Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/C
Canada


Canada — analytics & cookie compliance reference

Federal PIPEDA + provincial laws (Quebec Law 25, Alberta PIPA, BC PIPA) · OPC issues findings, Federal Court orders remedies and fines · Bill C-27/CPPA died on the Order Paper in January 2025 · bilingual privacy notices (EN/FR) for federal works.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Canada under federal PIPEDA. Provincial regimes (Quebec Law 25, Alberta PIPA, BC PIPA) and CASL marketing rules are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

Federal statutes and regulations

The federal instruments that govern the analytics layer; provincial regimes are noted where they displace PIPEDA.

PIPEDA
Personal Information Protection and Electronic Documents Act
Federal private-sector privacy law for commercial activities + federally-regulated employers (banks, telecoms, airlines, inter-provincial transport). Displaced in Quebec, Alberta, and British Columbia by 'substantially similar' provincial laws for intra-provincial commercial activity.
  • Schedule 1 (Principles 1-10) Ten Fair Information Principles — accountability, identifying purposes, consent, limiting collection/use/disclosure/retention, accuracy, safeguards, openness, individual access, challenging compliance
  • § 6.1 Consent — valid only if individual would reasonably understand the nature, purpose, and consequences of collection/use/disclosure
  • § 10.1 Mandatory Breach Notification — in force 1 Nov 2018; report to OPC + notify affected individuals when 'real risk of significant harm' (RROSH)
  • § 10.3 Breach record-keeping — controllers must maintain records of every breach for 24 months regardless of notification threshold
  • § 28 Offence — knowingly contravening §10.1 (notification) or §27.1 (whistleblower retaliation) — up to CAD $100,000 on indictment
S.C. 2000, c. 5 — fully in force for the commercial sector since 1 Jan 2004; latest substantive amendment: Digital Privacy Act (S.C. 2015, c. 32).
Mandatory Breach Notification
Breach of Security Safeguards Regulations (SOR/2018-64)
Mandatory report to OPC + notification to affected individuals when a breach of security safeguards creates 'real risk of significant harm' (RROSH). Record-keeping obligation for all breaches (24 months) regardless of harm threshold. Knowing failure to report or record = offence up to CAD $100,000.
  • § 2 Report to OPC — written, as soon as feasible, in the prescribed form
  • § 3 Notification to individual — as soon as feasible, conspicuous, in plain language
  • § 6 Records — retain for 24 months from the day organization determined the breach occurred
PIPEDA §10.1 + Regulations effective 1 November 2018
CASL
An Act to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages reliance on electronic means of carrying out commercial activities (Canada's Anti-Spam Legislation)
Express opt-in required for commercial electronic messages (email, SMS, in-app, social DMs) sent to a Canadian recipient or from a Canadian computer. Identification + unsubscribe mechanism mandatory. CRTC enforces — fines up to CAD $10M per violation (organizations) / $1M (individuals). Implied-consent windows: existing business relationship 24 months, conspicuous publication while role-relevant.
  • § 6 CEM rules — express consent + sender identification + unsubscribe link working ≥60 days
  • § 8 Software installation — express consent for installs that change device behaviour
  • § 10 Consent requirements — express vs implied (existing business / non-business relationship 24 months)
  • § 20 Administrative monetary penalties — up to CAD $10M (organization) / $1M (individual) per violation
S.C. 2010, c. 23 — in force 1 July 2014 (CEM provisions); 15 January 2015 (software-installation provisions); private right of action suspended indefinitely (Order in Council 2017-7-7)

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
OPC · Office of the Privacy Commissioner of Canada
Federal commercial-sector PIPEDA enforcement + federal public-sector Privacy Act oversight. Issues findings (well-founded / not well-founded / settled) — no direct power to levy administrative fines under PIPEDA. Federal Court (on commissioner or complainant application under §14) can order remedies and damages.

Coordination body

FPT Privacy Commissioners · Federal-Provincial-Territorial Privacy Commissioners
Annual joint resolutions and joint investigations between OPC and provincial commissioners — non-binding but de facto authoritative. Joint investigations frequently used for cross-jurisdiction matters (Facebook 2019 with BC; Tim Hortons 2022 with QC + AB + BC).
  • 2018-12 · Online consent guidelines — OPC 'Guidelines for obtaining meaningful consent' — mandatory layered notice + just-in-time disclosure for non-obvious uses; effective 1 Jan 2019.
  • 2022-06 · Tim Hortons app — joint findings — Joint OPC + CAI + OIPC AB + OIPC BC investigation: continuous geolocation tracking via Tim Hortons app violated PIPEDA + provincial laws; consent invalid because users would not reasonably expect tracking when app closed.
  • 2023-01 · Home Depot Canada — OPC finding: Home Depot Canada shared in-store e-receipt email-hashes with Meta for ad-matching without meaningful consent — well-founded; settlement included process changes.
  • 2023-12 · ChatGPT joint investigation — OPC + CAI + OIPC AB + OIPC BC launched joint investigation into OpenAI's compliance with Canadian privacy laws (data scraping, consent for training). Ongoing 2026.

