ConsentPixel – Privacy · Verified

Canada · Privacy Law · PIPEDA & Law 25

Canada Cookie Compliance 2026: What PIPEDA, CASL, and Quebec Law 25 Require for Website Tracking

Most website owners assume Canada has a permissive, opt-out approach to tracking — similar to the US. It doesn't. Quebec's Law 25 is the only privacy law in North America that requires explicit opt-in consent before any tracking technology fires. Fines reach CAD $25 million or 4% of global revenue. And it applies to you even if your business has never set foot in Quebec.

By the ConsentPixel — Privacy · Verified team July 2026 12 min read For Canadian websites and any site with Canadian traffic
CAD $25M
Maximum fine under Quebec Law 25 — or 4% of worldwide revenue, whichever is higher
Opt-in only
Quebec Law 25 is the only North American privacy law requiring explicit opt-in consent for tracking cookies — stricter than PIPEDA's opt-out baseline
Territorial
Law 25 applies based on where the visitor is located — not where your business is. Quebec residents = in scope, regardless of your country

Canada doesn't have one privacy law for websites — it has three, operating simultaneously at federal and provincial levels. Understanding which applies to your site, and in what combination, is the starting point for any compliance decision. The short version: PIPEDA sets the federal baseline (relatively permissive), CASL covers tracking technologies as a form of software installation (stricter on process), and Quebec's Law 25 is the most demanding — requiring explicit opt-in consent before any tracking technology fires, in a way that's directly comparable to the EU's GDPR. This article is informational and not legal advice; consult qualified counsel for your specific situation.

Canada's three overlapping privacy laws

Federal · Canada-wide

PIPEDA

Personal Information Protection and Electronic Documents Act. Canada's federal privacy law for private-sector organisations. Sets baseline consent and transparency requirements for collecting, using, and disclosing personal information including through cookies and tracking technologies.

Allows implied consent in some low-risk tracking scenarios. Less demanding than Law 25 or GDPR. Currently being modernised — the proposed Consumer Privacy Protection Act (CPPA) would significantly tighten standards, but has not yet been enacted.

Opt-out acceptable in some cases
Federal · Canada-wide

CASL

Canada's Anti-Spam Legislation. Primarily known for email marketing rules, but CASL also applies to tracking technologies. It defines tracking scripts and pixels as "computer programs" — meaning installing them on a visitor's device without consent may constitute an unlicensed software installation.

Requires express consent before installing tracking software on someone's device. No private right of action (enforcement is by the CRTC), but fines reach CAD $10 million per violation for organisations.

Express consent for software/scripts
Provincial · Quebec only (but territorial)

Quebec Law 25

Act to Modernise Legislative Provisions Respecting the Protection of Personal Information (Bill 64). Quebec's provincial privacy law — but it applies based on where the visitor is located, not where your business is. Fully in force since September 2023.

The strictest privacy standard in North America. Requires explicit opt-in consent before any tracking technology fires. Fines reach CAD $25 million or 4% of worldwide turnover. Includes a private right of action — individuals can sue directly.

Explicit opt-in — no exceptions for tracking

PIPEDA: the federal baseline

PIPEDA applies to any private-sector organisation that collects, uses, or discloses personal information in the course of commercial activity in Canada — including foreign businesses targeting Canadian users. If your website tracks Canadian visitors through cookies, analytics tools, or advertising pixels, PIPEDA applies to you.

PIPEDA's consent model is more permissive than GDPR or Law 25. It allows implied consent in some scenarios where the information is not sensitive, the collection would be reasonably expected, and there is little likelihood of harm. For basic analytics that don't collect sensitive data, PIPEDA has sometimes been interpreted to allow a disclosure-plus-opt-out approach rather than active opt-in.

