Databending
Privacy Policies, Cookie Consent and CASL: What Your Canadian Website Actually Needs in 2026
Published July 2, 2026
Author Will Coulter
Start a Project →

Privacy Policies, Cookie Consent and CASL: What Your Canadian Website Actually Needs in 2026

Most small business websites in Canada are missing legally required pages. Here's a plain-language guide to PIPEDA, CASL, Quebec's Law 25, and cookie consent — what applies to you, what it costs to ignore, and what to actually put on your site.

⚡ Quick Summary (TL;DR)

If your website has a contact form, an email list, or analytics, Canadian privacy law already applies to you. PIPEDA requires meaningful consent and a clear privacy policy, CASL governs every marketing email you send (with penalties up to $10 million per violation), and Quebec's Law 25 adds EU-style opt-in rules if you have customers in Quebec. This is a plain-language walkthrough of what a small business site in Ontario actually needs. It is not legal advice, but it will tell you which questions to ask.

Here’s a quick test. Open your website, scroll to the footer, and look for a privacy policy link. Now click it.

If there’s no link, you’re in the majority of small business sites we audit, and you have a gap worth closing. If the link is there but it opens a generic template that mentions California residents and the GDPR while never mentioning Canada, you’re in the second-biggest group. Somebody copied a policy from a US template site in 2019 and nobody has read it since, including you.

I get why. Privacy compliance is nobody’s idea of a fun afternoon, and if you run a bakery in Windsor or a contracting company in the GTA, “read the Personal Information Protection and Electronic Documents Act” is never making it to the top of the to-do list. So here’s the version I wish someone had written for our clients: what the rules actually are, who they apply to, and what to do about them in practical terms.

One thing before we start: we’re a web design studio, not a law firm. This post is a map, not legal advice. For anything with real stakes, talk to a lawyer who does Canadian privacy work.

PIPEDA: the baseline for almost everyone

PIPEDA is Canada’s federal private-sector privacy law, and it applies to organizations that collect, use, or disclose personal information in the course of commercial activity. That threshold is low. A contact form asking for a name and email? Personal information. An online booking system? Personal information. Google Analytics assigning visitors an identifier? You’re in the conversation.

The core PIPEDA obligations for a typical small business website come down to a few things:

  • Tell people what you collect and why. This is the actual job of a privacy policy: what information the site collects, what you use it for, who you share it with (your email platform, your analytics provider, your payment processor), how long you keep it, and how someone can ask about their data.
  • Get meaningful consent. The Office of the Privacy Commissioner has been clear that consent only counts if a reasonable person would actually understand what they’re agreeing to. Burying tracking disclosures on page nine of a template doesn’t clear that bar.
  • Protect what you collect. If you hold customer data, you’re responsible for safeguarding it. This is where privacy law and website security turn out to be the same conversation.

The practical upshot: your privacy policy should be written for your site, naming the actual tools you use. A policy that mentions your real stack (say, “we use Google Analytics and Mailchimp”) is both more compliant and more trustworthy than a 6,000-word template that covers hypothetical practices you don’t have.

CASL: the one with the scary numbers

Canada’s Anti-Spam Legislation covers commercial electronic messages, which mostly means marketing email and texts. It’s been around since 2014, businesses still get caught by it constantly, and the penalties are the largest in this post short of Quebec’s: up to $10 million per violation for businesses. Real CRTC enforcement in recent years has landed between $5,000 and $250,000 for typical violations, which is smaller but still an awful week for a small business.

The rule that surprises people: unlike the American CAN-SPAM law, CASL is opt-in. You need consent before you email someone commercially, not just an unsubscribe link after. And “I have their email address because they contacted us once” is not blanket consent, though it can create a time-limited implied consent in some cases (this is exactly the kind of nuance where a lawyer earns their fee).

For your website, CASL translates to a few concrete rules. Don’t use pre-checked newsletter boxes; consent has to be an active choice. Keep records of when and how each subscriber opted in, which decent email platforms do automatically. Every commercial email needs your business identification and a working unsubscribe. And be careful with purchased lists. Buying email lists in Canada is close to buying liability.

Quebec’s Law 25: relevant even in Ontario

“But I’m in Ontario” is the usual response to Law 25, and it’s the wrong one. Quebec’s modernized privacy law applies based on whose data you’re handling, not where your office is. If your Windsor ecommerce store ships to Montreal, or your Toronto SaaS product has Quebec users, Law 25 is in scope for those customers.

