Privacy Regulations in North America

8 privacy and data protection laws across North America

PIPEDA
Canada
Flag of CA
Opt-inFederal

Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.

Quebec Law 25
Quebec, Canada
Flag of CA
Opt-inState

The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.

COPPA
United States
Flag of US
Opt-in

COPPA is the primary US federal law protecting children's online privacy. It requires verifiable parental consent before collecting personal information from children under 13. Persistent identifiers including cookies are classified as personal information. The 2025 amendments expand protections significantly.

Alberta PIPA
Alberta, Canada
Flag of CA
Opt-inState

Alberta's PIPA is recognized as substantially similar to PIPEDA, covering provincially regulated private-sector organizations. The OIPC has binding order-making power — stronger than PIPEDA's OPC which issues only recommendations. Express consent is required for sensitive data, implied for non-sensitive.

HIPAA
United States
Flag of US
Sector-specific

HIPAA protects health information privacy. OCR's 2022 guidance clarified that marketing pixels and tracking technologies on healthcare websites can constitute impermissible PHI disclosure. Cookie consent banners do NOT satisfy HIPAA authorization requirements. Enforcement now targets browser-based tracking.

BC PIPA
British Columbia, Canada
Flag of CA
Opt-inState

British Columbia's PIPA is recognized as substantially similar to PIPEDA. The OIPC can investigate complaints, conduct audits, issue binding orders, and require compliance. Nonprofits engaging in commercial activities are also covered. Organizations must destroy personal information once the original purpose is fulfilled.

GLBA
United States
Flag of US
Opt-out

GLBA requires financial institutions to explain information-sharing practices and give customers the right to opt out of sharing with certain third parties. The updated Safeguards Rule mandates comprehensive security programs. Most US state privacy laws exempt GLBA-regulated entities.

FERPA
United States
Flag of US
Opt-in

FERPA protects student education records at federally funded institutions. Written consent is required before disclosing personally identifiable information from education records. The sole enforcement mechanism is withdrawal of federal education funding — a penalty so severe it has never been imposed.