However, two things have changed this calculus in 2026:

  • The Office of the Privacy Commissioner of Canada (OPC) has taken an increasingly GDPR-aligned position, finding that tracking technologies used for advertising and profiling purposes require meaningful consent — not merely implied acceptance. The OPC's 2019 report on consent explicitly called for stronger opt-in requirements for sensitive uses of personal data.
  • If any of your Canadian visitors are located in Quebec, Law 25 — not PIPEDA — sets the applicable standard, and that standard is explicit opt-in. In practice, you cannot serve separate consent experiences to Quebec vs. non-Quebec Canadian visitors without sophisticated geo-targeting. The pragmatic choice for any website with meaningful Canadian traffic is to apply the Quebec standard across all Canadian visitors.
PIPEDA is being replaced

The proposed Consumer Privacy Protection Act (CPPA) would replace PIPEDA with a substantially tighter framework — stricter consent requirements, higher penalties (up to 5% of global revenue or CAD $25 million), and stronger individual rights. The CPPA has not yet been enacted as of July 2026, but its direction is clear: Canadian federal law is moving toward the Quebec/GDPR standard, not away from it. Building to Law 25's opt-in standard now positions your site for CPPA compliance when it arrives.

CASL: tracking technologies as software installation

CASL is widely known as Canada's anti-spam law — most website owners think of it only in the context of email marketing. But CASL has a less well-known provision that applies directly to website tracking: Section 8 prohibits installing a "computer program" on another person's computer without express consent.

The CRTC (the regulator that enforces CASL) has indicated that tracking technologies — JavaScript pixels, cookies, browser-based scripts — can fall within the definition of "computer programs" under CASL. This means that installing Meta Pixel, Google Analytics, TikTok Pixel, or any tracking script on a Canadian visitor's browser without express consent may constitute an unlicensed software installation under CASL, independently of any PIPEDA analysis.

CASL enforcement has been relatively limited on the tracking side compared to the email side, but the legal basis for fines exists and the CRTC has signalled increasing interest in tracking-related compliance. Maximum fines under CASL reach CAD $10 million per violation for organisations.

The CASL + PIPEDA + Law 25 stack

For any Canadian visitor with Quebec location, all three laws apply simultaneously. Law 25 requires explicit opt-in before tracking. CASL requires express consent before installing tracking scripts. PIPEDA requires transparency and meaningful consent for personal data collection. The most demanding standard — Law 25's explicit opt-in — satisfies all three if implemented correctly. One configuration, three laws covered.

Quebec Law 25: North America's strictest cookie standard

Quebec Law 25 (formally the Act to Modernise Legislative Provisions Respecting the Protection of Personal Information, known as Bill 64 during its legislative passage) came fully into force in September 2023. It is built on a principle of confidentiality by default: no tracking technology may be activated unless the visitor has expressly consented in advance. There is no implied consent pathway for tracking under Law 25.

What Law 25 requires specifically for cookies and tracking

  • Explicit opt-in before any tracking fires. No tracking technology — not Google Analytics, not Meta Pixel, not a session replay tool — may load until the visitor has actively accepted. This is the same prior-consent standard as the EU's ePrivacy Directive, applied in a North American context.
  • Granular, purpose-specific consent. Consent must be given separately for each purpose. Analytics consent does not cover advertising tracking. The visitor must be able to accept one category while declining another.
  • Reject must be as easy as accept. The consent mechanism must make refusal as easy as acceptance — a prominent Accept button with a buried Reject option fails Law 25's standard, as it does under GDPR.
  • Clear information before consent. Visitors must be informed of the specific tracking technologies in use and their purposes before making a consent choice. Vague references to "third-party cookies" are insufficient — the specific tools (Google Analytics, Meta Pixel) must be identified.
  • Withdrawal at any time. Visitors must be able to change or revoke their consent at any time with the same ease as giving it. A preference centre accessible from every page satisfies this requirement.
  • Consent records. Organisations must be able to demonstrate that consent was obtained. Timestamped consent logs tied to specific sessions are required.
  • French language. For Quebec visitors, privacy notices, consent banners, and disclosures must be available in French. An English-only banner does not satisfy Law 25's transparency requirements for Quebec residents.

