Canada Cookie Compliance 2026: What PIPEDA, CASL, and Quebec Law 25 Require for Website Tracking
Most website owners assume Canada has a permissive, opt-out approach to tracking — similar to the US. It doesn't. Quebec's Law 25 is the only privacy law in North America that requires explicit opt-in consent before any tracking technology fires. Fines reach CAD $25 million or 4% of global revenue. And it applies to you even if your business has never set foot in Quebec.
In this article
- Canada's three overlapping privacy laws
- PIPEDA: the federal baseline
- CASL: tracking as "software installation"
- Quebec Law 25: North America's strictest cookie standard
- The gap most websites don't know exists
- Territorial scope: it applies to you even outside Canada
- Canada vs GDPR vs CIPA: how the standards compare
- What a compliant configuration looks like
- Canadian compliance checklist
- Frequently asked questions
Canada doesn't have one privacy law for websites — it has three, operating simultaneously at federal and provincial levels. Understanding which applies to your site, and in what combination, is the starting point for any compliance decision. The short version: PIPEDA sets the federal baseline (relatively permissive), CASL covers tracking technologies as a form of software installation (stricter on process), and Quebec's Law 25 is the most demanding — requiring explicit opt-in consent before any tracking technology fires, in a way that's directly comparable to the EU's GDPR. This article is informational and not legal advice; consult qualified counsel for your specific situation.
Canada's three overlapping privacy laws
PIPEDA
Personal Information Protection and Electronic Documents Act. Canada's federal privacy law for private-sector organisations. Sets baseline consent and transparency requirements for collecting, using, and disclosing personal information including through cookies and tracking technologies.
Allows implied consent in some low-risk tracking scenarios. Less demanding than Law 25 or GDPR. Currently being modernised — the proposed Consumer Privacy Protection Act (CPPA) would significantly tighten standards, but has not yet been enacted.
Opt-out acceptable in some casesCASL
Canada's Anti-Spam Legislation. Primarily known for email marketing rules, but CASL also applies to tracking technologies. It defines tracking scripts and pixels as "computer programs" — meaning installing them on a visitor's device without consent may constitute an unlicensed software installation.
Requires express consent before installing tracking software on someone's device. No private right of action (enforcement is by the CRTC), but fines reach CAD $10 million per violation for organisations.
Express consent for software/scriptsQuebec Law 25
Act to Modernise Legislative Provisions Respecting the Protection of Personal Information (Bill 64). Quebec's provincial privacy law — but it applies based on where the visitor is located, not where your business is. Fully in force since September 2023.
The strictest privacy standard in North America. Requires explicit opt-in consent before any tracking technology fires. Fines reach CAD $25 million or 4% of worldwide turnover. Includes a private right of action — individuals can sue directly.
Explicit opt-in — no exceptions for trackingPIPEDA: the federal baseline
PIPEDA applies to any private-sector organisation that collects, uses, or discloses personal information in the course of commercial activity in Canada — including foreign businesses targeting Canadian users. If your website tracks Canadian visitors through cookies, analytics tools, or advertising pixels, PIPEDA applies to you.
PIPEDA's consent model is more permissive than GDPR or Law 25. It allows implied consent in some scenarios where the information is not sensitive, the collection would be reasonably expected, and there is little likelihood of harm. For basic analytics that don't collect sensitive data, PIPEDA has sometimes been interpreted to allow a disclosure-plus-opt-out approach rather than active opt-in.
However, two things have changed this calculus in 2026:
- The Office of the Privacy Commissioner of Canada (OPC) has taken an increasingly GDPR-aligned position, finding that tracking technologies used for advertising and profiling purposes require meaningful consent — not merely implied acceptance. The OPC's 2019 report on consent explicitly called for stronger opt-in requirements for sensitive uses of personal data.
- If any of your Canadian visitors are located in Quebec, Law 25 — not PIPEDA — sets the applicable standard, and that standard is explicit opt-in. In practice, you cannot serve separate consent experiences to Quebec vs. non-Quebec Canadian visitors without sophisticated geo-targeting. The pragmatic choice for any website with meaningful Canadian traffic is to apply the Quebec standard across all Canadian visitors.
