·5 min read

canadian privacy law and your website: what small businesses need to know

privacypipedacanadacompliancecookiessmall business

if your website collects any personal information — and if you have a contact form, email newsletter, or analytics, it does — canadian privacy law applies to you. most small business owners have vague awareness that privacy policies are "a thing" without understanding what's actually required.

here's a practical overview.

the law: pipeda and provincial equivalents

canada's federal private sector privacy law is pipeda — the personal information protection and electronic documents act. it governs how businesses collect, use, and disclose personal information in the course of commercial activity.

pipeda applies to most private sector businesses in canada that collect personal information, with some exceptions for certain nonprofit and interpersonal activities.

provincial equivalents: quebec, alberta, and british columbia each have their own privacy legislation that's been deemed "substantially similar" to pipeda, and those laws apply instead of pipeda for businesses operating within those provinces. notably, law 25 in quebec (which came into full force in 2023) has stricter requirements than pipeda and applies to businesses that collect data from quebec residents — including companies based elsewhere in canada.

what pipeda requires for websites

a privacy policy. you must have one and it must be accessible. it needs to explain:

  • what personal information you collect
  • why you collect it (purposes)
  • how it's used and with whom it's shared
  • how long you keep it
  • how users can access or correct their information
  • your contact information for privacy inquiries

consent. you must obtain meaningful consent before collecting personal information. for a contact form, the act of submitting it constitutes consent for you to use that data to respond. for email marketing, you need explicit opt-in (a checked checkbox, not pre-checked).

casl compliance for email marketing. canada's anti-spam legislation (casl) is separate from pipeda but closely related. sending commercial electronic messages to canadians requires express or implied consent. express consent means they signed up for your list. implied consent means they've done business with you in the past two years. buying a list and emailing it is not compliant.

data security. pipeda requires "appropriate" security measures to protect personal information. for websites, this means ssl/https at minimum, secure handling of form data, and not storing sensitive information you don't need.

cookies and tracking

pipeda doesn't explicitly require a cookie banner, but collecting data via cookies for analytics and advertising is covered by its consent principles.

the practical approach used by most canadian small businesses: a simple cookie notice informing visitors that your site uses cookies for analytics purposes, with a link to your privacy policy. this is a lighter touch than the eu's gdpr requirement for granular consent, and it's generally considered adequate for pipeda compliance for most uses.

if you use advertising pixels (facebook, google ads remarketing), you should be explicit that these exist in your privacy policy.

what you actually need on your website

a privacy policy page. not a generic template — a real one that accurately describes your data practices. many small businesses use the canadian specific generators available from legal service providers, or have a lawyer draft one. iubenda and termly offer canadian-compliant templates.

a visible link to it. typically in your footer, on any forms that collect data, and in any email marketing you send.

casl-compliant forms. any form that adds people to an email list needs an unchecked checkbox with language like "I consent to receiving marketing emails from [business name]. I can unsubscribe at any time."

an unsubscribe mechanism. every marketing email must include a clear, functional unsubscribe link. most email marketing platforms (mailchimp, klaviyo, etc.) handle this automatically.

quebec's law 25 deserves special attention

if you serve customers in quebec or collect personal information from quebec residents, law 25 imposes stricter obligations:

  • a privacy impact assessment for certain projects
  • a designated privacy officer
  • more explicit cookie consent requirements
  • a 72-hour notification requirement for privacy breaches
  • specific rights for individuals to access and delete their data

this is more demanding than pipeda and reflects a gdpr-influenced approach. if you have significant business activity in quebec, a review by a privacy lawyer is worthwhile.

the practical bottom line

for a typical small business in ontario or other canadian provinces outside quebec:

  • have an accurate privacy policy visible from your footer
  • use opt-in consent for email lists
  • ensure casl compliance for any email marketing
  • use https everywhere
  • don't collect data you don't need

this isn't a full legal review and doesn't constitute legal advice. if your business collects significant personal data, processes health information, or operates in quebec, consult a lawyer.

nanushi ensures the technical compliance elements — ssl, proper form handling, consent mechanisms — are built correctly into every site we deliver.

ready to start building real apps with a team of passionate developers? join nanushi today and level up your mobile development skills.

learn more