Law 25's private right of action

Unlike PIPEDA, GDPR, and most US state privacy laws, Law 25 includes a private right of action — individuals can sue organisations directly for breaches, without going through a regulator. Minimum damages start at CAD $1,000 per individual. For a class action covering all Quebec visitors to a non-compliant website over a multi-year period, the aggregate exposure is substantial. This is the closest equivalent Canada has to CIPA's private right of action in California — and it creates similar demand-letter risk dynamics.

The gap most websites don't know exists

The most common misconception about Canadian privacy compliance is: "Canada uses PIPEDA, PIPEDA allows opt-out, therefore my cookie notice that says 'by using this site you consent to cookies' is fine." This is wrong in two important ways.

First, even under PIPEDA, a "by continuing to browse" notice does not constitute meaningful consent for tracking technologies used for advertising or profiling — the OPC's guidance is clear that passive implied consent does not satisfy PIPEDA's requirements for sensitive uses. Second, and more critically, if any of your visitors are in Quebec, Law 25 applies and requires explicit opt-in — regardless of what PIPEDA might otherwise allow.

In practice: any website with meaningful Canadian traffic has Quebec visitors. Canada's population is approximately 24% Quebec. A website with 235 Canadian monthly sessions likely has 50–60 Quebec sessions per month. Those sessions are subject to Law 25's explicit opt-in standard. The only practical way to serve those visitors compliantly without building a Quebec-specific consent flow is to apply the Law 25 standard to all Canadian visitors — which is what a properly configured CMP with Canadian geo-targeting does.

Canada's three-law stack — Law 25 sets the practical floor PIPEDA (Federal) — applies Canada-wide · Opt-out acceptable in some low-risk tracking scenarios All Canadian visitors · baseline standard CASL (Federal) — tracking scripts may require express consent as "software installation" All Canadian visitors · stricter on tracking scripts specifically Quebec Law 25 (Provincial) — explicit opt-in BEFORE any tracking fires Quebec residents only — but ~24% of all Canadian traffic · sets practical floor for any CMP
Law 25 applies only to Quebec residents — but because ~24% of Canadian traffic is from Quebec, applying the Law 25 standard to all Canadian visitors is the only practical compliance approach.

Territorial scope: it applies to you even outside Canada

Law 25's territorial reach is based on the location of the individual whose data is being processed — not the location of the organisation. This is identical to GDPR's extraterritorial reach and to the post-Briskin expansion of CIPA's scope in California.

A business in London, Austin, Sydney, or Berlin has no Canadian office, no Canadian employees, and no Canadian marketing campaign — but if Quebec residents visit its website and tracking technologies fire before their consent, Law 25 applies. The Commission d'accès à l'information du Québec (CAI) has cross-border enforcement authority and has signalled intent to pursue organisations outside Quebec that handle Quebec residents' data without compliance.

The practical question for any website is simple: can Quebec residents access your site? If yes — Law 25 applies to those sessions.

Canada vs GDPR vs CIPA: how the standards compare

FactorQuebec Law 25GDPR (EU)CIPA (California)PIPEDA (Federal Canada)
Consent modelExplicit opt-inExplicit opt-inPrior affirmative consentImplied in some cases
Tracking before consentProhibitedProhibitedProhibitedAllowed in limited scenarios
Max fineCAD $25M or 4% revenue€20M or 4% revenue$5,000 per violation (private)Currently limited (CPPA raises this)
Private right of actionYes — from CAD $1,000/personNo (regulator enforces)Yes — $5,000/violationNo (OPC enforces)
Territorial reachBased on visitor locationBased on visitor locationBased on visitor location (post-Briskin)Based on visitor location
Language requirementFrench required for QuebecUser's language recommendedNone specifiedNone specified
Consent records requiredYesYesYes (for defence)Recommended
One CMP configuration covers all?Yes — Law 25's opt-in standard satisfies GDPR, CIPA, and PIPEDA simultaneously

The bottom row of that table is the most important practical point. Law 25's explicit opt-in before any tracking fires is the strictest standard across all four jurisdictions. A consent management platform configured to meet Law 25 — blocking all tracking before consent, with granular categories, timestamped logs, and a withdrawal mechanism — simultaneously satisfies GDPR for EU visitors, CIPA for California visitors, and PIPEDA for all Canadian visitors. One configuration, global coverage.