Notable enforcement

Canadian privacy enforcement looks structurally different from EU. The OPC issues 'findings' (well-founded / well-founded and resolved / not well-founded / settled / discontinued) but cannot levy fines directly under PIPEDA. Penalties require either (a) Federal Court application under §14 for damages and orders, or (b) prosecution under §28 for the narrow offences of failing to record/report breaches or retaliating against whistleblowers. The result: high-profile reputational findings (Facebook, Tim Hortons, Home Depot, ChatGPT) without nine-figure fines. CASL is the exception — CRTC has direct administrative-monetary-penalty power up to CAD $10M and uses it (Compu-Finder $1.1M reduced to $200K, Kellogg $60K, nCrowd settlements). Quebec is a separate universe post-Law 25: CAI has GDPR-style fining power up to CAD $25M or 4% turnover, but enforcement is ramping slowly. Bill C-27/CPPA would have given OPC direct AMP power and elevated PIPEDA fines to GDPR levels — its January 2025 death means the federal status quo persists indefinitely.

GA4 status

GA4 is broadly usable in Canada with PIPEDA's consent baseline (meaningful consent + clear notice + opt-out). The OPC takes a pragmatic stance — cookie banners are not legally mandatory at federal level, but layered notice with just-in-time disclosure for non-obvious uses is expected per the 2018 Meaningful Consent Guidelines. Post-DPF transfers to Google US are accountable under PIPEDA Schedule 1 Principle 1; Quebec Law 25 §17 adds a pre-transfer PIA requirement for Quebec residents. No GA4-specific OPC ruling exists as of 2026.

DPA · Stance
OPC · Pragmatic — meaningful consent + accountability for transfer chain; no banner mandate.
CAI (QC) · Strictest — Law 25 §17 requires pre-transfer PIA; explicit consent expected for non-essential cookies.
OIPC AB · Aligned with OPC pragmatic posture; Alberta PIPA mirrors PIPEDA.
OIPC BC · Aligned with OPC; active on joint investigations (Facebook, Tim Hortons).

Cross-border transfers + Schrems II

Canada is a third country recognized as 'adequate' by the European Commission under PIPEDA (Decision 2002/2/EC, last reviewed 2024). For outbound transfers from Canada, PIPEDA imposes the accountability principle (Schedule 1, Principle 1) — controllers remain accountable for personal information transferred to third parties for processing, regardless of jurisdiction. The OPC 2009 Guidelines on Transborder Data Flows require contractual safeguards proportionate to sensitivity. Quebec Law 25 §17 adds a stricter regime — pre-transfer Privacy Impact Assessment required for transfers outside Quebec, with weighted analysis of receiving jurisdiction's privacy framework.

No federal mandatory clauses. OPC accepts vendor-by-vendor contractual provisions provided they bind the recipient to comparable safeguards. Quebec CAI has issued model PIA templates for §17 transfer assessments. Most Canadian controllers use vendor-supplied DPAs (Google, AWS, Microsoft) augmented with Canada-specific addenda.

Key thresholds

Child consent age · 13 years
Article 27 representative · Not required
Marketing consent · Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Status · Rationale
GREEN · Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
GREEN · Self-hosted on your infrastructure. Full data control, configurable IP anonymization. Meets every jurisdiction with cookieless config.
GREEN · EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
GREEN · German-hosted, cookieless, GDPR-aligned by design.
GREEN · EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
GREEN · Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
YELLOW · Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
YELLOW · EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.

Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Status · Rationale
GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.

Tag managers · 1 · 0 green · 1 yellow · 0 red
Status · Rationale
YELLOW · Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.

Session replay · 3 · 0 green · 0 yellow · 3 red
Status · Rationale
RED · Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
RED · Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
RED · Session replay + Microsoft tracking. DPIA + explicit consent required.

Ad pixels · 3 · 0 green · 0 yellow · 3 red
Status · Rationale
RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
RED · Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.

Server-side · 3 · 2 green · 1 yellow · 0 red
Status · Rationale
GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.

