Under Canada’s current PIPEDA and the upcoming CPPA (Consumer Privacy Protection Act), organizations are required to obtain meaningful consent before collecting, using, or disclosing personal information—this includes data collected via cookies and similar tracking technologies. How do you manage consent?
PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada’s federal privacy law that governs how private-sector organizations handle personal data during commercial activities. It has been the main privacy framework since 2000.
CPPA (Consumer Privacy Protection Act) is Canada’s proposed new privacy law that would replace PIPEDA. It is part of Bill C-27, which aims to modernize federal privacy protections, enhance enforcement powers, and align Canada with global data protection standards like the GDPR.
Whether operating under PIPEDA or preparing for CPPA, businesses must:
Obtain valid and informed consent before collecting or using personal information.
Limit data collection to what is necessary for stated purposes.
Protect personal information using appropriate safeguards.
Provide individuals access to their data and correct inaccuracies.
Maintain clear privacy policies and practices.
Under CPPA, businesses must also:
Allow data mobility (data portability between organizations).
Implement transparent algorithms if using automated decision-making.
Enable users to request data deletion.
CPPA introduces higher standards, more robust consent rules, and serious penalties for violations.
To be compliant with PIPEDA/CPPA, you should:
Conduct an audit:
Perform a full audit of data collection and sharing practices, and identify the personal data collected and its purposes.
Update privacy policy:
Review and update privacy and cookie policies.
Implement consent management:
Implement cookie consent banners and opt-out flows to automate consent capture and preference management.
Ensure data minimization:
Limit data collection to what is necessary for legitimate business purposes.
Ensure consumer rights:
Inform individuals about why and how their personal information is collected and used, and establish mechanisms to respond to consumer rights requests within 45 days.
Appoint a privacy officer:
Implement accountability measures and appoint an individual responsible for privacy.
Perform Data Protection Assessments:
Safeguard privacy with regard to targeted advertising, data sales, profiling, or processing sensitive data.
If your answers are uncertain or negative, your organization may not be compliant and should update its privacy practices.
The laws apply to:
All private-sector organizations across Canada involved in commercial activities.
Foreign businesses offering goods, services, or collecting data from Canadians.
Organizations in federally regulated sectors (e.g., banks, airlines, telecoms).
Provincial privacy laws may take precedence in BC, Alberta, and Quebec, but only if deemed “substantially similar” to federal law.
PIPEDA and CPPA both grant consumers the following rights:
Consumers have the right to be told why their personal information is being collected, used, or disclosed at or before the time of collection.
Organizations must obtain meaningful consent (explicit or implied, depending on the situation) before collecting, using, or disclosing personal information.
Consumers can request access to their personal information held by an organization, including details on how it is being used and to whom it has been disclosed.
Individuals have the right to request corrections to their personal information if it is inaccurate or incomplete.
Consumers can ask to have their personal data deleted.
Consumers may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice.
Consumers can request their data be provided in a usable format.
Consumers have the right to expect that their personal information will be protected by appropriate security measures to prevent unauthorized access, collection, use, disclosure, or destruction.
Consumers should be informed about automated decisions that affect them and be able to challenge the outcome (under CPPA).
Organizations may only collect, use, or disclose personal information for reasonable purposes that a reasonable person would consider appropriate in the circumstances.
These rights empower Canadians to control their digital privacy and demand accountability from businesses.
Cookies that collect identifiable information—such as device IDs, location data, or behavior profiles—fall under both PIPEDA and CPPA’s definitions of personal data. Therefore:
Consent is required before collecting this information through cookies.
You must clearly explain what cookies do, what data is collected, and why.
You must provide users with a real choice—opt-in or manage preferences.
Under CPPA, deceptive or coercive practices around consent (e.g., dark patterns) will be explicitly prohibited.
Cookie banners must be clear, provide specific information about data use, and allow users to opt in or manage preferences before any non-essential cookies are activated. The CPPA strengthens these consent requirements with more explicit transparency and accountability obligations.
Under PIPEDA:
The Privacy Commissioner can investigate and publicly report non-compliance but has limited enforcement power.
Serious violations may be referred to federal court.
Under the proposed CPPA:
The Privacy Commissioner would gain order-making powers.
A new Data Tribunal could impose fines up to 10 million CAD or 3% of global revenue, whichever is higher.
Intentional violations could lead to criminal penalties.
To check compliance with PIPEDA and CPPA, organizations should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites.
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing).
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs.
Check third-party practices:
Review third-party data-sharing practices.
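As an added example (not CookieHub's code and not part of the original page), the JavaScript below sketches the consent gate the checklist above calls for: the four cookie categories named, non-essential categories denied until the user opts in, granular updates, withdrawal at any time, and an append-only consent log. The function and category names are assumptions; the "loaders" stand in for whatever snippet would set a cookie for that category.

```javascript
// Added example, not CookieHub code. Consent state for the four cookie
// categories named in the checklist. Only "necessary" is on by default;
// every other category stays denied until the user explicitly opts in.
const CATEGORIES = ["necessary", "preference", "analytics", "marketing"];

function createConsentStore(now = () => new Date().toISOString()) {
  const state = { necessary: true, preference: false, analytics: false, marketing: false };
  const log = []; // append-only consent log kept for audit and accountability

  function record(action) {
    // Snapshot the resulting state so the log shows what was in force and when.
    log.push({ at: now(), action, state: { ...state } });
  }

  return {
    // Ask before activating anything; an unknown category is an error, not a default.
    isAllowed(category) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      return state[category];
    },
    // Granular choices: only known, non-essential categories can change,
    // and anything other than an explicit true is treated as denied.
    update(choices) {
      for (const [cat, value] of Object.entries(choices)) {
        if (!CATEGORIES.includes(cat) || cat === "necessary") continue;
        state[cat] = value === true;
      }
      record("update");
    },
    // Withdrawal at any time resets every non-essential category to denied.
    withdrawAll() {
      for (const cat of CATEGORIES) if (cat !== "necessary") state[cat] = false;
      record("withdraw");
    },
    // Run a loader (e.g. the snippet that would set an analytics cookie) only
    // for categories the user has opted into; returns which categories ran.
    runGated(loaders) {
      const ran = [];
      for (const [cat, load] of Object.entries(loaders)) {
        if (CATEGORIES.includes(cat) && state[cat]) { load(); ran.push(cat); }
      }
      return ran;
    },
    // Copy of the log for export to an audit record.
    auditLog() { return log.map((e) => ({ ...e, state: { ...e.state } })); },
  };
}
```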
Readiness for compliance demands a robust consent management platform like CookieHub. A CMP helps businesses comply with PIPEDA and CPPA by capturing valid consent, managing user preferences, and maintaining detailed consent logs for audit and accountability.
These laws govern the collection, use, and disclosure of personal information in the course of commercial activities by private-sector organizations across Canada, including international businesses dealing with Canadians.
Personal data refers to any information that can identify an individual, including names, contact details, IP addresses, location data, and behavioral profiles.
Sensitive data includes financial, health, biometric, and other information that, if misused, could cause significant harm or distress to individuals.
The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA and will enforce CPPA when it comes into effect.
Non-commercial entities (e.g., charities), government institutions, and individuals handling data for personal use are generally exempt. Some provinces have their own privacy laws that may override PIPEDA in specific sectors.
See the Office of the Privacy Commissioner of Canada’s website for full details, compliance tools, and legislative updates.
©2018-2025 CookieHub ehf.