What a compliant configuration looks like

For a website with Canadian traffic, a Law 25-compliant configuration requires the following — all of which are identical to what GDPR compliance requires:

  • All non-essential tracking blocked before the banner loads. Open your site in a clean browser session and check the network tab. Zero requests to Google Analytics, Meta Pixel, TikTok, LinkedIn Insight Tag, or any other tracking tool should appear before any visitor interaction. The CMP must enforce this at the script level — not merely display a notice while scripts load in the background.
  • Accept and Reject with equal visual prominence. Both options must be visible on the first layer of the banner with equal button weight. Quebec's CAI has adopted the same position as France's CNIL on this: buried Reject options constitute invalid consent because they are not freely given.
  • Named tools in the banner. The banner must identify specific tracking tools — not just "analytics and advertising cookies." Quebec visitors must understand that Google Analytics, Meta, and TikTok specifically will receive their data.
  • French language option. For Quebec compliance, your consent banner must be available in French. This is a Law 25-specific requirement that GDPR and CIPA do not impose. If your CMP supports language detection, configure it to display French for Quebec/Canada visitors.
  • Granular consent categories. Analytics and advertising must be separate consent categories. A single "non-essential cookies" toggle is insufficient — the visitor must be able to accept analytics while declining advertising independently.
  • Timestamped consent records. Every consent event must be logged: when the choice was made, what banner version was shown, which categories were accepted or declined. These records are your defence in a CAI investigation or a private right of action.
  • Accessible preference centre. Withdrawal of consent must be as easy as giving it. A preference centre accessible from every page — not just the footer — satisfies this requirement.

Canadian compliance checklist

Canada Cookie Compliance Checklist

PIPEDA · CASL · Quebec Law 25 · Updated for 2026 · Not legal advice

Audit — what's firing?

Network tab test. Open your site in a clean browser with no cookies or extensions. Filter network requests for google-analytics.com, connect.facebook.net, analytics.tiktok.com, snap.licdn.com, and other tracker domains. If any fire before a consent interaction — non-compliant under Law 25 and likely CASL.
Identify all tracking tools in use. List every analytics, advertising, session replay, and heatmapping tool installed on your site. Categorise each as strictly necessary (exempt) or non-essential (requires consent). If you're unsure whether a tool is strictly necessary — it isn't.

Consent banner

Accept and Reject are equally prominent on the first banner layer. Both buttons must be visible without clicking "Manage preferences." Equal size, equal visual weight, on the same layer.
All non-essential categories default to off. No pre-ticked boxes. Visitors must actively enable analytics, advertising, and any other non-essential category.
Named tools disclosed. The banner text (not just the linked privacy policy) identifies specific tracking tools in use — Google Analytics, Meta Pixel, etc. — and their purpose.
French language banner available for Quebec visitors. If your CMP supports geo-based language detection, configure French display for Canadian visitors. At minimum, provide a French version of the consent banner accessible from the banner itself.
Granular categories — analytics and advertising are separate. Visitors must be able to accept one without accepting the other.

Technical enforcement

CMP blocks all non-essential scripts before consent. The CMP must prevent script execution — not just display a notice. Verify in DevTools that zero tracking requests appear before consent.
Preference centre accessible from every page. A persistent link from the footer or cookie icon allowing visitors to update or withdraw consent at any time.
Returning visitor consent state restores before scripts fire. For returning visitors with a previous consent choice, the CMP must read and apply that state before any tracking scripts load on the new session.

Records and proof

Timestamped consent logs stored. Every consent event logged with: timestamp, banner version shown, categories accepted or declined, session identifier. Exportable for regulatory inquiry or litigation defence.
Privacy policy updated. Names all third-party tracking tools, explains data flows to US servers (Google, Meta, TikTok), and explains how visitors can withdraw consent. Required under both PIPEDA and Law 25.

