PIPEDA

Personal Information Protection and Electronic Documents Act

Key Facts

Effective Date: January 1, 2004
Enacted: April 13, 2000
Enforcing Authority: Office of the Privacy Commissioner of Canada (OPC)
Consent Model: Opt-in
Fulfillment Time: 30 days
Applies To: Private-sector organizations across Canada in commercial activities (except Quebec, Alberta, BC for intra-provincial)

Overview

PIPEDA is Canada's federal private-sector privacy law, based on 10 fair information principles. It requires express consent for sensitive information and allows implied consent for less sensitive data. The proposed replacement (CPPA) died in January 2025, with a new bill expected carrying penalties up to CAD $25M or 5% of global revenue.

What This Means for Your Website

  • Meaningful consent is required — express for sensitive data, implied for non-sensitive with reasonable expectations
  • OPC guidance specifically addresses cookies and online behavioral advertising
  • A designated privacy officer must be accountable for compliance
  • Breach notification is required for breaches posing real risk of significant harm
  • PIPEDA does not apply in Quebec, Alberta, or BC for intra-provincial commercial activities

Key Requirements

The OPC enforces PIPEDA with penalties up to CAD $100,000 per violation. Consumer requests must be fulfilled within 30 days. The expected replacement bill would increase penalties to CAD $25 million or 5% of global revenue. PIPEDA applies federally but yields to substantially similar provincial legislation.

How ConsentStack Handles This

ConsentStack detects Canadian visitors and applies PIPEDA-compliant consent with express opt-in for sensitive data categories, supporting the meaningful consent standard.

Penalties

Up to CAD $100,000 per violation; Federal Court can order compliance and award damages.

Maximum Fine: CA$100,000 per violation

Key Requirements

  • Obtain meaningful consent — express for sensitive, implied for non-sensitive
  • Identify purposes at or before collection
  • Limit collection to what is necessary
  • Safeguard personal information with appropriate security
  • Provide individuals access to their personal information
  • Designate a privacy officer accountable for compliance

Notable Provisions

  • CPPA (Bill C-27) died January 2025
  • New bill expected with CAD $25M or 5% revenue penalties
  • Does not apply in Quebec, Alberta, BC for intra-provincial activities

Other North America Regulations

CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.

MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.

Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.

Frequently Asked Questions

Does PIPEDA apply across all of Canada?

PIPEDA applies federally to commercial activities, except in Quebec, Alberta, and BC, which have substantially similar provincial laws governing intra-provincial activities.

What happened to PIPEDA's replacement?

The CPPA (Bill C-27) died when Parliament prorogued in January 2025. A replacement with penalties up to CAD $25M or 5% of revenue is expected.

Does PIPEDA address cookies?

Yes. OPC guidance addresses cookies and online behavioral advertising. Meaningful consent is required for personal information collection through cookies.

What are the PIPEDA penalties?

Up to CAD $100,000 per violation currently. The expected replacement would dramatically increase penalties.

Stay compliant with PIPEDA

ConsentStack helps you implement opt-in consent for Canada (federal) automatically.