And it’s the strictest privacy law in North America. Since September 2023, technology that can identify, locate, or profile a person must be off by default: the user has to actively turn tracking on, which is a genuinely EU-style rule. Penalties scale to $25 million or 4% of worldwide turnover, numbers written for Meta but applicable to everyone.

Realistically, the Commission d’accès à l’information is not kicking down doors in Essex County over an analytics cookie. But if Quebec customers are a meaningful slice of your business, the sensible move is to build to the strictest standard you’re exposed to, which brings us to cookies.

Cookie banners are the most visible piece of privacy law and the most misunderstood. Nobody likes them and most of them are done wrong anyway, so here’s the short version for a Canadian site:

Strictly necessary cookies (login sessions, shopping carts) don’t need consent. Analytics and advertising cookies are where the rules kick in. Under PIPEDA’s meaningful-consent guidance you should be disclosing them clearly and giving people a real choice; under Law 25, for Quebec users, they should be off until someone opts in.

What this means practically depends on your stack. If you run a brochure site with privacy-respecting analytics that don’t track individuals, you may not need a banner at all, just a clear privacy policy. If you run Google Analytics, Meta Pixel, and remarketing tags, you need a proper consent management setup where “decline” actually blocks the trackers. The worst common setup is the decorative banner: a bar that says “we use cookies” with a single OK button while every tracker fires regardless of what you click. That’s not compliance. That’s a screenshot for the plaintiff’s exhibit list.

This layer is one of the things AI website builders and vibe-coded sites skip completely, by the way. We have yet to audit an AI-generated small business site that shipped with working consent management.

While you’re at it: AODA

Different law, same footer. If you’re an Ontario organization with 50 or more employees (and any designated public-sector organization), the AODA requires your site to meet WCAG 2.0 Level AA, and even below that threshold accessibility is worth doing on the merits. We wrote a full guide to AODA website compliance for Ontario small businesses, so I won’t repeat it here, just flagging that “make the website legal” is usually a two-part job in this province: privacy and accessibility.

The realistic to-do list

For a typical Ontario small business website, getting to solid ground looks like this:

  1. Write (or rewrite) your privacy policy to describe your actual site: what you collect, which tools you use, who to contact. Link it in the footer of every page.
  2. Add terms of service if you sell, book, or accept user content through the site. Refund terms and liability limits keep small disputes small.
  3. Audit your trackers. Open your own site with your browser’s dev tools and see what actually loads. Most owners are surprised. Drop what you don’t use.
  4. Set up consent management if you track, wired so that declining actually declines. If Quebec matters to your business, default to off.
  5. Fix your email consent. No pre-checked boxes, keep opt-in records, and clean out list entries you can’t account for.
  6. Designate someone. PIPEDA expects someone to be accountable for privacy. In a five-person company that’s a hat, not a hire, but it should be someone’s hat.

None of this is a growth strategy, and I won’t pretend a privacy policy will rank you higher on Google by itself. What it does is quieter: it makes your business look legitimate to careful customers, keeps you out of avoidable enforcement letters, and means that when something does go wrong, you’re the business that took reasonable steps, which matters enormously in how these things resolve.

When we build sites at Databending, the legal layer ships with the design: policy pages, consent tooling matched to the actual trackers, CASL-safe forms. If your current site is missing some or all of it, that’s one of the faster gaps to close — usually days, not months.


Not sure what your site is missing?

We’ll take a look and give you a straight answer about what’s there, what isn’t, and what’s worth prioritizing, whether we built your site or not.

Talk to Databending

Related reading:


Sources

  1. Office of the Privacy Commissioner of Canada — PIPEDA overview and guidance
  2. CRTC — Frequently Asked Questions about Canada’s Anti-Spam Legislation
  3. CRTC — CASL Guidance on Implied Consent
  4. SendCheckIt — CASL Compliance: The Complete Guide for Canadian Email Marketing
  5. OneTrust — Quebec’s Law 25: What Is It and What Do You Need to Know?
  6. ConsentPixel — Canada Cookie Compliance 2026: PIPEDA, CASL & Quebec Law 25
  7. BDC — Canada’s anti-spam legislation: your questions answered

More Articles

View All →