The proposed Consumer Privacy Protection Act (CPPA) would replace PIPEDA with a substantially tighter framework — stricter consent requirements, higher penalties (up to 5% of global revenue or CAD $25 million), and stronger individual rights. The CPPA has not yet been enacted as of July 2026, but its direction is clear: Canadian federal law is moving toward the Quebec/GDPR standard, not away from it. Building to Law 25's opt-in standard now positions your site for CPPA compliance when it arrives.
CASL: tracking technologies as software installation
CASL is widely known as Canada's anti-spam law — most website owners think of it only in the context of email marketing. But CASL has a less well-known provision that applies directly to website tracking: Section 8 prohibits installing a "computer program" on another person's computer without express consent.
The CRTC (the regulator that enforces CASL) has indicated that tracking technologies — JavaScript pixels, cookies, browser-based scripts — can fall within the definition of "computer programs" under CASL. This means that installing Meta Pixel, Google Analytics, TikTok Pixel, or any tracking script on a Canadian visitor's browser without express consent may constitute an unlicensed software installation under CASL, independently of any PIPEDA analysis.
CASL enforcement has been relatively limited on the tracking side compared to the email side, but the legal basis for fines exists and the CRTC has signalled increasing interest in tracking-related compliance. Maximum fines under CASL reach CAD $10 million per violation for organisations.
For any Canadian visitor with Quebec location, all three laws apply simultaneously. Law 25 requires explicit opt-in before tracking. CASL requires express consent before installing tracking scripts. PIPEDA requires transparency and meaningful consent for personal data collection. The most demanding standard — Law 25's explicit opt-in — satisfies all three if implemented correctly. One configuration, three laws covered.
Quebec Law 25: North America's strictest cookie standard
Quebec Law 25 (formally the Act to Modernise Legislative Provisions Respecting the Protection of Personal Information, known as Bill 64 during its legislative passage) came fully into force in September 2023. It is built on a principle of confidentiality by default: no tracking technology may be activated unless the visitor has expressly consented in advance. There is no implied consent pathway for tracking under Law 25.
What Law 25 requires specifically for cookies and tracking
- Explicit opt-in before any tracking fires. No tracking technology — not Google Analytics, not Meta Pixel, not a session replay tool — may load until the visitor has actively accepted. This is the same prior-consent standard as the EU's ePrivacy Directive, applied in a North American context.
- Granular, purpose-specific consent. Consent must be given separately for each purpose. Analytics consent does not cover advertising tracking. The visitor must be able to accept one category while declining another.
- Reject must be as easy as accept. The consent mechanism must make refusal as easy as acceptance — a prominent Accept button with a buried Reject option fails Law 25's standard, as it does under GDPR.
- Clear information before consent. Visitors must be informed of the specific tracking technologies in use and their purposes before making a consent choice. Vague references to "third-party cookies" are insufficient — the specific tools (Google Analytics, Meta Pixel) must be identified.
- Withdrawal at any time. Visitors must be able to change or revoke their consent at any time with the same ease as giving it. A preference centre accessible from every page satisfies this requirement.
- Consent records. Organisations must be able to demonstrate that consent was obtained. Timestamped consent logs tied to specific sessions are required.
- French language. For Quebec visitors, privacy notices, consent banners, and disclosures must be available in French. An English-only banner does not satisfy Law 25's transparency requirements for Quebec residents.
Law 25's private right of action
Unlike PIPEDA, GDPR, and most US state privacy laws, Law 25 includes a private right of action — individuals can sue organisations directly for breaches, without going through a regulator. Minimum damages start at CAD $1,000 per individual. For a class action covering all Quebec visitors to a non-compliant website over a multi-year period, the aggregate exposure is substantial. This is the closest equivalent Canada has to CIPA's private right of action in California — and it creates similar demand-letter risk dynamics.
The gap most websites don't know exists
The most common misconception about Canadian privacy compliance is: "Canada uses PIPEDA, PIPEDA allows opt-out, therefore my cookie notice that says 'by using this site you consent to cookies' is fine." This is wrong in two important ways.
