What cookies actually are

A cookie is a small text file that a website stores in a visitor's browser. Cookies range in purpose from essential (keeping you logged in, remembering shopping cart contents) to analytical (tracking how many people visited which pages) to advertising (building a profile of your browsing behaviour across multiple sites to serve targeted ads).

Consent obligations under privacy law are not triggered by cookies themselves but by whether those cookies collect, use, or disclose personal information. An essential cookie that maintains a session token is not collecting personal information in any meaningful sense — it is a technical necessity. An advertising cookie that connects your browser identity to your purchase history, location data, and browsing patterns across dozens of sites is clearly collecting and disclosing personal information, potentially to many third parties.

Most consent discussions skip this distinction and treat all cookies as requiring identical consent. The result is banner fatigue, clickthrough without comprehension, and compliance theatre that does not actually protect user privacy. The more useful question is: what information does this cookie collect, who does it share it with, and does that use require consent under applicable law?

PIPEDA and federal cookie requirements

Canada's federal privacy law — the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA — governs the collection, use, and disclosure of personal information in the course of commercial activity. It applies to most private-sector organisations in Canada, except in provinces that have their own substantially similar legislation (currently British Columbia, Alberta, and Quebec for provincial private-sector activity).

PIPEDA requires meaningful consent for the collection, use, or disclosure of personal information. For cookies, this means: if your cookies collect personal information (analytics that can be tied to individual users, advertising identifiers, session data combined with account information), you need meaningful consent for that collection.

PIPEDA distinguishes between express and implied consent. Express consent is clear, specific, and affirmative — the user actively agrees to something. Implied consent is inferred from actions and context — if someone provides their email address to receive a newsletter, they have implicitly consented to receiving it. For cookies that collect personal information for advertising or tracking purposes, the Office of the Privacy Commissioner (OPC) has indicated that express consent is expected, not implied.

PIPEDA does not have a cookie-specific banner requirement. What it requires is that consent be meaningful — that the person understands what they are consenting to and has a real choice. A consent banner where the only obvious option is "Accept" and the "Reject" or preference controls require several clicks to find does not satisfy meaningful consent even if it technically offers options.

PIPEDA is being replaced. The Consumer Privacy Protection Act (CPPA) was introduced in Parliament as part of Bill C-27 and is intended to replace PIPEDA. As of mid-2026, C-27 has passed third reading in the House but has not yet received Royal Assent. CPPA would introduce stricter consent requirements, algorithmic transparency rules, and significantly higher penalties. The broad consent principles described here apply under both the current and proposed legislation, but the specifics will change when CPPA comes into force.

Quebec Law 25: stricter rules for Quebec visitors

Quebec's Act Respecting the Protection of Personal Information in the Private Sector — commonly called Law 25 or Bill 64 — is the strictest privacy law in Canada for websites that collect data from Quebec residents. It applies to any organisation collecting personal information about people in Quebec, regardless of where the organisation is based. A business in British Columbia with Quebec customers is subject to Law 25 for those customers.

Law 25 is the piece of Canadian legislation that most directly parallels GDPR in its cookie consent requirements. Specifically, it requires that consent to the collection of personal information through technology functions (including cookies) must be:

Freely given. Refusing consent cannot result in denial of the service, and the default must not be to consent — opt-in is required, not opt-out.

Clear and informed. The person must understand what they are consenting to, including which personal information is being collected, the purposes, and who it will be shared with.

Specific. Blanket consent to "all uses of personal information" is not sufficient. Consent for analytics must be separate from consent for advertising.

Withdrawn as easily as given. If the person consented through a banner, they must be able to withdraw that consent through an equally simple process.

Law 25 also has a specific provision that cookies and similar technologies must not be activated before consent is obtained (with exceptions for strictly necessary functions). This means pre-ticked boxes, implied consent on page load, and banners that load advertising trackers while displaying the consent question are non-compliant.

The Commission d'accès à l'information (CAI), Quebec's privacy regulator, can impose penalties of up to $25 million or 4% of worldwide turnover — the same order of magnitude as GDPR penalties — for serious violations.

CASL and tracking technology

Canada's Anti-Spam Legislation (CASL) is primarily known as a law about commercial email, but it also covers "computer programs" — software installed on a computer system. A tracker that installs persistent cookies, local storage objects, or other forms of client-side storage is arguably covered by CASL's provisions on software installation.

CASL requires express consent before installing a computer program on another person's computer. The application of this to cookies is not fully settled in Canadian case law, and CASL enforcement related to web tracking has been limited. However, the Canadian Radio-television and Telecommunications Commission (CRTC), which enforces CASL, has cited tracking technology in investigations. The safer position — consistent with CASL's intent — is to treat non-essential cookies as requiring the same express consent CASL requires for software installation.

When GDPR applies to Canadian websites

GDPR applies to the processing of personal data of individuals in the European Economic Area, regardless of where the processing organisation is based. If your Canadian website has visitors from EU countries — or targets EU residents — GDPR may apply to you.

For most small Canadian businesses with primarily local or national audiences, the practical GDPR exposure is low. But if your website sells to EU customers, runs EU-targeted advertising, or processes data about EU residents in any systematic way, you should treat GDPR as applicable. Under GDPR, the cookie consent requirements are among the strictest: pre-ticked boxes are prohibited, declining cookies must be as easy as accepting them, and cookie walls that block access unless you consent are generally not permitted.

What a compliant cookie approach looks like

A genuinely compliant approach for a Canadian website involves several components that go beyond adding a banner.

Audit your cookies. Before writing any consent text, know what cookies your site actually sets. Your browser's developer tools (the Application or Storage panel) can show you all cookies on a page. Many websites set dozens of cookies from third-party scripts — analytics platforms, embedded maps, social sharing buttons, advertising networks — that the website owner is not fully aware of.

Categorise them. Identify which cookies are strictly necessary (session management, security), which are functional (remembering user preferences), which are analytical (site usage statistics), and which are advertising or tracking. Strictly necessary cookies do not require consent. The rest, under Law 25 and PIPEDA meaningful consent requirements, do.

Do not load non-essential cookies before consent. This is the most common failure. Many "consent management" implementations display the banner while simultaneously loading all the analytics and advertising scripts it is supposedly asking about. The scripts need to be blocked until affirmative consent is given.

Make accept and reject equally accessible. Under Law 25 and the spirit of PIPEDA, the reject option needs to be as easy to find and use as the accept option. A prominent "Accept All" button paired with a small greyed-out link to "Manage preferences" does not meet this standard.

Provide granular controls. Allow users to accept analytics without accepting advertising, or vice versa. Bundling all non-essential cookies into a single accept/reject choice is not considered granular consent.

Honour the choice and remember it. Once a user makes a choice, that choice should persist. Resetting consent on every visit, or asking again after a cookie clears, undermines the premise of meaningful consent.
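The six steps above (audit, categorise, block before consent, symmetric accept/reject, granular controls, persistence) can be wired together in a small piece of first-party browser code. The following is an added example written for this article, not code from the original page or from any consent-management product: the cookie registry, the script manifest and the sample cookie string are constructed placeholders, and all function names are this example's own. It runs as plain JavaScript under Node for the audit and consent logic, and only touches the DOM when a `document` exists.

```javascript
// Consent-gated script loading (added example; registry, manifest and sample
// values are constructed for illustration, not taken from any real site).

const CATEGORIES = ['necessary', 'functional', 'analytics', 'advertising'];

// Steps 1-2, audit and categorise: map each cookie name the site sets to a
// category. Build the real list from the browser's Application/Storage panel.
const COOKIE_REGISTRY = {
  sessionid: 'necessary',      // session management
  csrftoken: 'necessary',      // security
  consent_prefs: 'necessary',  // the stored consent record itself
  lang: 'functional',
  _ga: 'analytics',
  _gid: 'analytics',
  ad_id: 'advertising',
};

// Parse a document.cookie style string ("a=1; b=2") into name/value pairs.
function parseCookieString(cookieString) {
  return cookieString.split(';').map((p) => p.trim()).filter(Boolean).map((p) => {
    const eq = p.indexOf('=');
    return eq === -1 ? { name: p, value: '' } : { name: p.slice(0, eq), value: p.slice(eq + 1) };
  });
}

// Audit: anything not in the registry is reported as 'unknown', which is how
// third-party cookies the site owner did not know about get surfaced.
function auditCookies(cookieString, registry = COOKIE_REGISTRY) {
  return parseCookieString(cookieString).map(({ name }) => ({
    name,
    category: registry[name] || 'unknown',
  }));
}

// Opt-in default: every non-essential category starts at false (never pre-ticked).
function defaultConsent() {
  return { version: 1, necessary: true, functional: false, analytics: false, advertising: false };
}

// Granular grant: only the named categories are switched on.
function grantConsent(state, categories) {
  const next = { ...state, necessary: true };
  for (const c of categories) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    next[c] = true;
  }
  return next;
}

// Reject all / withdraw consent: a single call, as easy as accepting.
function rejectAll(state) {
  return { ...defaultConsent(), version: state.version };
}

// Persist the record as JSON (in a first-party cookie or localStorage, both of
// which are strictly necessary for honouring the choice on later visits).
function serializeConsent(state) {
  return JSON.stringify(state);
}

// Parse a stored record defensively: a missing, malformed or tampered value
// falls back to "no consent", never to "everything allowed".
function parseConsent(raw) {
  try {
    const obj = JSON.parse(raw);
    if (!obj || obj.version !== 1) return defaultConsent();
    const state = defaultConsent();
    for (const c of CATEGORIES) {
      if (c !== 'necessary') state[c] = obj[c] === true;
    }
    return state;
  } catch {
    return defaultConsent();
  }
}

// Step 3, block before consent: each script carries a category and is only
// inserted into the page once that category is true in the consent record.
const SCRIPT_MANIFEST = [ // constructed manifest
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
];

function scriptsAllowed(manifest, consent) {
  return manifest.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Browser glue: inject only the allowed scripts, each at most once per page.
const loadedScripts = new Set();
function applyConsent(consent, manifest = SCRIPT_MANIFEST) {
  const allowed = scriptsAllowed(manifest, consent);
  if (typeof document === 'undefined') return allowed; // non-browser environment
  for (const src of allowed) {
    if (loadedScripts.has(src)) continue;
    const el = document.createElement('script');
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
    loadedScripts.add(src);
  }
  return allowed;
}
```

On page load, read the stored record with `parseConsent` and call `applyConsent` with it; if no record exists, show the banner and call `applyConsent` only after the user answers. The two design choices that matter are that the fallback for any unreadable record is "no consent", and that scripts outside the `necessary` category never reach the DOM until their category is explicitly true.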

What does not count as meaningful consent

A cookie banner that says "We use cookies to improve your experience" with only an "Accept" button does not obtain consent — it announces an outcome that has already happened. This pattern is still common on Canadian websites and does not satisfy PIPEDA, let alone Law 25.

Pre-ticked checkboxes are not consent under any Canadian privacy law. A checkbox labelled "Allow analytics cookies" that is checked by default and requires the user to uncheck it is not meaningful consent — it is assuming consent and requiring effort to withdraw it.

"Continued use of this site constitutes acceptance of cookies" notices at the bottom of a page do not constitute consent. Browsing a website is not a consent action, and clicking through pages to find content is not the same as affirmatively agreeing to data collection.

Refusing access to the site unless the user accepts all cookies — a cookie wall — is specifically prohibited under Quebec Law 25 and is inconsistent with PIPEDA's principle that consent cannot be a condition of service unless the information is necessary for providing that service. Advertising cookies are never necessary for the basic provision of information.

A useful heuristic: if you removed the banner and asked a random visitor whether they had agreed to have their behaviour tracked across the internet for advertising purposes, would they say yes? If the answer is no, the consent mechanism is not working. The goal is not to get users to click past a notice — it is for them to genuinely understand and agree to what you are doing with their data.