Canada's PIPEDA (Personal Information Protection and Electronic Documents Act) is not structured like the GDPR. Rather than laying out detailed rules in numbered articles, PIPEDA delegates much of the heavy lifting to Schedule 1 - a set of 10 fair information principles originally drawn from the CSA Model Code for the Protection of Personal Information, developed in 1996. These principles form the legal backbone of how private-sector organisations in Canada must handle personal data.
For website owners, every cookie set, every analytics script loaded, and every form submitted falls under these principles.
Where the 10 Principles Come From
The fair information principles predate PIPEDA itself. A 45-member committee at the Canadian Standards Association developed them in 1996, drawing on internationally recognised data protection concepts. When Parliament enacted PIPEDA in 2000, it incorporated these principles as Schedule 1, giving them the force of law under section 5(1).
The Office of the Privacy Commissioner of Canada (OPC) treats these principles as binding obligations. In 2023-2024, the OPC received over 1,200 complaints under PIPEDA and published findings on 47 formal cases. High-profile investigations - including a joint inquiry with the UK's ICO into the 23andMe data breach (PIPEDA Findings #2025-001) and a finding against Google's search engine (PIPEDA Findings #2025-002) - demonstrate that these principles carry real enforcement weight.
Principle 1: Accountability
An organisation is responsible for personal information under its control and must designate someone accountable for compliance. For a website, this means someone - often called a Chief Privacy Officer or privacy lead - must own the data protection programme.
Accountability extends beyond your own servers. If you use third-party processors (payment gateways, email platforms, cloud hosting), you remain responsible for how they handle data. Clause 4.1 of Schedule 1 requires comparable protection through contractual or other means, and the OPC expects organisations to advise individuals when their information may be processed in another jurisdiction.
Principle 2: Identifying Purposes
You must identify the purposes for collecting personal information before or at the time of collection. On a website, this translates to clearly stating why you collect data - in your privacy policy, in your cookie banner, and at the point of collection itself.
Vague statements like "we collect data to improve our services" are insufficient. If you are collecting an email address to send a newsletter, say so. If _ga cookies are tracking page views for analytics, declare that specific purpose. The OPC found Home Depot in violation of PIPEDA for sharing customer emails and purchase data with Meta for advertising measurement without informing customers - a textbook failure of this principle.
Principle 3: Consent
This is the principle that most directly affects cookie banners and tracking scripts. Section 6.1 of PIPEDA states that consent is only valid if a reasonable person would understand the nature, purpose, and consequences of the collection.
PIPEDA recognises two consent types: express (opt-in) and implied (opt-out). Sensitive data - health information, financial records, precise geolocation - requires express consent. For less sensitive data collected in ways that align with reasonable expectations, implied consent may suffice. The Federal Court of Appeal confirmed in 2024 that Facebook violated PIPEDA by failing to obtain meaningful consent when a third-party app collected user data for purposes most people would not expect.
For cookies specifically, the OPC's guidance on online behavioural advertising states that any collection or use of browsing activity must happen with the individual's knowledge and consent. Technologies that prevent users from opting out - zombie cookies, super cookies, and device fingerprinting - should not be used for advertising if no viable control mechanism exists.
Consent and Cookies: Where PIPEDA Differs from the GDPR
| Aspect | PIPEDA (Canada) | GDPR / ePrivacy (EU) |
|---|---|---|
| Consent model | Express or implied, depending on sensitivity | Prior opt-in for all non-essential cookies |
| Implied consent for analytics | Allowed if data is not sensitive and expectations are reasonable | Not permitted - opt-in required |
| Cookie banner required? | Not explicitly, but practically necessary to demonstrate consent | Yes, under the ePrivacy Directive |
| Withdrawal of consent | Must be possible at any time | Must be as easy as giving consent |
| Maximum penalties | CAD 100,000 per offence (current PIPEDA) | Up to 20 million EUR or 4% of global turnover |
Principle 4: Limiting Collection
Collect only what you need. Clause 4.4 states that collection must be limited to what is necessary for the identified purposes, using fair and lawful means.
On a practical level, your website should not be loading 30 tracking scripts if you only need basic analytics. A cookie scan often reveals third-party cookies the site owner did not know existed - remnants of old plugins, embedded widgets, or advertising tags from previous campaigns.
Principle 5: Limiting Use, Disclosure, and Retention
Personal information must not be used or disclosed for purposes other than those for which it was collected, unless the individual consents or the law requires it. Data should only be retained as long as necessary.
This principle catches many website owners off guard. You collected email addresses for order confirmations, then added them to a marketing list without fresh consent. Or you kept analytics data indefinitely because "storage is cheap." Setting clear retention periods in your privacy policy and configuring your analytics platform to auto-delete data after a defined window directly addresses Clause 4.5 of Schedule 1.
Principle 6: Accuracy
Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used. For website operators, this matters when maintaining customer accounts, mailing lists, or user profiles.
The OPC's 2025 investigation into Google's search engine explored whether accuracy obligations extend to third-party content. The Commissioner found they do not cover the underlying content of linked articles - but the case shows how broadly accuracy questions can arise.
Principle 7: Safeguards
Personal information must be protected by security safeguards appropriate to its sensitivity. Clause 4.7 covers physical, organisational, and technological measures.
The 23andMe breach investigation (PIPEDA Findings #2025-001) found "numerous deficiencies" - no default multi-factor authentication, insufficient login monitoring, and delayed notification to affected individuals. For website owners, Principle 7 means HTTPS everywhere, secure cookie flags (Secure, HttpOnly, SameSite), and keeping third-party integrations patched.
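As an added example (not code from the original page or from any product it mentions), the following Python script checks raw Set-Cookie headers against the Principle 7 flags named above and against a retention window from Principle 5; the sample headers, the 400-day window and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Flags the article calls out under Principle 7 (Safeguards):
# Secure limits the cookie to HTTPS, HttpOnly hides it from scripts,
# SameSite limits cross-site sending.
REQUIRED_FLAGS = ("Secure", "HttpOnly", "SameSite")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {lowercase attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cookie_lifetime_days(attrs, now):
    """Lifetime in days from Max-Age (takes precedence) or Expires; None = session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None

def audit_set_cookie(header, retention_days, now=None):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    findings = [f"missing {f}" for f in REQUIRED_FLAGS if f.lower() not in attrs]
    # SameSite=None only works (and is only safe) together with Secure.
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    life = cookie_lifetime_days(attrs, now)
    if life is not None and life > retention_days:
        findings.append(f"lifetime {life:.0f} days exceeds retention window of {retention_days}")
    return name, findings

# Constructed sample headers: a two-year analytics cookie set without flags,
# and a well-configured session cookie. Retention window (400 days) is assumed.
SAMPLE_HEADERS = [
    "_ga=GA1.2.000000000.0000000000; Max-Age=63072000; Path=/",
    "session=constructed-id; Path=/; Secure; HttpOnly; SameSite=Strict",
]

def audit_all(headers=SAMPLE_HEADERS, retention_days=400):
    return {name: findings for name, findings in
            (audit_set_cookie(h, retention_days) for h in headers)}
```

Run `audit_all()` to get a per-cookie list of findings; an empty list means the cookie passed every check.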
Principle 8: Openness
Your organisation must make its privacy policies and practices readily available. A privacy policy buried three clicks deep in a footer, written in dense legal language, does not meet the spirit of Clause 4.8.
Your consent mechanism should complement a clear, accessible privacy policy explaining what data you collect, why, who receives it, and how long you keep it. The OPC recommends plain language and a format that avoids unexplained acronyms or ambiguous catchall clauses.
Principle 9: Individual Access
Individuals have the right to know what personal information you hold about them, how it was obtained, and who it has been disclosed to. They can challenge the accuracy of that information. Under PIPEDA, you must respond to access requests within 30 days.
Website owners often overlook that cookie data, analytics profiles, and advertising identifiers constitute personal information under PIPEDA. If a Canadian visitor submits an access request, your answer may need to include browser fingerprints, IP-based geolocation records, and behavioural profiles assembled through marketing pixels.
Principle 10: Challenging Compliance
Individuals must be able to challenge your compliance with these principles. Your organisation needs complaint-handling procedures and must inform people about escalating concerns to the OPC.
While PIPEDA's penalty framework is modest compared to the GDPR - fines cap at CAD 100,000 per offence - the reputational damage from a published finding can be significant. The OPC names organisations publicly when it deems this to be in the public interest.
What Is Changing: The CPPA and Bill C-27
PIPEDA was written in 2000 and has not received a comprehensive update since. The Canadian government attempted to replace it with the Consumer Privacy Protection Act (CPPA) through Bill C-27, but the bill died on the Order Paper when Parliament was prorogued in January 2025. A snap federal election in April 2025 pushed reform further down the road.
A new federal privacy statute is expected in late 2025 or early 2026, with penalties potentially reaching CAD 25 million or 5% of gross global revenue. Until that legislation passes, PIPEDA and its 10 fair information principles remain the federal standard. Organisations operating in Quebec must also comply with Law 25, which imposes stricter requirements including mandatory opt-in consent for non-essential cookies and penalties of up to CAD 10 million or 2% of worldwide turnover.
A Practical Checklist for Website Owners
Mapping the 10 principles to website operations:

1. Appoint someone accountable for privacy (Principle 1).
2. Document collection purposes in your policy and banner (Principle 2).
3. Obtain meaningful consent before non-essential cookies (Principle 3).
4. Audit scripts and remove unnecessary trackers (Principle 4).
5. Set and enforce retention periods (Principle 5).
6. Keep records accurate (Principle 6).
7. Secure your site with HTTPS and secure cookie flags (Principle 7).
8. Publish a clear privacy policy (Principle 8).
9. Handle access requests within 30 days (Principle 9).
10. Provide a complaint mechanism referencing the OPC (Principle 10).
Frequently Asked Questions
Does PIPEDA require a cookie consent banner on my website?
PIPEDA does not explicitly mandate a banner, but it requires meaningful consent before collecting personal information. Because cookies collect data like IP addresses and browsing behaviour, a consent banner is the most practical way to meet this obligation.
Can I rely on implied consent for analytics cookies under PIPEDA?
Potentially, yes - if the data collected is not sensitive and the collection aligns with what a reasonable visitor would expect. You still need to be transparent about what you collect and provide an opt-out mechanism. The OPC guidance on online behavioural advertising outlines these conditions.
What is the maximum fine for violating PIPEDA's fair information principles?
Under current PIPEDA, organisations that commit offences can be fined up to CAD 100,000 per violation. The proposed CPPA would have raised this to CAD 25 million or 5% of global revenue. Until new legislation passes, the CAD 100,000 cap applies, but the Federal Court can also award damages to individuals.
Do the 10 fair information principles apply to my website if I am outside Canada?
PIPEDA applies to any private-sector organisation that collects, uses, or discloses personal information of Canadians in the course of commercial activity. If your website targets Canadian visitors, sets cookies on their devices, or processes their data for commercial purposes, the principles likely apply to you.
How does PIPEDA's consent requirement differ from the GDPR?
The GDPR and the ePrivacy Directive require prior opt-in consent for all non-essential cookies. PIPEDA allows implied consent in some situations - particularly for less sensitive data where collection aligns with reasonable expectations. Express consent is still needed for sensitive personal information.
Is PIPEDA being replaced by the CPPA?
Bill C-27, which contained the CPPA, died when Parliament was prorogued in January 2025. A new federal privacy statute is expected to be introduced in late 2025 or early 2026, but until it passes, PIPEDA remains in force. The 10 fair information principles are expected to carry forward into any replacement law.
Get Your Cookie Compliance Right
If your website collects data from Canadian visitors, the 10 fair information principles are your compliance baseline. Kukie.io scans your site for cookies and third-party trackers, categorises them, and generates a consent banner that gives visitors a genuine choice.