Common questions

Is Google Analytics legal in Canada in 2026?
Yes, with meaningful consent under PIPEDA. The OPC has no GA4-specific ruling and takes a pragmatic stance: layered privacy notice + just-in-time disclosure for non-obvious uses (per the 2018 Meaningful Consent Guidelines) + opt-out mechanism. Cookie banners are not legally mandatory at federal level, but meaningful consent for non-obvious processing is. For Quebec residents, Law 25 §17 adds a pre-transfer Privacy Impact Assessment requirement before sending data to Google's US servers.
What happened to Bill C-27 / the CPPA?
Bill C-27 (Digital Charter Implementation Act, including the proposed Consumer Privacy Protection Act and AI and Data Act) died on the Order Paper when Parliament was prorogued on 6 January 2025. Following the 28 April 2025 federal election, the bill was not revived under the new mandate. PIPEDA remains the federal private-sector regime indefinitely. Any future reform would need to be reintroduced as a new bill — there is no published timeline as of May 2026.
How does PIPEDA differ from Quebec Law 25?
PIPEDA is the federal commercial-sector law — consent + 10 Fair Information Principles + mandatory breach notification + accountability for transfers — but no direct OPC fining power. Quebec Law 25 (the modernized Act respecting the protection of personal information in the private sector, formerly Bill 64) is GDPR-style: privacy officer designation, mandatory PIA before transfers outside Quebec (§17), data portability (since Sep 2024), automated-decision transparency, and CAI fining power up to CAD $25M or 4% global turnover. Law 25 displaces PIPEDA for intra-Quebec commercial activity.
Do I need a Privacy Officer under PIPEDA?
Yes — PIPEDA Schedule 1 Principle 1 (Accountability) requires every organization to designate an individual accountable for compliance. There is no employee-count threshold. The role is referred to as 'Privacy Officer' or 'Chief Privacy Officer' and can be filled by an existing employee. Quebec Law 25 §3.1 mandates a designated privacy officer (defaults to the highest-ranking executive if not delegated). Alberta PIPA and BC PIPA have similar designation requirements.
Mandatory breach notification — when must I report?
Under PIPEDA §10.1 (in force since 1 November 2018), report a breach to the OPC + notify affected individuals as soon as feasible whenever there is a 'real risk of significant harm' (RROSH) to an individual. Significant harm includes bodily harm, humiliation, damage to reputation, financial loss, identity theft, fraud, loss of opportunity, and damage to property. Independently of the harm threshold, every breach must be recorded and the records retained for 24 months (§10.3 + Regulations §6). Knowing failure to report or record = offence up to CAD $100,000.
What does CASL require for marketing emails to Canadians?
Express opt-in consent before sending any commercial electronic message (email, SMS, in-app message, social DM) to a Canadian recipient or from a Canadian computer. Each message must identify the sender, include valid contact information, and provide a working unsubscribe mechanism honoured within 10 business days and active for at least 60 days. Implied consent windows: existing business relationship 24 months from last transaction, conspicuous publication while role-relevant. CRTC fines: up to CAD $10M per violation (organization) / $1M (individual). Double opt-in is industry best practice but not strictly required by CASL — express opt-in suffices.
Why doesn't the OPC issue fines like the EU?
PIPEDA structurally does not give the OPC direct administrative-monetary-penalty power. The OPC's tools are: (a) findings (well-founded / not well-founded / settled / discontinued), (b) compliance agreements, (c) referral to the Federal Court under §14 for orders and damages, and (d) prosecution under §28 for the narrow offences of failing to record/report breaches or retaliating against whistleblowers (max CAD $100,000). Bill C-27/CPPA would have introduced AMPs up to CAD $10M / 3% turnover and tribunal penalties up to CAD $25M / 5% turnover — that bill died January 2025. Quebec CAI and CRTC (under CASL) do have direct fining power.
Federal vs provincial — which law applies to me?
If you operate intra-provincially in Quebec → Law 25 (CAI). Intra-provincially in Alberta → AB PIPA (OIPC AB). Intra-provincially in British Columbia → BC PIPA (OIPC BC). Otherwise (Ontario, Manitoba, Saskatchewan, Atlantic provinces, territories) or if you cross provincial borders / are federally regulated → PIPEDA (OPC). Federally-regulated employers (banks, telecoms, airlines, inter-provincial transport, Crown corporations) are always under PIPEDA for employee data. Health-information sectoral laws (Ontario PHIPA, Alberta HIA, etc.) overlay where applicable.
Do I need bilingual (English + French) privacy notices?
Federally-regulated organizations (banks, telecoms, airlines, federal Crown corporations) must provide service in both official languages under the Official Languages Act — including privacy notices. Quebec Law 25 + the Charter of the French Language (as amended by Bill 96) require French-language privacy notices for any organization doing business in Quebec, with French being predominant. Other provinces have no bilingual mandate, but websites targeting Quebec residents fall under Bill 96. Practical rule: if you target Quebec or are federally regulated, deploy EN + FR notices with French at least equally prominent.
How does international data transfer work under PIPEDA?
PIPEDA does not require pre-approval or specific clauses for transfers — it relies on the accountability principle (Schedule 1, Principle 1). The transferring organization remains accountable for the personal information regardless of where it is processed. The OPC's 2009 Guidelines on Transborder Data Flows require contractual safeguards proportionate to sensitivity + transparent notice to individuals that data may be processed abroad and subject to foreign law (e.g. US FISA 702). Quebec Law 25 §17 adds a stricter regime: pre-transfer Privacy Impact Assessment with weighted analysis of receiving jurisdiction's privacy framework, applicable to transfers of Quebec residents' personal information outside Quebec.

// EDITORIAL · NOT LEGAL ADVICE
This page summarises Canada's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.