Privacy Policy (Canada)

Effective Date: Effective Date

Organization Name ("we," "us," or "our") operates the website located at Website URL (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our Site or use our services, in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy legislation in the Province of Province, and the federal laws of Canada. By accessing or using the Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Site.

1. ACCOUNTABILITY.

Organization Name is responsible for personal information under its control. Our designated Privacy Officer is Privacy Officer Name, who can be contacted at Privacy Contact Email or Privacy Contact Phone. The Privacy Officer is accountable for our compliance with PIPEDA and applicable provincial privacy legislation, and is responsible for overseeing our personal information handling practices, responding to inquiries, and investigating complaints.

2. IDENTIFYING PURPOSES AND PERSONAL INFORMATION COLLECTED.

We collect the following types of personal information: Types of Personal Information Collected. We identify the purposes for collection at or before the time of collection. The purposes for which we collect, use, and disclose personal information include: Data Use Purposes. We will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law.

3. CONSENT.

We obtain consent through Consent Method. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent, please contact our Privacy Officer, Privacy Officer Name, at Privacy Contact Email. We will inform you of the implications of withdrawing consent. An individual's consent is meaningful only if they can reasonably understand the nature, purpose, and consequences of the collection, use, or disclosure of their personal information.

4. LIMITING COLLECTION.

We limit the collection of personal information to that which is necessary for the purposes identified. We collect personal information by fair and lawful means and do not collect information indiscriminately. We do not deceive or mislead individuals about the reasons for collecting personal information.

5. LIMITING USE, DISCLOSURE, AND RETENTION.

We retain personal information Data Retention Period. Personal information that is no longer required to fulfill the identified purposes will be securely destroyed, erased, or made anonymous. We do not use or disclose personal information for purposes other than those for which it was collected, except with consent or as required by law. Third-Party Sharing Policy.

6. CROSS-BORDER TRANSFERS.

Cross-Border Transfer Policy. Where personal information is transferred outside of Canada, we use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. You acknowledge that personal information transferred to another jurisdiction may be subject to the laws of that jurisdiction, including lawful requirements to disclose personal information to government authorities. For more information about our cross-border transfer practices, please contact our Privacy Officer.

7. ACCURACY.

We make reasonable efforts to ensure that personal information is as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. We do not routinely update personal information unless such a process is necessary to fulfill the purposes for which the information was collected. You may request correction of your personal information by contacting our Privacy Officer at Privacy Contact Email.

8. SAFEGUARDS.

We protect personal information with security safeguards appropriate to the sensitivity of the information. These safeguards include: (a) physical measures, such as locked filing cabinets and restricted access to offices; (b) organizational measures, such as limiting access on a need-to-know basis and staff training; and (c) technological measures, such as encryption of data in transit and at rest, firewalls, access controls, and regular security assessments. We promptly investigate and respond to any security breaches.

9. BREACH OF SECURITY SAFEGUARDS.

In accordance with PIPEDA's mandatory breach notification requirements (in force since November 1, 2018), if a breach of security safeguards involving personal information under our control creates a real risk of significant harm to an individual, we will: (a) report the breach to the Office of the Privacy Commissioner of Canada; (b) notify the affected individual(s) as soon as feasible; and (c) notify any other organization or government institution if such notification may reduce the risk of harm. We maintain a record of every breach of security safeguards involving personal information under our control, regardless of whether the breach meets the reporting threshold.

10. COOKIES AND TRACKING TECHNOLOGIES.

Our Site uses Cookie Policy. Cookies are small data files stored on your device that help us improve your experience on the Site. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site. We provide clear information about our use of cookies at the time of your first visit to the Site.

11. INDIVIDUAL ACCESS AND YOUR RIGHTS.

Under PIPEDA and applicable provincial privacy legislation, you have the right to: (a) request access to the personal information we hold about you; (b) be informed of the use and disclosure of your personal information; (c) request correction of inaccurate or incomplete information; (d) challenge our compliance with these privacy principles; and (e) withdraw your consent, subject to legal or contractual restrictions. To exercise any of these rights, please submit a written request to our Privacy Officer, Privacy Officer Name, at Privacy Contact Email or by mail to Business Address. We will respond to your request within thirty (30) days, or such longer period as may be permitted by law. If we are unable to provide access, we will provide reasons for the refusal.

12. CHALLENGING COMPLIANCE.

You have the right to challenge our compliance with this Privacy Policy and with PIPEDA. Complaints should be directed to our Privacy Officer, Privacy Officer Name, at Privacy Contact Email. We will investigate all complaints and, if a complaint is found to be justified, we will take appropriate measures to resolve the issue, including amending our policies and practices if necessary. If a complaint is not resolved to your satisfaction, you may file a complaint with the Office of the Privacy Commissioner of Canada at 30 Victoria Street, Gatineau, Quebec K1A 1H3, or by telephone at 1-800-282-1376, or with the applicable provincial privacy commissioner.

13. CHANGES TO THIS PRIVACY POLICY.

We reserve the right to update or modify this Privacy Policy at any time. If we make material changes, we will notify you by updating the "Effective Date" at the top of this policy and, where required by applicable law, by sending you a notice via email at the address associated with your account. Your continued use of the Site following the posting of changes constitutes your acknowledgement of such changes. We encourage you to review this Privacy Policy periodically.

14. GOVERNING LAW.

This Privacy Policy shall be governed by and construed in accordance with the laws of the Province of Province and the federal laws of Canada applicable therein, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial privacy legislation. Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the Province of Province.

