Three laws, not one: understanding the landscape
Canadian online compliance is not governed by a single statute. Three separate legal frameworks — each with its own administrator, its own consent standard, and its own enforcement mechanism — apply in parallel to most Canadian business websites. Understanding that they are distinct is the first step to complying with all of them.
PIPEDA (the Personal Information Protection and Electronic Documents Act) is federal privacy legislation. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. It is administered by the Office of the Privacy Commissioner of Canada.
CASL (Canada's Anti-Spam Legislation) is federal legislation governing commercial electronic messages — emails, text messages, and certain in-app messages sent for commercial purposes. It is administered by the Canadian Radio-television and Telecommunications Commission (CRTC), with enforcement shared with the Competition Bureau and the Office of the Privacy Commissioner.
Quebec Law 25 (formally, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) is provincial privacy legislation that applies to any organization — regardless of where it is based — that collects personal information about Quebec residents. It is administered by the Commission d'accès à l'information (CAI). It came into full force in September 2023 and is, in several respects, stricter than PIPEDA.
A business based in Ontario, sending newsletters to subscribers across Canada, with a website visited by Quebec residents, is subject to all three laws simultaneously. That is not an unusual situation — it is the normal operating environment for most Canadian online businesses.
PIPEDA: the privacy foundation
PIPEDA applies to any private-sector organization engaged in commercial activity that collects, uses, or discloses personal information. Personal information is defined broadly: any information about an identifiable individual. An email address, an IP address, a name, a purchase history — all qualify.
The law is organized around ten Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and the ability to challenge compliance. For a website operator, the most immediately relevant are consent (you need it before collecting personal information), purpose limitation (you can only use data for the purpose for which it was collected), and safeguards (you must protect personal information with security appropriate to its sensitivity).
PIPEDA also requires mandatory breach reporting. If your website is compromised and personal information is exposed in a way that creates a real risk of significant harm to individuals, you must report to the Privacy Commissioner and notify affected individuals. Failure to report is itself an offence.
Three provinces — British Columbia, Alberta, and Quebec — have provincial privacy legislation that the federal government has deemed substantially similar to PIPEDA. For organizations operating entirely within one of those provinces, the provincial law typically takes precedence. In practice, for any business operating online with visitors from multiple provinces, PIPEDA remains the baseline federal framework, and Quebec Law 25 adds requirements on top of it for Quebec-based interactions.
CASL: the email and marketing layer
CASL governs commercial electronic messages (CEMs) — any electronic message sent to an electronic address that encourages participation in a commercial activity, whether or not there is an expectation of profit. This covers newsletters, promotional emails, transactional emails that include upsells, and most B2B marketing communications.
The core requirement is consent. CASL recognizes two categories: express consent and implied consent. Express consent requires a clear affirmative action — the recipient checked a box, filled out a sign-up form — with a clear description of the messages they are consenting to receive, and the name and contact information of the sender. Pre-ticked checkboxes do not constitute express consent. Implied consent applies in narrower circumstances: when you have an existing business relationship with someone (a customer who made a purchase or inquiry within the past two years), or when the recipient has published their address and has not stated they do not want to receive CEMs.
Every CEM must include the sender's name and contact information, a functioning unsubscribe mechanism, and honoring of unsubscribe requests within ten business days. These requirements apply even when implied consent is the basis for sending.
CASL enforcement has produced significant fines. The CRTC has issued penalties exceeding $1 million against individual organizations. The law also includes a private right of action — allowing individuals to sue for violations — though this provision has not yet come into force. CASL is not a law with soft teeth.
CASL's two-year clock. Implied consent based on an existing business relationship expires two years after the most recent transaction or inquiry. After that, you need express consent to keep sending. Many businesses inadvertently violate CASL by continuing to email lapsed customers without realizing the implied consent window has closed.
Quebec Law 25: the strictest standard
Quebec Law 25 applies to any organization — based anywhere — that collects personal information about Quebec residents by technological means. If any meaningful portion of your website visitors are in Quebec, Law 25 applies to you.
The law introduced several requirements that go beyond what PIPEDA demands. A privacy impact assessment (PIA) is required before implementing any new technology that collects personal information — which covers deploying a new contact form, installing a new analytics tool, or adding a chat widget. The PIA does not need to be elaborate for a small business, but it must be documented.
Law 25 requires explicit consent for non-essential cookies and tracking technologies. A cookie banner with "Accept" and "Decline" options is the minimum. Continuing to track visitors who have not consented — which is standard practice with Google Analytics deployed without a consent layer — is a Law 25 violation for Quebec visitors.
Every organization subject to Law 25 must have a published privacy policy on its website, a named privacy officer (for a small business, this can be the owner), and a process for handling requests to access, correct, and delete personal information. Law 25 also introduced the right to data portability — individuals can request their data in a structured, commonly used format — and the right to be forgotten, meaning requests for deletion of personal information must be honored in most circumstances.
Enforcement sits with the CAI, which can impose administrative monetary penalties up to $10 million or 2% of worldwide turnover for violations, and up to $25 million or 4% of worldwide turnover for serious offences. These are among the stiffest privacy penalties in Canadian law, comparable in structure to the EU's GDPR regime. The CAI began active enforcement in 2024 and has demonstrated a willingness to pursue complaints from individuals and conduct proactive investigations.
Where the three laws overlap — and where they diverge
The three laws converge around consent. All three require that you obtain meaningful agreement from individuals before collecting their personal information or sending them marketing communications. But they define meaningful consent differently and apply it to different activities.
PIPEDA allows implied consent for non-sensitive personal information in contexts where the purpose is obvious — a contact form submission implicitly consents to being contacted. CASL allows implied consent for marketing emails to existing customers for up to two years. Quebec Law 25 requires explicit, affirmative consent for non-essential data collection and tracking, regardless of whether the information is sensitive.
