PIPEDA Compliance

Personal Information Protection and Electronic Documents Act (Canada)

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. PIPEDA came into effect in 2001 and applies across Canada, with some exceptions for provinces that have substantially similar provincial privacy laws.

PIPEDA is built on 10 fair information principles and applies to most private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. This includes the use of cookies and tracking technologies on websites.

When Does PIPEDA Apply?

Federal Jurisdiction

PIPEDA applies to:

  • Private-sector organizations operating within federal jurisdiction across Canada (e.g., banks, airlines, telecommunications)
  • Organizations that collect, use, or disclose personal information across provincial or national borders
  • Organizations in provinces without substantially similar provincial laws

Provincial Laws

Some provinces have their own substantially similar privacy laws that apply instead of PIPEDA for activities within the province:

  • Alberta: Personal Information Protection Act (PIPA)
  • British Columbia: Personal Information Protection Act (PIPA)
  • Quebec: Act Respecting the Protection of Personal Information in the Private Sector (Law 25 as of September 2023)

Important: Even in these provinces, PIPEDA applies to activities that cross provincial/national borders. If you operate a website accessible across Canada or internationally, PIPEDA likely applies.

Exemptions

PIPEDA does NOT apply to:

  • Federal, provincial, or territorial government institutions (covered by separate public sector privacy laws)
  • Personal information for personal or domestic purposes
  • Organizations collecting employee personal information in provinces with substantially similar laws (employee data is covered by provincial legislation)

PIPEDA's 10 Fair Information Principles

PIPEDA is based on 10 principles that form the foundation of Canadian privacy law:

1. Accountability

Organizations are responsible for personal information under their control and must designate someone to be accountable for compliance. This person is typically called a Privacy Officer or Chief Privacy Officer.

  • You must have policies and procedures to protect personal information
  • Staff must be trained on privacy practices
  • You remain accountable even when personal information is processed by third parties (e.g., analytics providers, ad networks)

2. Identifying Purposes

Organizations must identify the purposes for which personal information is collected at or before the time of collection.

  • You must clearly explain WHY you're using cookies and tracking technologies
  • Purposes must be documented and communicated to users
  • If you want to use data for new purposes not originally identified, you need new consent

3. Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

  • Express Consent: Explicit opt-in consent (required for sensitive information)
  • Implied Consent: Can be inferred from actions or inaction (only appropriate for less sensitive information)
  • Consent can be withdrawn at any time
  • You must make it easy for individuals to withdraw consent

For Cookies: The type of consent required depends on the sensitivity of the information collected and how it's used. Marketing cookies typically require express consent, while some functional cookies may rely on implied consent if properly disclosed.

4. Limiting Collection

The collection of personal information must be limited to what is necessary for the identified purposes. Information must be collected by fair and lawful means.

  • Don't collect data "just in case" - only use cookies that serve a specific, necessary purpose
  • Minimize the number of tracking technologies you use
  • Regularly audit and remove unnecessary cookies

5. Limiting Use, Disclosure, and Retention

Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. Personal information must be retained only as long as necessary.

  • Only use cookie data for the purposes you disclosed
  • Set appropriate expiration dates for cookies
  • Delete or anonymize data when it's no longer needed
  • Don't share cookie data with third parties without consent

6. Accuracy

Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used.

  • Ensure tracking data accurately reflects user behavior
  • Provide mechanisms for users to correct inaccurate information
  • Regularly validate and update data

7. Safeguards

Personal information must be protected by security safeguards appropriate to the sensitivity of the information.

  • Use HTTPS to encrypt cookie data in transit
  • Implement access controls for databases containing personal information
  • Ensure third-party processors have adequate security measures
  • Have breach response procedures in place

8. Openness

Organizations must make information about their policies and practices regarding personal information readily available to individuals.

  • Have a clear, accessible privacy policy
  • Explain your cookie practices in plain language
  • Make it easy for users to contact you with privacy questions
  • Publish contact information for your Privacy Officer

9. Individual Access

Upon request, individuals must be informed of the existence, use, and disclosure of their personal information and be given access to that information. Individuals can challenge the accuracy and completeness of their information and have it amended as appropriate.

  • Provide users with access to their consent history
  • Allow users to see what data has been collected
  • Respond to access requests within 30 days (or explain why more time is needed)
  • Access can be denied only in very limited cases (e.g., legal privilege, confidential commercial information)

10. Challenging Compliance

Individuals can challenge an organization's compliance with PIPEDA to the designated individual (Privacy Officer) and, if not satisfied, to the Privacy Commissioner of Canada.

  • Have a complaints procedure in place
  • Respond to complaints promptly and seriously
  • Inform complainants they can escalate to the Privacy Commissioner

Cookie Consent Under PIPEDA

PIPEDA doesn't have specific "cookie law" provisions like the EU's ePrivacy Directive, but cookies fall under PIPEDA's general consent requirements. The Office of the Privacy Commissioner of Canada (OPC) has provided guidance on online tracking and cookies.

OPC Guidance on Consent for Cookies

According to OPC guidance:

  • Express Consent: Required when cookies collect sensitive information or are used for purposes individuals wouldn't reasonably expect (e.g., behavioral advertising, cross-site tracking)
  • Implied Consent: May be acceptable for less sensitive functional cookies IF users are properly informed and can easily opt out
  • Meaningful Consent: Consent must be informed and specific. Users must understand what they're consenting to
  • No Bundled Consent: Don't make access to your site conditional on accepting all cookies (cookie walls are problematic)

What Type of Consent Do You Need?

Strictly Necessary Cookies (No Consent Required)

Cookies essential for website functionality typically don't require consent because they're necessary for the service the user is requesting:

  • Session cookies for logged-in users
  • Shopping cart cookies
  • Load balancing cookies
  • Security and fraud prevention cookies

Functional Cookies (Implied Consent May Be Sufficient)

Cookies that enhance functionality but aren't strictly necessary may rely on implied consent IF:

  • Users are clearly informed about these cookies (e.g., in a cookie notice)
  • The purpose is clearly explained
  • Users can easily opt out
  • The data collected isn't sensitive

Examples: language preferences, volume settings for video players, UI customization

Analytics Cookies (Express Consent Recommended)

Analytics cookies (Google Analytics, Adobe Analytics, etc.) typically require express consent because:

  • They collect detailed behavioral data
  • Data is often shared with third parties
  • They track users across pages and sessions
  • Users may not reasonably expect this level of tracking

Marketing/Advertising Cookies (Express Consent Required)

Marketing and advertising cookies always require express (opt-in) consent because:

  • They collect sensitive behavioral information
  • They're used for targeted advertising
  • They often involve cross-site tracking
  • Data is shared with multiple third parties
  • Users would not reasonably expect this use

Best Practices for PIPEDA Cookie Compliance

  1. Use a Layered Approach: Provide brief information in the cookie banner with a link to detailed information in your privacy policy
  2. Granular Controls: Allow users to accept/reject different cookie categories, not just "all or nothing"
  3. No Pre-Checked Boxes: For express consent, boxes must be unchecked by default
  4. Clear Language: Explain what cookies do in plain language, avoiding technical jargon
  5. Easy Opt-Out: Make it as easy to reject cookies as to accept them
  6. Ongoing Access: Allow users to change their preferences at any time
  7. Document Consent: Keep records of consent with timestamps

How CookieConfig Ensures PIPEDA Compliance

CookieConfig is designed to help you meet PIPEDA's consent and transparency requirements:

Consent Management (Principle 3)

  • Express Consent Options: Users can actively opt in to analytics and marketing cookies
  • Granular Control: Separate categories for Necessary, Functional, Analytics, and Marketing cookies
  • Clear Information: Banner explains what cookies do before consent is requested
  • Easy Withdrawal: Users can change preferences at any time with equal ease
  • Consent Before Placement: Non-essential cookies are blocked until consent is obtained

Identifying Purposes (Principle 2)

  • Category Descriptions: Each cookie category clearly explains its purpose
  • Customizable Text: You can specify exactly how you use cookies
  • Privacy Policy Link: Direct link from banner to full privacy policy

Limiting Collection (Principle 4)

  • Script Blocking: Only approved cookies/scripts are loaded
  • Category-Based Controls: Users can accept only necessary cookies, rejecting others
  • Minimal Data Collection: CookieConfig itself collects minimal personal information

Openness (Principle 8)

  • Transparent Banner: Clear, prominent cookie notice
  • Detailed Documentation: Link to privacy policy from banner
  • Cookie Details: Users can see which cookies are in each category

Individual Access (Principle 9)

  • Consent History: Users can view their consent decisions
  • Easy Modification: Change preferences at any time
  • Data Export: Consent records can be exported for user access requests

Accountability (Principle 1)

  • Audit Logs: Complete logging of all consent decisions with timestamps
  • Compliance Reports: Generate PDF/CSV reports for privacy audits
  • Third-Party Management: Track which third-party scripts are being loaded based on consent

Implementation Checklist

  1. Appoint a Privacy Officer

    Designate someone responsible for PIPEDA compliance and publish their contact information.

  2. Conduct a Cookie Audit

    Identify all cookies and tracking technologies on your website. Classify them by category and sensitivity.

  3. Install CookieConfig

    Place the CookieConfig script in your website's <head> section BEFORE any tracking scripts.

  4. Configure Cookie Categories

    Set up your cookie categories in the CookieConfig dashboard:

    • Necessary: Essential cookies (no consent required)
    • Functional: Enhancement cookies (implied consent may be sufficient)
    • Analytics: Tracking and analytics (express consent recommended)
    • Marketing: Advertising and targeting (express consent required)

  5. Update Your Privacy Policy

    Ensure your privacy policy complies with PIPEDA's Openness principle and includes:

    • What personal information you collect (including via cookies)
    • Why you collect it (identify purposes)
    • How you use it
    • Who you share it with (including third-party analytics/ad providers)
    • How long you keep it
    • How users can access and correct their information
    • How users can withdraw consent
    • Your security measures
    • Contact information for your Privacy Officer
    • How to file a complaint

  6. Customize Your Cookie Banner

    Update the banner text to clearly explain your cookie usage. Consider offering both English and French versions if you operate nationally.

  7. Establish Data Subject Request Procedures

    Create processes to handle requests from Canadian users to:

    • Access their personal information (respond within 30 days)
    • Correct inaccurate information
    • Withdraw consent
    • File complaints

  8. Implement Security Safeguards

    Ensure you have appropriate security measures:

    • HTTPS encryption
    • Secure database access controls
    • Regular security audits
    • Breach response procedures
    • Third-party processor agreements with security requirements

  9. Test Your Implementation

    Verify that:

    • The banner appears before non-essential cookies are set
    • Rejecting cookies actually blocks tracking scripts
    • Users can easily access and change their preferences
    • Consent is being properly logged

  10. Train Your Staff

    Ensure your team understands PIPEDA requirements and your organization's privacy policies and procedures.

  11. Regular Reviews

    Periodically review your cookie usage, privacy policy, and consent mechanisms to ensure ongoing compliance.
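The checklist above (steps 3, 4, 7 and 9), the "Best Practices" list and the "Consent Before Placement" and "Audit Logs" points all describe the same mechanism: non-essential scripts stay inert until a recorded, timestamped consent decision allows their category. The following is an added example of that gate, written for this page and not CookieConfig's own code; the four category names come from the page, while the record format, function names and the `data-category` attribute on inert `<script type="text/plain">` tags are assumptions.

```javascript
// Consent gate for category-tagged scripts. Added example, not CookieConfig's
// own code; the four category names come from the page, the record format,
// function names and the data-category attribute are assumptions.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// State before any choice: only strictly necessary cookies run. Analytics and
// marketing are express-consent categories, so they are never pre-checked.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Record a consent decision with a timestamp. Unknown keys and non-boolean
// values are dropped, and "necessary" cannot be switched off (no consent needed).
function recordConsent(log, choices = {}, now = new Date()) {
  const saved = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== "necessary" && typeof choices[c] === "boolean") saved[c] = choices[c];
  }
  const entry = { at: now.toISOString(), choices: saved };
  log.push(entry);
  return entry;
}

// The effective consent is the most recent record; with no record, the default.
function currentConsent(log) {
  return log.length ? log[log.length - 1].choices : defaultConsent();
}

// Gate decision: an unknown or missing category fails closed.
function mayLoad(consent, category) {
  return CATEGORIES.includes(category) && consent[category] === true;
}

// Withdrawal goes through the same path as granting, so it is equally easy.
function withdrawAll(log, now) {
  return recordConsent(log, { functional: false, analytics: false, marketing: false }, now);
}

// Export the consent history as CSV for an access request (Principle 9).
function exportConsentCsv(log) {
  const header = ["timestamp", ...CATEGORIES].join(",");
  const rows = log.map((e) => [e.at, ...CATEGORIES.map((c) => e.choices[c])].join(","));
  return [header, ...rows].join("\n");
}

// Browser glue: scripts shipped as <script type="text/plain" data-category="analytics">
// do not execute until swapped for a real script element. Returns the count activated;
// returns 0 outside a browser (no document) so the logic above can be tested headless.
function activateGatedScripts(consent, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!mayLoad(consent, el.dataset.category)) continue;
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Because the gate fails closed, a tag with a misspelled or missing `data-category` never runs, which is the behaviour step 9 ("Rejecting cookies actually blocks tracking scripts") asks you to verify.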

Enforcement and Penalties

The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing and enforcing PIPEDA. The OPC has investigative powers and can issue findings and recommendations.

Enforcement Process

  1. Complaint Investigation: The OPC investigates complaints from individuals or initiates investigations on its own
  2. Findings: The OPC issues findings and can recommend corrective actions
  3. Federal Court: If an organization doesn't comply with recommendations, the OPC or a complainant can apply to Federal Court
  4. Court Orders: Federal Court can order an organization to correct its practices and award damages

Penalties

Under amendments that came into force in 2015 (PIPEDA Breach Notification Regulations):

  • Administrative Monetary Penalties (AMPs): Up to $100,000 per violation for certain offenses
  • Court-Ordered Damages: Federal Court can award damages to individuals harmed by PIPEDA violations
  • Reputational Harm: OPC findings are public and can damage your reputation

Offenses Subject to AMPs

The following can result in fines up to $100,000:

  • Failure to report a breach of security safeguards to the OPC when required
  • Failure to notify affected individuals of a breach when required
  • Failure to keep records of breaches
  • Knowingly destroying personal information that is subject to an access request
  • Obstructing the Privacy Commissioner during an investigation

Recent Enforcement Actions

  • Facebook/Cambridge Analytica (2019): OPC found Facebook violated PIPEDA through inadequate consent practices and safeguards
  • Clearview AI (2021): OPC found Clearview AI violated PIPEDA by collecting facial recognition data without consent
  • Tim Hortons (2022): OPC found Tim Hortons collected excessive location data through its app without adequate consent
  • Online Tracking: OPC has increasingly focused on consent for cookies and online tracking technologies

Quebec's Law 25

As of September 22, 2023, Quebec's Law 25 significantly strengthened privacy requirements in Quebec. If you do business in Quebec, be aware that Law 25:

  • Requires express consent for most cookie tracking (similar to GDPR)
  • Introduces mandatory breach notification (within 72 hours in some cases)
  • Requires privacy impact assessments for high-risk processing
  • Imposes administrative monetary penalties up to $25 million or 4% of global revenue
  • Grants Quebec residents stronger data rights

Law 25 is more stringent than PIPEDA in many respects. If you operate in Quebec, consult with legal counsel about additional requirements.

Common PIPEDA Compliance Mistakes

1. Relying on Implied Consent for Sensitive Tracking

Mistake: Assuming that providing a privacy policy is sufficient consent for analytics and advertising cookies.

Why It's Wrong: Behavioral tracking and targeted advertising are sensitive uses that require express, opt-in consent.

Solution: Require active consent (checkbox, button click) for analytics and marketing cookies. Don't rely on continued browsing as consent.

2. Inadequate Privacy Policy

Mistake: Having a vague privacy policy that doesn't clearly explain cookie usage or having no privacy policy at all.

Why It's Wrong: Violates PIPEDA's Openness principle. Users must be informed about data practices.

Solution: Create a comprehensive privacy policy that clearly explains all cookie types, purposes, and third-party sharing in plain language.

3. Cookie Walls

Mistake: Blocking access to your website unless users accept all cookies.

Why It's Wrong: Makes consent conditional, which may not be considered meaningful consent under PIPEDA.

Solution: Provide access to basic content even if users reject non-essential cookies. Only require truly necessary cookies for core functionality.

4. No Way to Withdraw Consent

Mistake: Not providing users with an easy way to withdraw cookie consent or change preferences after initial choice.

Why It's Wrong: PIPEDA requires that consent can be withdrawn at any time.

Solution: Provide a persistent link (in footer or as floating button) for users to access cookie preferences at any time.

5. Excessive Data Collection

Mistake: Using numerous tracking technologies that collect more data than necessary for stated purposes.

Why It's Wrong: Violates PIPEDA's Limiting Collection principle.

Solution: Regularly audit your cookies and remove unnecessary ones. Only use tracking technologies that serve specific, necessary purposes.

6. Sharing Data Without Disclosure

Mistake: Sharing cookie data with third parties (analytics providers, ad networks) without disclosing this in your privacy policy or obtaining consent.

Why It's Wrong: Violates PIPEDA's consent and disclosure requirements.

Solution: Clearly identify all third parties who receive data from cookies in your privacy policy, and obtain appropriate consent.

7. Indefinite Data Retention

Mistake: Keeping cookie data indefinitely without a defined retention period.

Why It's Wrong: Violates PIPEDA's Limiting Use, Disclosure, and Retention principle.

Solution: Set appropriate expiration dates for cookies. Delete or anonymize data when it's no longer needed for the identified purpose.

8. No Accountability Measures

Mistake: Not having documented privacy policies, procedures, or a designated Privacy Officer.

Why It's Wrong: Violates PIPEDA's Accountability principle.

Solution: Designate a Privacy Officer, document your privacy practices, train staff, and maintain compliance records.

Best Practices for PIPEDA Compliance

  1. Privacy by Design: Build privacy considerations into your website from the start, not as an afterthought
  2. Bilingual Materials: If operating nationally, consider providing privacy policies and cookie notices in both English and French
  3. Regular Training: Ensure all staff who handle personal information understand PIPEDA requirements
  4. Privacy Impact Assessments: Conduct privacy impact assessments when implementing new tracking technologies
  5. Vendor Management: Ensure third-party service providers (analytics, advertising) have adequate privacy and security measures
  6. Document Everything: Keep records of your privacy practices, consent mechanisms, and compliance decisions
  7. Stay Current: Monitor OPC guidance and court decisions to stay updated on evolving requirements
  8. Proactive Compliance: Don't wait for complaints - regularly audit and improve your privacy practices
  9. Transparency: When in doubt, err on the side of more disclosure and transparency
  10. Respond Promptly: Take all privacy inquiries and complaints seriously and respond quickly

Legal Disclaimer

CookieConfig is a tool to help implement cookie consent requirements under PIPEDA and other privacy regulations. However, it is not legal advice. Your specific compliance obligations depend on your business activities, the provinces you operate in, and the types of data you process. We strongly recommend consulting with legal counsel familiar with Canadian privacy law for your specific situation, especially if you operate in multiple provinces or in Quebec (which has additional requirements under Law 25).

Useful Resources