Is a privacy policy legally required in Canada?

Under PIPEDA — Canada's federal private-sector privacy law — organizations that collect personal information in the course of commercial activities are required to be open about their privacy practices. This openness principle is operationalized as a requirement to have a documented, accessible privacy policy. It is not optional if your website collects any personal information, which includes contact form submissions, newsletter signups, account registrations, or analytics data.

PIPEDA does not use the words "privacy policy" explicitly — it refers to "readily available" information about policies and practices. In practice, the Office of the Privacy Commissioner of Canada has consistently interpreted this to mean a written privacy policy accessible on your website.

If your business operates in or collects data from Quebec residents, Quebec's Law 25 adds more specific requirements for what the policy must contain and how it must be presented.

Beyond privacy law, CASL — Canada's anti-spam law — has its own disclosure requirements related to commercial electronic messages, and some of those disclosures are typically handled within or alongside a privacy policy.

What PIPEDA requires your policy to include

PIPEDA's openness principle requires that your organization make readily available specific information about its policies and practices relating to the management of personal information. The Office of the Privacy Commissioner has identified the following as required content.

Your policy must identify who in your organization is accountable for compliance with privacy obligations — the name or position of your privacy officer or the person responsible for privacy matters. It must describe what personal information you collect and from whom. It must explain the purposes for which you collect personal information, before or at the time of collection. It must describe how you obtain consent and explain individuals' right to withdraw consent. It must describe how individuals can access and correct their personal information in your records. It must explain what personal information you disclose to third parties and why. It must describe your security safeguards for protecting personal information. It must specify how long you retain personal information and how you dispose of it. It must explain how individuals can submit complaints to your organization about your privacy practices, and how they can escalate to the Privacy Commissioner of Canada if they are not satisfied.

Additional requirements if you serve Quebec

If your website collects personal information from Quebec residents — which applies to any Canadian website accessible to Quebec — Law 25 adds requirements that go beyond PIPEDA. Your policy must additionally include the contact information for the person responsible for protecting personal information in your organization (not just their title — their actual contact details must be published). It must describe the rights of individuals under Quebec law, including the right to access, correction, deletion, and portability. It must include retention periods for each category of personal information — not a vague "reasonable period" but an actual timeframe. It must describe any automated decision-making processes that use personal information and significantly affect individuals.

Law 25 also requires that the policy be written in clear and simple language — plain language that a non-specialist can understand. Dense legal boilerplate does not satisfy this requirement.

Section-by-section: what to include

The following is a practical guide to structuring a privacy policy for a typical Canadian small business website. These are the sections that address the legal requirements, written in the order that flows most naturally for a reader.

Introduction and scope. Who you are, what your website is, and what this policy covers. If your business operates under a different name than your legal entity, clarify both. State clearly that this policy applies to personal information collected through your website and any related communications.

Who is responsible for privacy. Give the name or title of the person responsible for privacy in your organization, and provide a way to contact them — typically an email address. This is a required element under Law 25 and considered best practice everywhere else.

What personal information we collect. List every category of personal information you actually collect. Typical small business website categories include: contact information submitted through forms (name, email, phone, message content); information submitted when booking or purchasing (address, payment details if applicable); information collected automatically by your analytics platform (IP address, browser type, pages visited, time on site, device type); and any information collected through cookies or similar technologies. Be specific — "various personal information" is not acceptable.

Why we collect it (purposes). For each category of information, explain the purpose. "Responding to contact form enquiries," "sending the newsletter you signed up for," "improving our website through aggregate analytics data," and "processing your order" are legitimate, specific purposes. "Marketing purposes" without further specificity is not.

How we obtain consent. Explain your consent mechanisms. Submitting a contact form constitutes consent to use that information to respond — but you need to have made that clear at the point of submission (with a note near the form). Signing up for a newsletter requires express consent. If you are relying on implied consent for analytics data collection from site visitors, explain that, and explain how visitors can opt out.

