIPEDAπŸ‡¨πŸ‡¦ Law 25

Other countries in North America

πŸ‡ΊπŸ‡Έ United StatesπŸ‡²πŸ‡½ MΓ©xico