1. Primary Privacy Laws
- PIPEDA (Federal): Governs how private-sector organizations collect, use, and disclose personal information during commercial activities. It applies to most businesses in Canada and international organizations that handle the data of Canadian residents.
- Provincial Laws: Alberta, British Columbia, and Quebec have private-sector privacy statutes deemed "substantially similar" to PIPEDA. Within those provinces they apply instead of PIPEDA to intra-provincial activity; PIPEDA still applies to federally regulated businesses and to personal information that crosses provincial or national borders:
- Quebec Law 25: Currently the strictest in Canada, requiring explicit "opt-in" consent for many tracking technologies and providing a private right of action for residents.
- Alberta PIPA and BC PIPA: Similar to PIPEDA but with specific local nuances, such as PIPA Alberta's unique cross-border notification requirements.
- CASL (Anti-Spam Law): Governs commercial electronic messages (emails/texts) and requires express or implied consent for marketing.
2. Mandatory Website Requirements
To comply with these laws in 2026, websites must implement the following:
- Privacy Policy: Must be readily visible (typically in the footer) and written in plain language.
- Consent Management: Obtain "meaningful consent" at or before the time of collection.
- Cookie Notices: Inform visitors if cookies or tracking technologies are used. Under Quebec Law 25, non-essential cookies must be "off" by default and may only be set after the visitor opts in; cookies strictly necessary for the site to function are exempt.
- Designated Accountability: Appoint an individual (e.g., Privacy Officer) responsible for compliance and list their contact information in the privacy policy.
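The opt-in requirement above has a concrete engineering consequence: no non-essential tag may run, and no non-essential cookie may exist, until a recorded consent decision permits it. The following is an added example (not code from the page or from any regulator) of a small consent manager that enforces that default. The cookie names, category names, policy-version string, and the in-memory cookie jar are all assumptions for illustration; in a browser the jar would be backed by `document.cookie`.

```javascript
"use strict";

// Registry of first-party cookies grouped by purpose. "essential" cookies are
// needed for the site to work and are exempt from consent; every other
// category is non-essential and stays off until the visitor opts in.
// (Cookie names are illustrative assumptions, not real tracker identifiers.)
const COOKIE_REGISTRY = {
  session_id: "essential",
  csrf_token: "essential",
  analytics_uid: "analytics",
  ad_click_id: "marketing",
};
const NON_ESSENTIAL_CATEGORIES = ["analytics", "marketing"];

// Minimal cookie-jar abstraction so the logic runs outside a browser.
// A real deployment would read and clear document.cookie instead.
function memoryJar(initial = {}) {
  const store = new Map(Object.entries(initial));
  return {
    names: () => [...store.keys()],
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
  };
}

// A consent record with nothing granted: the mandatory starting state.
// decidedAt stays null until the visitor has actually made a choice.
function emptyConsent(policyVersion) {
  const granted = {};
  for (const c of NON_ESSENTIAL_CATEGORIES) granted[c] = false;
  return { policyVersion, decidedAt: null, granted };
}

function createConsentManager({ jar, policyVersion, stored = null, now = () => Date.now() }) {
  // Consent given under an earlier policy version does not carry over to the
  // current one, so a stale stored record is discarded and the visitor re-asked.
  let record = stored && stored.policyVersion === policyVersion
    ? stored
    : emptyConsent(policyVersion);

  function isAllowed(category) {
    if (category === "essential") return true;
    return record.granted[category] === true;
  }

  // Remove every cookie whose category is not currently permitted. Run this on
  // each page load and after withdrawal so a cookie set before consent, or
  // left behind after withdrawal, does not persist. Cookies missing from the
  // registry cannot be shown to be consented to, so they are removed as well.
  function enforce() {
    const removed = [];
    for (const name of jar.names()) {
      const category = COOKIE_REGISTRY[name] ?? "unclassified";
      if (!isAllowed(category)) {
        jar.remove(name);
        removed.push(name);
      }
    }
    return removed;
  }

  // Record a decision. An empty list is an explicit "reject all"; a later
  // decision replaces the earlier one entirely, so it also works as withdrawal.
  function decide(categories) {
    const next = emptyConsent(policyVersion);
    for (const c of categories) {
      if (!NON_ESSENTIAL_CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      next.granted[c] = true;
    }
    next.decidedAt = now();
    record = next;
    return record;
  }

  function withdraw() {
    decide([]);
    return enforce();
  }

  // Gate for non-essential tags: the loader runs only if consent is recorded.
  function loadTag(category, loader) {
    if (!isAllowed(category)) return false;
    loader();
    return true;
  }

  return {
    isAllowed, enforce, decide, withdraw, loadTag,
    record: () => record,
    needsPrompt: () => record.decidedAt === null,
  };
}
```

The record keeps the policy version and a timestamp so the site can later demonstrate what the visitor agreed to and when; `enforce()` is the part most consent banners omit, and without it a tag that fires before the banner is answered leaves a cookie that the visitor never consented to.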
3. Core Compliance Principles (The 10 Principles)
Canadian privacy laws are built on these fair information principles:
- Accountability: You are responsible for personal info under your control.
- Identifying Purposes: State why you are collecting data before you collect it.
- Consent: Knowledge and consent are required for the collection, use, and disclosure of personal information, except in the limited circumstances the law specifically permits.
- Limiting Collection: Collect only what is necessary for the purposes you have identified, and collect it by fair and lawful means.
- Limiting Use/Retention: Only use data for the stated purpose and delete it when no longer needed.
- Accuracy: Ensure data is correct and up-to-date.
- Safeguards: Protect data with security measures appropriate to its sensitivity.
- Openness: Make your specific data policies publicly available.
- Individual Access: Users have the right to see their data and request corrections.
- Challenging Compliance: Provide a way for users to complain about your data handling.
4. Enforcement and Penalties
Failure to comply can lead to significant financial consequences:
- Federal (PIPEDA): Fines of up to $100,000 per violation for specific offences, such as knowingly failing to report or record a breach of security safeguards.
- Quebec (Law 25): The highest penalties in Canada. Administrative monetary penalties reach $10 million or 2% of worldwide turnover, and penal fines reach $25 million or 4% of worldwide turnover, whichever is greater.
- CASL: Administrative penalties for sending commercial electronic messages without consent can reach $10 million per violation for corporations.