Canada has no cookie-specific law. There is no equivalent of the EU's ePrivacy Directive spelling out when a website may or may not drop a tracking pixel onto a visitor's device. What Canada does have is PIPEDA - the Personal Information Protection and Electronic Documents Act - a broad, principles-based privacy statute that has been in force since 2000 and still governs private-sector data handling at the federal level.
The short version: if your cookies collect information that can identify a person, PIPEDA applies, and you need some form of consent. But the type of consent - and therefore the type of banner - depends on what those cookies actually do.
How PIPEDA Defines Personal Information (and Why Cookies Matter)
PIPEDA defines personal information as any information about an identifiable individual. The Office of the Privacy Commissioner (OPC) has stated explicitly that data collected through online tracking and targeting for behavioural advertising purposes generally constitutes personal information under this definition. IP addresses, device identifiers, browsing history, and the profiles built from cookie data all fall within scope.
This is the critical point for website owners. A session cookie that keeps a shopping cart alive might not identify anyone on its own. But an analytics cookie like _ga from Google Analytics, which assigns a unique client ID and tracks page views across sessions, almost certainly does. So does any advertising cookie that builds a cross-site profile - _fbp from Meta, IDE from Google DoubleClick, or any similar tracker.
Once a cookie collects personal information, PIPEDA's ten Fair Information Principles kick in - most importantly, the principles of consent, identifying purposes, and limiting collection.
The Implied Consent Model: Where PIPEDA Differs from the GDPR
Under the EU's GDPR and the ePrivacy Directive, the rule is straightforward: no non-essential cookie may be set until the user gives explicit, affirmative consent. Pre-ticked boxes do not count. Continued browsing does not count. The banner must block everything until the visitor clicks "Accept".
PIPEDA takes a different approach. Section 6.1 requires that consent be "meaningful" - the individual must understand the nature, purpose, and consequences of the collection. But the form of that consent can vary. PIPEDA recognises two types:
| Consent Type | When It Applies | What It Looks Like in Practice |
|---|---|---|
| Express (opt-in) | Sensitive information, or where the collection would not be within the individual's reasonable expectations | A cookie banner that blocks non-essential cookies until the user actively agrees |
| Implied (opt-out) | Non-sensitive information, where the purpose is clear, and the individual can reasonably expect the collection | A visible notice explaining cookie use, with a clear and immediate opt-out mechanism |
The OPC's 2011 guidance on online behavioural advertising confirmed that opt-out consent for tracking cookies can be acceptable - but only if several conditions are met. The purposes must be made obvious and not buried in a privacy policy. Individuals must be informed at or before the time of collection. And the opt-out must take effect immediately and be consistent across sessions.
That last requirement matters. If a visitor opts out of tracking but the cookie reappears on the next visit, the consent is no longer valid.
When Implied Consent Is Not Enough
Implied consent has limits. The OPC has drawn clear lines around situations where express, opt-in consent is required, even under PIPEDA's more flexible framework.
Sensitive information. If cookies collect or infer health data, financial details, political opinions, or sexual orientation, express consent is mandatory. The OPC's 2014 findings against Google for serving targeted ads based on a user's browsing of health-related websites confirmed this position - inferring that someone researches sleep apnea treatments and then targeting ads accordingly crosses the sensitivity threshold.
Children. The OPC has stated that organisations should avoid tracking children and tracking on websites aimed at children altogether. Obtaining meaningful consent from young users for behavioural advertising is extremely difficult in practice, and the Commissioner's guidance treats it as a near-prohibition.
Unexpected purposes. The Home Depot case is instructive. The company shared customer email addresses and purchase data with Meta for advertising measurement. The OPC found that customers who provided emails for receipts could not have reasonably expected that data to be reused for marketing analytics. Express consent was required and had not been obtained.
In the 2024 Federal Court of Appeal ruling involving Facebook, the court upheld the OPC's finding that broad, vague privacy policies do not satisfy the meaningful consent requirement. Consent must be specific enough that users understand what they are agreeing to.
CASL and Cookies: The Software Installation Layer
PIPEDA is not the only federal law relevant to cookies. Canada's Anti-Spam Legislation (CASL) regulates the installation of "computer programs" on another person's device during commercial activity. The CRTC has confirmed that cookies, JavaScript, and HTML tracking code all fall within CASL's definition of computer programs.
CASL allows consent for cookies to be inferred from the user's conduct - provided it is reasonable to believe they consented. The one concrete example regulators have given: if a visitor disables cookies in their browser settings, the organisation does not have consent to install them. Beyond that, the guidance is thin.
The practical effect is a second, overlapping consent requirement. CASL's maximum penalty for non-compliance with its software installation rules is CAD 10 million for organisations. That figure alone makes it worth taking cookie consent seriously, even if you believe PIPEDA's implied consent threshold gives you room to operate.
Quebec's Law 25: The Stricter Standard Next Door
Any discussion of Canadian cookie consent is incomplete without mentioning Quebec. The province's Law 25 (formerly Bill 64), which came into full effect in September 2024, takes a fundamentally different approach from PIPEDA. It requires explicit, opt-in consent for all tracking technologies that identify, locate, or profile individuals. Cookies must be disabled by default. The "Refuse all" button must be as visible as "Accept all".
The penalties reflect the seriousness: administrative fines of up to CAD 10 million or 2% of global turnover, and penal fines reaching CAD 25 million or 4% of global turnover for more serious offences.
If your website has visitors from Quebec - and unless you are deliberately geo-blocking the province, it almost certainly does - you need to meet Law 25's stricter standard for those users, regardless of what PIPEDA allows elsewhere in Canada. In practice, many businesses find it simpler to adopt an opt-in model nationwide rather than maintain two separate consent flows.
PIPEDA vs GDPR: A Practical Comparison for Cookie Consent
Website owners who already comply with the GDPR's cookie consent requirements will find PIPEDA less prescriptive but not necessarily easier. Here is how the two frameworks compare on the specifics that affect your banner design:
| Requirement | GDPR / ePrivacy Directive | PIPEDA |
|---|---|---|
| Consent model | Opt-in for all non-essential cookies | Opt-out for non-sensitive; opt-in for sensitive |
| Pre-ticked boxes | Prohibited | Not compliant (consent must be meaningful) |
| Cookie wall ("accept or leave") | Generally prohibited | OPC has stated services should not be conditional on consent to unnecessary data collection |
| Right to withdraw consent | Explicit right under Article 7(3) | PIPEDA Principle 4.3.8 - individuals can withdraw at any time with reasonable notice |
| Granular category choices | Required under EDPB guidance | Not explicitly required, but recommended by the OPC for meaningful consent |
| Enforcement body | National DPAs with direct fining power | OPC investigates and reports; cannot directly impose fines (Federal Court can award remedies) |
| Maximum penalty | EUR 20 million or 4% of global revenue | CAD 100,000 per offence (PIPEDA); CAD 10 million (CASL) |
The gap in enforcement power is significant. The OPC can investigate complaints and publish findings, but it cannot directly fine organisations under PIPEDA. It can, however, refer matters to the Federal Court, which has broad remedial powers including ordering corrective action and awarding damages. If your site also serves EU visitors, you will need to meet the stricter lawful basis requirements of the GDPR alongside PIPEDA's consent framework - and configuring Google Consent Mode to respect both sets of rules is essential if you use Google tags.
What the OPC Found in Its 2024 Dark Patterns Sweep
In early 2024, the OPC participated in the Global Privacy Enforcement Network's annual privacy sweep, examining 145 Canadian websites and apps for deceptive design patterns. The results were telling: 97% of sites reviewed globally used at least one deceptive pattern. Among the Canadian sites, 22% offered no option other than "Accept" or "Accept all" for cookies, and 65% made the privacy-protective option harder to find than the data-sharing one.
The sweep signals where the OPC's attention is heading. Dark patterns in cookie banners - asymmetric button sizing, hidden reject options, confusing language - are squarely on the radar.
Bill C-27 and the CPPA: What Happened and What Comes Next
Canada's attempt to replace PIPEDA with the Consumer Privacy Protection Act (CPPA) under Bill C-27 ended when Parliament was prorogued in January 2025. The bill died on the order paper. A snap federal election in April 2025 pushed reform further down the agenda, and the new government confirmed that C-27 would not return in its original form.
A replacement bill is expected in 2026, potentially including fines of up to CAD 25 million or 5% of global revenue. The core themes - stronger consent requirements, enhanced individual rights, and real enforcement teeth - are widely expected to carry forward.
For website owners, the message is clear: build your consent practices to the standard the CPPA would have required, because that is where federal regulation is heading.
What a PIPEDA-Compliant Cookie Banner Looks Like
Given everything above, here is what a compliant approach looks like in practice. The exact implementation depends on what cookies your site uses and which provinces your visitors come from.
For websites using only strictly necessary cookies (session management, load balancing, CSRF tokens): no banner is technically required, but a clear cookie notice in your privacy policy is still good practice.
For websites using analytics cookies (Google Analytics, Matomo with cookies enabled, Hotjar): at minimum, a visible notice explaining what data is collected and an easy, immediate opt-out. Under Law 25 for Quebec visitors, you need opt-in consent before the cookies load.
For websites using advertising or cross-site tracking cookies (_fbp, IDE, retargeting pixels): express opt-in consent is the safest approach nationwide. The OPC's guidance on behavioural advertising, combined with the sensitivity analysis, makes implied consent risky for this category.
Regardless of the cookie type, the banner should:
- Appear before non-essential cookies are set
- Explain what categories of cookies are used and why
- Offer a genuine choice - not just "Accept all" with a tiny link to manage preferences
- Respect the choice immediately and consistently
- Not make cookie acceptance a condition of using the site
- Provide an easy way to change preferences after the initial choice
- Keep timestamped consent logs for accountability (PIPEDA Principle 4.1 requires you to demonstrate compliance if the OPC investigates)
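The category rules and banner requirements above can be reduced to one server-side or tag-manager decision: may this cookie be set for this visit? The sketch below is an added example, not code from the OPC or any consent product. The cookie names _ga, _gid, _fbp and IDE come from this article; "cart_session", the region code "QC", the visit fields and all function names are assumptions made for illustration.

```javascript
// Added example. Maps cookie names to categories; "cart_session" is a
// constructed stand-in for a strictly necessary session cookie.
const COOKIE_CATEGORY = new Map([
  ["cart_session", "necessary"],
  ["_ga", "analytics"], ["_gid", "analytics"],
  ["_fbp", "advertising"], ["IDE", "advertising"],
]);

// "none" = strictly necessary, "opt-out" = implied consent, "opt-in" = express.
function requiredConsent(category, region, sensitive) {
  if (category === "necessary") return "none";
  if (sensitive || region === "QC") return "opt-in"; // sensitive data, or Law 25
  if (category === "analytics") return "opt-out";    // notice plus immediate opt-out
  return "opt-in"; // advertising, and anything the scan could not classify
}

// Keeps each visitor's choice and a timestamped log for accountability.
// A real store would persist (database or first-party preference cookie)
// so that an opt-out survives across sessions.
class ConsentStore {
  constructor(clock = () => new Date()) {
    this.clock = clock;
    this.choices = new Map();
    this.log = [];
  }
  record(visitorId, category, granted) {
    this.choices.set(`${visitorId}:${category}`, granted);
    this.log.push({ visitorId, category, granted, at: this.clock().toISOString() });
  }
  choice(visitorId, category) {
    return this.choices.get(`${visitorId}:${category}`); // undefined = no choice yet
  }
}

// Decide, before any tag runs, whether a cookie may be set for this visit.
function maySetCookie(store, visit, cookieName) {
  if (!visit.cookiesEnabled) return false; // CASL: browser refuses cookies, no consent
  const category = COOKIE_CATEGORY.get(cookieName) || "unclassified";
  const model = requiredConsent(category, visit.region, visit.sensitive);
  if (model === "none") return true;
  const choice = store.choice(visit.visitorId, category);
  if (model === "opt-in") return choice === true;
  return visit.noticeShown && choice !== false; // implied consent needs the notice
}
```

Cookies that the inventory scan has not classified fall through to opt-in, so a newly added third-party script cannot set anything until it has been reviewed.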
Run a scan of your site first. Most website owners are surprised by how many cookies are present - a typical e-commerce site might have 20-40 cookies active, many of them set by third-party scripts you may not even be aware of. A cookie scanner will give you a clear inventory to work from.
Frequently Asked Questions
Does PIPEDA require opt-in consent for all cookies?
Not for all cookies. PIPEDA allows implied (opt-out) consent for non-sensitive data where the purpose is clear and the individual can reasonably expect the collection. Express opt-in consent is required for cookies that collect sensitive information, track children, or use data in ways the visitor would not expect.
Can I rely on "continued browsing" as consent under Canadian law?
This is risky. While PIPEDA's implied consent model is more flexible than the GDPR's, the OPC requires that individuals be made clearly aware of cookie purposes before or at the time of collection, with an easy and immediate opt-out. Simply stating "by continuing to browse you accept cookies" in a dismissible banner does not meet the meaningful consent standard, especially for tracking or advertising cookies.
Do I need a separate cookie banner for Quebec visitors?
Quebec's Law 25 requires explicit opt-in consent for all technologies that identify, locate, or profile individuals, with cookies disabled by default. If your website receives visitors from Quebec, those users must see a banner that blocks non-essential cookies until they actively agree. Many businesses adopt opt-in consent for all Canadian visitors rather than maintaining separate flows.
What is the maximum penalty for non-compliance with cookie consent in Canada?
Under PIPEDA, organisations face fines of up to CAD 100,000 per offence. CASL carries penalties up to CAD 10 million for organisations. Quebec's Law 25 can impose administrative fines of up to CAD 10 million or 2% of global turnover, and penal fines of up to CAD 25 million or 4% of global turnover. Future federal legislation is expected to introduce penalties of up to CAD 25 million or 5% of global revenue.
Does Google Analytics require express consent under PIPEDA?
Google Analytics collects IP addresses, device identifiers, and detailed browsing behaviour through cookies like _ga and _gid. The OPC's guidance suggests this type of data collection requires, at minimum, clear notice and an effective opt-out mechanism. For Quebec visitors, express opt-in consent is required under Law 25 before the analytics script loads.
How does CASL affect cookie consent separately from PIPEDA?
CASL regulates the installation of computer programs - including cookies and tracking scripts - on a person's device. It allows consent to be inferred from the user's conduct, but if a user disables cookies in their browser, no consent can be assumed. CASL and PIPEDA operate as overlapping requirements: you need to satisfy both when setting cookies that collect personal information during commercial activity.
Will the new federal privacy law (CPPA) change cookie consent requirements?
Bill C-27, which included the CPPA, died in Parliament in January 2025. A replacement bill is expected in 2026, likely with stricter consent rules, enhanced individual rights, and significantly higher penalties (up to CAD 25 million or 5% of global revenue). The new law is expected to limit the use of implied consent and bring federal rules closer to the GDPR standard. Building to that higher standard now avoids a costly retrofit later.
Get Your Cookie Consent Right
If you are unsure what cookies your site sets or whether your current consent mechanism meets PIPEDA's requirements, start with a scan. Kukie.io detects first-party and third-party cookies, categorises them, and gives you a clear picture of what needs consent - so you can build a banner that satisfies both PIPEDA and Quebec's Law 25 without guessing.