The bottom line

Canada's approach to website tracking is not the permissive opt-out model most website owners assume. Quebec Law 25 — North America's strictest privacy standard — requires explicit opt-in consent before any tracking technology fires, with fines up to CAD $25 million, a private right of action starting at CAD $1,000 per person, and territorial reach that applies to any website whose Quebec visitors can be tracked. Approximately 24% of Canadian web traffic originates from Quebec. Any website with meaningful Canadian traffic has Quebec visitors and is in scope. The compliance configuration that satisfies Law 25 — prior opt-in technically enforced, granular categories, timestamped logs, equal reject prominence, French language option — is identical to what GDPR requires for EU visitors and what a well-configured CMP delivers for CIPA in California. The same ConsentPixel implementation that already handles your GDPR and CIPA compliance extends to Canadian visitors automatically. One pixel, one configuration, every jurisdiction covered. This is informational, not legal advice; consult qualified counsel for specific situations.

See what fires before consent on your site for Canadian visitors

ConsentPixel — Privacy · Verified scans any website and shows exactly which tracking technologies fire before consent — the same check the CAI and plaintiff attorneys run. Free, no card required.

Scan my site free

Frequently asked questions

Does Quebec Law 25 apply to my website if I'm not based in Canada?

Yes. Law 25's territorial scope is based on where the visitor is located, not where the organisation is based. If Quebec residents visit your website and you deploy tracking technologies on them, Law 25 applies — regardless of whether your business is in the US, UK, Europe, or anywhere else. This is identical to how GDPR applies to non-EU businesses serving EU visitors. Not legal advice.

What's the difference between PIPEDA and Quebec Law 25 for cookies?

PIPEDA is Canada's federal baseline and allows implied consent in some low-risk tracking scenarios — meaning a disclosure-plus-opt-out approach may be sufficient for non-sensitive analytics under PIPEDA alone. Quebec Law 25 is stricter: it requires explicit opt-in consent before any tracking technology fires, with no implied consent pathway. Because Law 25 applies to Quebec residents based on their location, and approximately 24% of Canadian web traffic is from Quebec, the practical choice for any website with Canadian traffic is to apply Law 25's opt-in standard to all Canadian visitors. Not legal advice.

Does my consent banner need to be in French for Canadian visitors?

For Quebec visitors specifically, yes. Quebec Law 25 requires that privacy notices, consent banners, and data disclosures be provided in French — not only in English. This is a Law 25-specific requirement that GDPR and CIPA do not impose. An English-only banner does not fully satisfy Law 25's transparency requirements for Quebec residents. A CMP that supports geo-based language detection can automatically display French for Quebec and Canadian visitors. Not legal advice.

Does Google Analytics need consent for Canadian visitors?

Yes — for Quebec visitors under Law 25, and arguably for all Canadian visitors under CASL's position that tracking scripts constitute software installations requiring express consent. Google Analytics is not strictly necessary for website operation and transmits visitor data to Google's US servers. Under Law 25's explicit opt-in standard, GA4 must be blocked until consent is obtained. Not legal advice.

Can I use the same CMP configuration for GDPR, CIPA, and Canadian compliance?

Yes. Quebec Law 25's explicit opt-in standard is the most demanding of the three — and satisfying it automatically satisfies GDPR's prior consent requirement and CIPA's prior consent requirement. A CMP configured to block all tracking before consent, present Accept and Reject with equal prominence, log every consent choice with a timestamp, and support withdrawal through a persistent preference centre meets the requirements of all three simultaneously. ConsentPixel's pixel detects visitor jurisdiction automatically and applies the appropriate banner — Canadian visitors get the Law 25-compliant opt-in flow without any additional configuration on your part.

ConsentPixel — Privacy · Verified
We build CIPA, GDPR, and international privacy-first consent enforcement for websites. This article is informational and not legal advice. Canadian privacy law is evolving rapidly — the CPPA, if enacted, will significantly change the PIPEDA baseline. Consult qualified counsel for specific situations.
Scroll to Top