Who we share your information with. List all third parties that receive personal information from your website. This typically includes your web hosting provider (if they have access to server logs), your email marketing platform (if applicable), your analytics provider (typically Google Analytics or similar), any payment processor, and any CRM or customer management system. For each, explain what information is shared and why. Do not omit services just because they are common — omitting Google Analytics from your privacy policy is one of the most frequently cited PIPEDA failures.

How long we keep your information. Specify actual retention periods for each category of data. "We retain contact form submissions for 24 months, after which they are deleted from our records" is compliant. "We retain information as long as necessary" is not. If you are not sure what retention periods you currently have, this is the section that forces you to establish them.

How we protect your information. Describe your security measures in plain language. You do not need to describe your technical architecture in detail, but you do need to state that your website uses HTTPS, that access to personal data is restricted, and that your data storage is secured. Vague statements like "we take security seriously" are insufficient — describe actual measures.

Your rights. Explain what individuals can do: request access to their information, request correction of inaccurate information, withdraw consent, and — for Quebec residents — request deletion or data portability. Explain how to make these requests and how long you will take to respond. PIPEDA requires a response within 30 days. Law 25 requires acknowledgement of the request within 30 days.

Cookies. If your website uses cookies — and almost all websites do — you need a section (or a separate page) explaining what cookies are used, what they collect, whether they are essential or non-essential, and how visitors can manage or disable them. If you use non-essential cookies (analytics, advertising), you need to explain your consent mechanism for those.

How to contact us and how to complain. Provide a way to contact your privacy officer. Explain that if an individual is not satisfied with your response to their privacy concern, they can contact the Office of the Privacy Commissioner of Canada (for PIPEDA matters) or the Commission d'accès à l'information (for Quebec matters).

When this policy was last updated. Include a "last updated" date. This demonstrates that the policy is maintained and gives readers context for whether it reflects current practices.

The most common failures in Canadian privacy policies

Listing Google Analytics but not explaining that it collects IP addresses. If you use GA4 or Universal Analytics, your analytics platform is collecting IP addresses and behavioural data and sending it to Google's servers, including servers potentially outside Canada. Your policy must disclose this specifically.

Using a template that mentions GDPR but not PIPEDA or Law 25. Many free privacy policy generators are built for European or American compliance. They reference GDPR and CCPA (California Consumer Privacy Act) but do not address Canadian requirements. A GDPR-compliant policy is not automatically PIPEDA-compliant, and it is almost certainly not Law 25-compliant.

Not updating the policy when you add new tools. Adding a live chat widget, a new email marketing platform, a booking system, or a new analytics tool creates new data flows. Your policy must be updated to reflect them.

Vague retention periods. Stating that you keep data "as long as necessary" is not a retention policy — it is an avoidance of having one. Define actual periods and build the administrative process to enforce them.

A privacy policy buried in a footer link using illegible small text. The policy must be readily accessible. A footer link is appropriate, but the link must be clearly labelled "Privacy Policy," must be visible without magnification on mobile devices, and must load a page that is itself readable — good contrast, reasonable font size, no dense paragraphs of legal text with no formatting.

Making your policy accessible and findable

A privacy policy that meets the legal content requirements but is inaccessible to readers with disabilities or difficult to find on your site is not truly compliant with the openness principle. The policy should be readable — this means proper heading structure, adequate contrast, a reasonable font size (at least 16px for body text), and plain language throughout.

The policy link should appear in the footer of every page of your website, not just on the contact page. It should also be linked from any point of data collection — near your contact form, on your newsletter signup, and at checkout if applicable.

Keeping your policy up to date

A privacy policy is not a one-time document. You should review it whenever you add a new tool that touches personal data, when you change how you use or store data, when the law changes (Law 25 was a significant change in 2022 to 2023, and Canada's proposed federal privacy reform under Bill C-27 may create further requirements), and at minimum once per year regardless.

When you update your policy, update the "last updated" date. If you make significant changes that affect how you use data, consider notifying existing contacts — particularly your email list — that your privacy policy has been updated.

A privacy policy that accurately reflects your real practices, written in plain language, and maintained over time is genuinely useful to your users. It builds trust. And it protects you if a complaint is ever filed.