First, even under PIPEDA, a "by continuing to browse" notice does not constitute meaningful consent for tracking technologies used for advertising or profiling — the OPC's guidance is clear that passive implied consent does not satisfy PIPEDA's requirements for sensitive uses. Second, and more critically, if any of your visitors are in Quebec, Law 25 applies and requires explicit opt-in — regardless of what PIPEDA might otherwise allow.
In practice: any website with meaningful Canadian traffic has Quebec visitors. Canada's population is approximately 24% Quebec. A website with 235 Canadian monthly sessions likely has 50–60 Quebec sessions per month. Those sessions are subject to Law 25's explicit opt-in standard. The only practical way to serve those visitors compliantly without building a Quebec-specific consent flow is to apply the Law 25 standard to all Canadian visitors — which is what a properly configured CMP with Canadian geo-targeting does.
Territorial scope: it applies to you even outside Canada
Law 25's territorial reach is based on the location of the individual whose data is being processed — not the location of the organisation. This is identical to GDPR's extraterritorial reach and to the post-Briskin expansion of CIPA's scope in California.
A business in London, Austin, Sydney, or Berlin has no Canadian office, no Canadian employees, and no Canadian marketing campaign — but if Quebec residents visit its website and tracking technologies fire before their consent, Law 25 applies. The Commission d'accès à l'information du Québec (CAI) has cross-border enforcement authority and has signalled intent to pursue organisations outside Quebec that handle Quebec residents' data without compliance.
The practical question for any website is simple: can Quebec residents access your site? If yes — Law 25 applies to those sessions.
Canada vs GDPR vs CIPA: how the standards compare
| Factor | Quebec Law 25 | GDPR (EU) | CIPA (California) | PIPEDA (Federal Canada) |
|---|---|---|---|---|
| Consent model | Explicit opt-in | Explicit opt-in | Prior affirmative consent | Implied in some cases |
| Tracking before consent | Prohibited | Prohibited | Prohibited | Allowed in limited scenarios |
| Max fine | CAD $25M or 4% revenue | €20M or 4% revenue | $5,000 per violation (private) | Currently limited (CPPA raises this) |
| Private right of action | Yes — from CAD $1,000/person | No (regulator enforces) | Yes — $5,000/violation | No (OPC enforces) |
| Territorial reach | Based on visitor location | Based on visitor location | Based on visitor location (post-Briskin) | Based on visitor location |
| Language requirement | French required for Quebec | User's language recommended | None specified | None specified |
| Consent records required | Yes | Yes | Yes (for defence) | Recommended |
| One CMP configuration covers all? | Yes — Law 25's opt-in standard satisfies GDPR, CIPA, and PIPEDA simultaneously | |||
The bottom row of that table is the most important practical point. Law 25's explicit opt-in before any tracking fires is the strictest standard across all four jurisdictions. A consent management platform configured to meet Law 25 — blocking all tracking before consent, with granular categories, timestamped logs, and a withdrawal mechanism — simultaneously satisfies GDPR for EU visitors, CIPA for California visitors, and PIPEDA for all Canadian visitors. One configuration, global coverage.
What a compliant configuration looks like
For a website with Canadian traffic, a Law 25-compliant configuration requires the following — all of which are identical to what GDPR compliance requires:
- All non-essential tracking blocked before the banner loads. Open your site in a clean browser session and check the network tab. Zero requests to Google Analytics, Meta Pixel, TikTok, LinkedIn Insight Tag, or any other tracking tool should appear before any visitor interaction. The CMP must enforce this at the script level — not merely display a notice while scripts load in the background.
- Accept and Reject with equal visual prominence. Both options must be visible on the first layer of the banner with equal button weight. Quebec's CAI has adopted the same position as France's CNIL on this: buried Reject options constitute invalid consent because they are not freely given.
- Named tools in the banner. The banner must identify specific tracking tools — not just "analytics and advertising cookies." Quebec visitors must understand that Google Analytics, Meta, and TikTok specifically will receive their data.
- French language option. For Quebec compliance, your consent banner must be available in French. This is a Law 25-specific requirement that GDPR and CIPA do not impose. If your CMP supports language detection, configure it to display French for Quebec/Canada visitors.
- Granular consent categories. Analytics and advertising must be separate consent categories. A single "non-essential cookies" toggle is insufficient — the visitor must be able to accept analytics while declining advertising independently.
