
PIPEDA — Canada's Privacy Law

What the Personal Information Protection and Electronic Documents Act means for websites, cookies, and consent.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law. It’s been around since 2000, making it one of the oldest data protection laws in the world.

If you process the personal information of Canadian residents for commercial purposes, PIPEDA applies. Your location doesn’t matter.

PIPEDA is built around meaningful consent, a standard that tracks closely with the GDPR. This means individuals must understand:

  • What you’re collecting
  • Why you’re collecting it
  • What the consequences of collection are

Not valid: buried disclosures, vague language, pre-ticked boxes, and “by using this site you agree” banners.

There are two types of consent under PIPEDA:

  • Express consent: Required for sensitive data (health, financial, biometrics, data of children under 13). Explicit opt-in.
  • Implied consent: Acceptable for non-sensitive data within reasonable expectations. But you must still inform users about data practices.

Who must comply

  • Any private-sector organization worldwide that processes Canadian residents’ data for commercial purposes
  • Federally regulated organizations: banks, airlines, telecoms, broadcasters
  • All businesses in Northwest Territories, Yukon, and Nunavut (no provincial equivalents)

The 10 principles

PIPEDA is structured around 10 principles:

  1. Accountability: you’re responsible; designate someone to own compliance
  2. Identifying purposes: tell people why, before collecting
  3. Consent: meaningful, informed, revocable
  4. Limiting collection: only what you need
  5. Limiting use, disclosure, retention: don’t repurpose data, delete it when done
  6. Accuracy: keep it correct
  7. Safeguards: protect it
  8. Openness: publish your privacy practices
  9. Individual access: let people see their data
  10. Challenging compliance: people can complain

Provincial laws

Three provinces have their own “substantially similar” privacy laws that replace PIPEDA for intra-provincial matters:

  • British Columbia: PIPA BC
  • Alberta: PIPA Alberta
  • Quebec: Law 25 (private sector), stricter than PIPEDA, now fully in force

If you operate in these provinces, you deal with the provincial law for in-province data and PIPEDA for inter-provincial/international transfers.

What this means for cookies

Under PIPEDA, cookies and tracking technologies collect personal information. IP addresses, device identifiers, and browsing history are all “personal information,” which puts Canadian law in the same conversation as the GDPR vs CCPA vs ePrivacy debate over what counts as personal data.

That means:

  • You must disclose what cookies you use and why
  • You must obtain meaningful consent for non-essential tracking
  • You must allow people to withdraw consent easily

Cross-border transfers

If you transfer data outside Canada, you’re responsible for its protection. You must use contractual or other means to ensure a comparable level of protection, the same cross-border obligation you’ll find under POPIA in South Africa.

Penalties

Fines can reach CAD 100,000 per violation for the most serious infractions. The OPC (Office of the Privacy Commissioner) investigates; the Federal Court can order corrective action and award damages.

How Zest handles it

Zest covers PIPEDA compliance: clear consent collection, documented records, easy withdrawal, and the ability to configure consent levels that match Canadian standards.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.