What PIPEDA is
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It governs how organisations collect, use, and disclose personal information in the course of commercial activity. It's enforced by the Office of the Privacy Commissioner of Canada (OPC).
PIPEDA came into force in stages between 2001 and 2004, well before GDPR, but newer guidance from the OPC, particularly on online tracking, behavioural advertising, and meaningful consent, has brought its practical requirements much closer to the European model.
Who PIPEDA applies to
- All private-sector organisations engaged in commercial activity in Canada.
- Inter-provincial and international transfers of personal information.
- Federally regulated employers (banks, telcos, airlines, broadcasters) for employee data as well.
Quebec, Alberta, and BC have private-sector privacy laws declared substantially similar to PIPEDA, so within those provinces the provincial law applies instead of PIPEDA to intra-provincial activity. PIPEDA still governs inter-provincial and international transfers and federally regulated organisations, so an organisation operating in those provinces normally has to satisfy both.
Meaningful consent
PIPEDA's central principle is that consent must be meaningful. The OPC's Guidelines for obtaining meaningful consent (published in 2018, in effect since January 2019) say consent is meaningful only when the user actually understands what they are agreeing to. Practical implications:
- Disclose the purposes, parties, and consequences before the user makes a choice — not buried in a 30-page privacy policy.
- Match the form of consent to the sensitivity: express opt-in for cross-site behavioural advertising; implied consent may suffice for genuinely first-party necessary cookies.
- Make withdrawal as easy as the original consent.
PIPEDA + CASL + provincial laws
Two adjacent laws often come up alongside PIPEDA:
- CASL — Canada's Anti-Spam Legislation, which governs commercial electronic messages and the installation of computer programs on another person's device (which can capture some tracking software). It carries administrative monetary penalties of up to CAD 10 million per violation for organisations, and the CRTC has imposed penalties running into the millions.
- Quebec Law 25 — modernised Quebec's private-sector privacy regime in three stages between September 2022 and September 2024. It is stricter than PIPEDA on tracking technologies (functions that identify, locate or profile a user must be off by default until the user turns them on) and makes it mandatory to designate a person in charge of the protection of personal information.
Common violations CookieGap detects
- Cross-site advertising trackers loaded without express opt-in consent.
- Cookies persisting after the user opts out.
- Privacy policy missing, or vague on third-party recipients.
- No reject mechanism — users can only accept or close the banner.
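The consent mechanics in the "Meaningful consent" section (express opt-in for cross-site advertising, withdrawal as easy as consent) and the first, second and fourth violations above come down to two pieces of client-side logic: never load an ad tracker without an explicit "accepted", and on rejection or withdrawal expire the tracker's cookies under every domain they could have been set on, because a browser only deletes a cookie when the expiring Set-Cookie matches the original Domain and Path. The block below is an added example and not CookieGap's or the OPC's code; the tracker URLs, cookie names and the host shop.example.ca are constructed placeholders, and browserEnv is a hypothetical adapter for a real page.

```javascript
// Added example (not CookieGap's code): gate cross-site ad trackers on
// express opt-in and make withdrawal actually remove their cookies.
// Tracker URLs, cookie names and the host "shop.example.ca" are constructed.

// Inventory of third-party advertising trackers and the cookies each sets.
// One list drives both loading and clean-up so nothing is orphaned.
const AD_TRACKERS = [
  { id: "ad-network", src: "https://ads.vendor.example/tag.js", cookies: ["_adid", "_adsess"] },
  { id: "retargeter", src: "https://rt.vendor.example/px.js", cookies: ["_rtuid"] },
];

// Anything other than an explicit "accepted" or "rejected" (no stored value
// yet, a dismissed banner, a tampered value) is "undecided". Closing the
// banner is therefore never treated as consent.
function consentState(stored) {
  return stored === "accepted" || stored === "rejected" ? stored : "undecided";
}

// Express opt-in: ad trackers load only on an explicit "accepted".
function mayLoadAdTrackers(stored) {
  return consentState(stored) === "accepted";
}

// A browser deletes a cookie only when the expiring Set-Cookie carries the
// same Domain and Path the cookie was created with. A vendor tag running on
// shop.example.ca may have set its cookie with Domain=example.ca, so return
// every candidate: host-only (no Domain attribute), then each parent domain,
// skipping only the final label. (Multi-label public suffixes like co.uk are
// not special-cased here; browsers refuse cookies on them anyway.)
function candidateDomains(host) {
  const labels = host.split(".");
  const out = [null];
  for (let i = 0; i < labels.length - 1; i++) out.push(labels.slice(i).join("."));
  return out;
}

// Set-Cookie strings that expire `name` on every candidate domain at path=/.
// A cookie set on a deeper path would survive; record the path in the
// inventory if a vendor uses one.
function expireCookieStrings(name, host) {
  const past = "expires=Thu, 01 Jan 1970 00:00:00 GMT";
  return candidateDomains(host).map((d) =>
    d === null ? `${name}=; ${past}; path=/` : `${name}=; ${past}; path=/; domain=${d}`
  );
}

// Apply the stored decision. `env` is injected so the logic runs headlessly;
// in a browser pass browserEnv(document).
function applyConsent(stored, host, env) {
  const state = consentState(stored);
  const loaded = [];
  if (state === "accepted") {
    for (const t of AD_TRACKERS) { env.loadScript(t.src); loaded.push(t.id); }
  } else {
    // Rejected or undecided: expire every known tracker cookie on every
    // domain it could have been set under, so opt-out leaves nothing behind.
    for (const t of AD_TRACKERS)
      for (const c of t.cookies)
        for (const s of expireCookieStrings(c, host)) env.setCookie(s);
  }
  return { state, loaded };
}

// Hypothetical adapter for a real page (wraps document APIs only).
function browserEnv(doc) {
  return {
    loadScript: (src) => { const s = doc.createElement("script"); s.src = src; s.async = true; doc.head.appendChild(s); },
    setCookie: (str) => { doc.cookie = str; },
  };
}

// Headless demo with a recording environment; returns counts for inspection.
function demo(stored) {
  const calls = { scripts: [], cookies: [] };
  const env = { loadScript: (s) => calls.scripts.push(s), setCookie: (c) => calls.cookies.push(c) };
  const result = applyConsent(stored, "shop.example.ca", env);
  return { ...result, scripts: calls.scripts.length, cookies: calls.cookies.length };
}

console.log(demo(undefined));  // undecided: 0 scripts, 9 expiring cookies
console.log(demo("accepted")); // accepted: 2 scripts, 0 cookies touched
console.log(demo("rejected")); // rejected: 0 scripts, 9 expiring cookies
```

The expiry fan-out is the part most banners get wrong: expiring `_adid` with no Domain attribute does nothing to a copy set as `Domain=example.ca`, which is exactly how a cookie "persists after the user opts out" while the banner reports success. Running the clean-up on "undecided" as well as "rejected" also covers the case where a tracker was loaded before the banner was fixed.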
Penalties
PIPEDA gives the OPC no power to impose fines. Its only monetary penalties are court-imposed fines for specific offences such as obstructing an investigation or failing to keep breach records (up to CAD 100,000), so enforcement has relied on public findings, ombudsperson recommendations, Federal Court applications, and reputational pressure. Bill C-27 (the proposed CPPA) would introduce GDPR-scale penalties: administrative penalties of up to 3% of gross global revenue or CAD 10 million, and fines for offences of up to 5% or CAD 25 million, whichever is greater. Quebec's Law 25 already provides administrative penalties of up to 2% of worldwide turnover or CAD 10 million and penal fines of up to 4% or CAD 25 million, the highest ceilings of any privacy law currently in force in Canada.
Frequently asked questions
Is consent under PIPEDA opt-in or opt-out?
Both, depending on sensitivity. PIPEDA uses a flexible 'meaningful consent' standard: the more sensitive the data and the more unexpected the use, the stronger the consent required. For online behavioural advertising the OPC's policy position accepts opt-out (implied) consent only under conditions: users are told clearly, at or before collection, what is collected and by which parties; they can opt out easily, with immediate effect; the data is non-sensitive; and it is destroyed or de-identified promptly. Express opt-in consent is required where the data is sensitive, where the tracking targets children, or where the technique cannot be controlled by the user (for example cookies that re-create themselves after deletion). Cross-site advertising rarely meets all the opt-out conditions cleanly, which is why express opt-in is the safe default.
Does PIPEDA require a cookie banner?
PIPEDA doesn't prescribe a banner, but the practical effect of the OPC's guidance on online tracking is that any non-essential cookie or tracker needs meaningful consent: clear up-front notice and an opt-out that works immediately at a minimum, and express opt-in where the data is sensitive or the use falls outside what users would reasonably expect. Most Canadian sites land on a GDPR-style banner as the cleanest way to satisfy this.
Quebec has its own privacy law — does PIPEDA still apply there?
Yes, but with overlap. Quebec's Law 25 (formerly Bill 64) modernised provincial privacy law and is now stricter than PIPEDA in several areas — explicit consent for cookies, privacy impact assessments, mandatory DPOs. Sites serving Quebec residents need to satisfy both regimes.
Is the Privacy Commissioner aggressive on cookies?
The OPC has been active on online tracking and has published joint guidance with provincial commissioners on consent for online behavioural advertising. Enforcement has historically been advisory and reputational, but the proposed Consumer Privacy Protection Act (CPPA), tabled as Bill C-27 to replace PIPEDA, would introduce GDPR-scale fines.
What's the status of the proposed CPPA?
Bill C-27, which would have replaced PIPEDA with the Consumer Privacy Protection Act (CPPA), was introduced in June 2022 and had not passed when Parliament was prorogued in January 2025, which ended the bill; a successor would have to be reintroduced. Whether or not that happens in the same form, the direction is clear: stronger consent rules, real fines, and a private right of action. Building to a GDPR-equivalent standard now is the safer path.
See where your site stands
Run a free CookieGap scan and get a PIPEDA compliance report in under a minute.
Scan your site free
This guide is informational only and does not constitute legal advice. Privacy laws evolve frequently; always confirm current obligations with qualified counsel before making compliance decisions.