This divergence creates a hierarchy in practice. For Quebec visitors, the Law 25 standard for explicit consent is stricter than PIPEDA's implied consent standard. A website that relies on implied consent for analytics (which is arguably permissible under PIPEDA) needs a proper consent layer for Quebec visitors. The safest approach is to build to the most demanding standard — Law 25 — and let that cover your PIPEDA obligations as well.
CASL occupies its own lane. It does not govern privacy in the PIPEDA sense — it does not care about how you store personal information, how long you retain it, or how you secure it. It cares about whether you had consent before sending a commercial electronic message, whether your messages include the required identification and unsubscribe mechanism, and whether you honored unsubscribe requests promptly. You can be fully PIPEDA and Law 25 compliant while simultaneously violating CASL if your email practices are not in order.
What your website actually needs to do
Translating three overlapping legal frameworks into concrete website requirements is easier than it sounds, because many of the requirements point toward the same practical implementations.
Your website needs a real privacy policy — not a generic template, but a document that accurately describes what personal information you collect (contact form data, analytics, cookies), why you collect it, who you share it with (your web host, your email marketing platform, your analytics provider), how long you retain it, and how individuals can access, correct, or request deletion of their information. The policy must name a privacy contact. Link it from your footer on every page. This satisfies PIPEDA's openness principle and Law 25's published policy requirement.
Your website needs a cookie consent mechanism if you use tracking technologies. For visitors outside Quebec, a disclosure-based approach (telling people you use analytics in your privacy policy, with an opt-out) may satisfy PIPEDA. For Quebec visitors, explicit opt-in consent for non-essential cookies is required. A consent management platform that presents a proper Accept/Decline interface and withholds analytics scripts until consent is given is the right implementation. Build it once and apply it to all visitors.
Your contact form needs a purpose statement. A single sentence near the submit button explaining what the information will be used for — "We use this information to respond to your enquiry and will not add you to a mailing list without your consent" — satisfies PIPEDA's purpose identification requirement at the point of collection.
Your email marketing list needs documented consent records. For every subscriber, you should be able to demonstrate when they signed up, what they consented to, and the mechanism through which consent was obtained. Most reputable email marketing platforms (Mailchimp, Klaviyo, Campaign Monitor) maintain these records automatically if you configure opt-in forms correctly. Verify that your forms do not pre-tick the subscribe checkbox, that your consent language is specific, and that your unsubscribe link works and is honored promptly.
Enforcement: what non-compliance costs
PIPEDA enforcement is complaint-driven and historically measured. The Privacy Commissioner can investigate, recommend remediation, and refer matters to Federal Court — which can issue orders and award damages. Fines for PIPEDA violations reach $100,000 per offence. Mandatory breach reporting violations carry the same maximum.
CASL enforcement is more aggressive. Administrative monetary penalties can reach $1 million per violation for individuals and $10 million per violation for organizations. The CRTC has demonstrated willingness to use these powers, with several high-profile enforcement actions against businesses of all sizes.
Quebec Law 25 enforcement is the most consequential in terms of maximum penalties — up to $25 million or 4% of worldwide turnover for serious violations. The CAI has been active since Law 25 came into full force and has published guidance indicating it will prioritize proactive investigations, not just complaints. Businesses with Quebec customers who have not implemented cookie consent or published an adequate privacy policy are exposed.
Reputational risk compounds regulatory risk. A privacy complaint that becomes public — through a regulatory finding, a press report, or a social media post from a frustrated customer — damages trust in ways that are difficult to quantify and slow to repair. Privacy compliance is also increasingly a prerequisite for B2B relationships and government contracts, where vendors are routinely asked to demonstrate their privacy practices before being engaged.
An integrated compliance checklist
The following steps address the core requirements of all three laws for a typical Canadian small business website. This is not legal advice — complex situations warrant professional guidance — but for most businesses, this checklist covers the essentials.
Publish a specific privacy policy. Describe what you collect, why, who you share it with, retention periods, and how individuals can exercise their rights (access, correction, deletion, portability for Law 25). Name a privacy contact. Link from every page footer.
Implement cookie consent. Deploy a consent management platform that withholds non-essential cookies and tracking scripts until the visitor actively accepts. Build to the Law 25 standard — explicit opt-in — and apply it to all visitors. This satisfies both Law 25 and the spirit of PIPEDA for analytics.
Add purpose statements to forms. Every form that collects personal information should explain what the information is used for, at the point of collection. One sentence is sufficient.
Audit your consent records for email marketing. Ensure every subscriber on your list has a documented consent record showing when, how, and to what they consented. Remove contacts whose implied consent window has expired. Verify your unsubscribe mechanism works and that requests are honored within ten business days.
Document a data retention policy. Decide how long you retain contact form submissions, email list records, and customer data. Apply the policy consistently. Delete or anonymize records that have outlived their purpose.
Secure your personal data. HTTPS across your entire site, secure storage for form submissions, strong and unique credentials for all administrative access, and a plan for keeping your website software patched and current.
Create a privacy contact and complaint process. A dedicated email address, a named responsible individual, and a documented process for responding to access requests within 30 days. For Law 25, the privacy officer must be identifiable — this can be you, named in the privacy policy.
Canadian online compliance is not optional and it is not a one-time project. PIPEDA, CASL, and Quebec Law 25 all continue to evolve — Canada's Consumer Privacy Protection Act (CPPA), which will eventually replace PIPEDA, is working its way through Parliament and will introduce significant changes including direct monetary penalties. Building compliance practices now, against the current requirements, positions your business to adapt as the framework continues to tighten. The businesses that struggle are not those with complex data operations — they are the ones that never built the habit of asking what their website does with personal information and whether that use has been properly authorized.