- Timestamped consent records. Every consent event must be logged: when the choice was made, what banner version was shown, which categories were accepted or declined. These records are your defence in a CAI investigation or a private right of action.
- Accessible preference centre. Withdrawal of consent must be as easy as giving it. A preference centre accessible from every page — not just the footer — satisfies this requirement.
Canadian compliance checklist
Canada Cookie Compliance Checklist
PIPEDA · CASL · Quebec Law 25 · Updated for 2026 · Not legal advice
Audit — what's firing?
Consent banner
Technical enforcement
Records and proof
The bottom line
Canada's approach to website tracking is not the permissive opt-out model most website owners assume. Quebec Law 25 — North America's strictest privacy standard — requires explicit opt-in consent before any tracking technology fires, with fines up to CAD $25 million, a private right of action starting at CAD $1,000 per person, and territorial reach that applies to any website whose Quebec visitors can be tracked. Approximately 24% of Canadian web traffic originates from Quebec. Any website with meaningful Canadian traffic has Quebec visitors and is in scope. The compliance configuration that satisfies Law 25 — prior opt-in technically enforced, granular categories, timestamped logs, equal reject prominence, French language option — is identical to what GDPR requires for EU visitors and what a well-configured CMP delivers for CIPA in California. The same ConsentPixel implementation that already handles your GDPR and CIPA compliance extends to Canadian visitors automatically. One pixel, one configuration, every jurisdiction covered. This is informational, not legal advice; consult qualified counsel for specific situations.
See what fires before consent on your site for Canadian visitors
ConsentPixel — Privacy · Verified scans any website and shows exactly which tracking technologies fire before consent — the same check the CAI and plaintiff attorneys run. Free, no card required.
Scan my site freeFrequently asked questions
Does Quebec Law 25 apply to my website if I'm not based in Canada?
Yes. Law 25's territorial scope is based on where the visitor is located, not where the organisation is based. If Quebec residents visit your website and you deploy tracking technologies on them, Law 25 applies — regardless of whether your business is in the US, UK, Europe, or anywhere else. This is identical to how GDPR applies to non-EU businesses serving EU visitors. Not legal advice.
What's the difference between PIPEDA and Quebec Law 25 for cookies?
PIPEDA is Canada's federal baseline and allows implied consent in some low-risk tracking scenarios — meaning a disclosure-plus-opt-out approach may be sufficient for non-sensitive analytics under PIPEDA alone. Quebec Law 25 is stricter: it requires explicit opt-in consent before any tracking technology fires, with no implied consent pathway. Because Law 25 applies to Quebec residents based on their location, and approximately 24% of Canadian web traffic is from Quebec, the practical choice for any website with Canadian traffic is to apply Law 25's opt-in standard to all Canadian visitors. Not legal advice.
Does my consent banner need to be in French for Canadian visitors?
For Quebec visitors specifically, yes. Quebec Law 25 requires that privacy notices, consent banners, and data disclosures be provided in French — not only in English. This is a Law 25-specific requirement that GDPR and CIPA do not impose. An English-only banner does not fully satisfy Law 25's transparency requirements for Quebec residents. A CMP that supports geo-based language detection can automatically display French for Quebec and Canadian visitors. Not legal advice.
Does Google Analytics need consent for Canadian visitors?
Yes — for Quebec visitors under Law 25, and arguably for all Canadian visitors under CASL's position that tracking scripts constitute software installations requiring express consent. Google Analytics is not strictly necessary for website operation and transmits visitor data to Google's US servers. Under Law 25's explicit opt-in standard, GA4 must be blocked until consent is obtained. Not legal advice.
Can I use the same CMP configuration for GDPR, CIPA, and Canadian compliance?
Yes. Quebec Law 25's explicit opt-in standard is the most demanding of the three — and satisfying it automatically satisfies GDPR's prior consent requirement and CIPA's prior consent requirement. A CMP configured to block all tracking before consent, present Accept and Reject with equal prominence, log every consent choice with a timestamp, and support withdrawal through a persistent preference centre meets the requirements of all three simultaneously. ConsentPixel's pixel detects visitor jurisdiction automatically and applies the appropriate banner — Canadian visitors get the Law 25-compliant opt-in flow without any additional configuration on your part.