15. CONTACT INFORMATION.

If you have any questions about this Privacy Policy, our personal information handling practices, or wish to exercise your privacy rights, please contact us at:

Organization Name

Privacy Officer: Privacy Officer Name

Address: Business Address

Email: Privacy Contact Email

Phone: Privacy Contact Phone

Website: Website URL

AUTHORIZED REPRESENTATIVE.

By signing below, the authorized representative of Organization Name certifies that this Privacy Policy accurately describes the personal information handling practices of the organization as of the Effective Date, in compliance with PIPEDA and applicable provincial privacy legislation.

Organization: Organization Name

Date: Signature Date

Party 1

________________

Signature

Date: ________________

Party 2

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder

What Is a Privacy Policy (Canada)?

A Privacy Policy in Canada tells individuals how an organization collects, uses, discloses, and protects their personal information. It is governed primarily by PIPEDA and provincial privacy legislation.

At the federal level, PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5) governs the collection, use, and disclosure of personal information by private-sector organizations in the course of commercial activity. PIPEDA is built on 10 fair information principles set out in Schedule 1: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Every organization subject to PIPEDA must make its privacy practices available in a clear and understandable format.

Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information), which took effect in phases starting September 2023, imposes stricter requirements than PIPEDA. It mandates privacy impact assessments for any system involving personal information, requires a designated privacy officer, demands explicit consent for cross-border data transfers, and introduces data portability rights. Organizations operating in Quebec must comply with Law 25 regardless of whether they also comply with PIPEDA.

Alberta and British Columbia have their own substantially similar provincial privacy acts — Alberta's PIPA (Personal Information Protection Act, S.A. 2003, c. P-6.5) and BC's PIPA (Personal Information Protection Act, S.B.C. 2003, c. 63) — which replace PIPEDA for intra-provincial commercial activity. Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) adds requirements for electronic communications, requiring express or implied consent before sending commercial electronic messages and mandating an unsubscribe mechanism in every message.

The legal framework governing the Privacy Policy (Canada) in Canada draws on several key statutes and regulatory bodies. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Parties executing a Privacy Policy (Canada) in Canada should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) sets the foundational requirements.

When Do You Need a Privacy Policy (Canada)?

When launching any website, mobile application, or online service that collects personal information from Canadian users — including names, email addresses, IP addresses, cookies, device identifiers, payment information, or location data — a privacy policy is legally required under PIPEDA and applicable provincial legislation before collection begins.

When an e-commerce business sells products or services to Canadian consumers and collects payment card information, shipping addresses, purchase history, or creates customer accounts that store personal preferences and transaction records.

When a SaaS company, cloud service, or technology platform processes user data, stores files, tracks usage analytics, or integrates with third-party services that receive personal information — requiring disclosure of each data processor, the purposes of sharing, and the safeguards in place.

When a business operating in Quebec must comply with Law 25's enhanced requirements, including publishing a privacy policy that discloses cross-border transfer destinations, data retention periods, the right to data portability, and the contact information of the designated privacy officer.

When a business sends commercial electronic messages — marketing emails, promotional texts, or newsletter subscriptions — and must comply with CASL's consent and unsubscribe requirements, which should be referenced in the privacy policy alongside the organization's electronic communication practices.

Without a privacy policy, organizations face enforcement action from the Office of the Privacy Commissioner of Canada (OPC), which can investigate complaints, issue recommendations, and refer matters to the Federal Court for binding orders including damages. Quebec's Commission d'accès à l'information can impose administrative monetary penalties of up to CAD $25 million or 4% of worldwide turnover for Law 25 violations.

Parties in Canada should prepare a Privacy Policy (Canada) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your Privacy Policy (Canada)

Types of Personal Information Collected — A thorough list of the categories of personal information collected: directly provided information (name, email, phone, payment details), automatically collected information (IP address, browser type, cookies, device identifiers), and information from third parties (social media profiles, analytics providers). PIPEDA Principle 4.4 requires that collection be limited to what is necessary for the identified purposes.

Purposes of Collection and Use — A clear statement of why personal information is collected, tied to specific business purposes: processing transactions, providing customer support, sending marketing communications, improving services, complying with legal obligations, or preventing fraud. Each purpose must be identified before or at the time of collection under PIPEDA Principle 4.2.

Consent Mechanisms — Describe how consent is obtained (express opt-in, implied through use, or opt-out for non-sensitive purposes) and how individuals can withdraw consent. Quebec Law 25 requires express consent for any collection beyond what is necessary for the transaction, and explicit consent for cross-border transfers.

Disclosure and Sharing — Identify every category of third party that receives personal information: payment processors, shipping providers, analytics services, advertising networks, cloud hosting providers, and affiliated companies. State the purpose of each disclosure and the safeguards required of each recipient.

Data Retention and Deletion — Specify how long personal information is retained for each purpose, and the process for securely deleting or anonymizing data when it is no longer needed. Quebec Law 25 requires specific retention periods to be disclosed.

Security Safeguards — Describe the administrative, technical, and physical measures used to protect personal information from unauthorized access, disclosure, or loss. PIPEDA Principle 4.7 requires safeguards appropriate to the sensitivity of the information.

Breach Notification — Under PIPEDA's mandatory breach notification provisions (effective November 2018), organizations must notify the Privacy Commissioner and affected individuals when a breach creates a real risk of significant harm. Describe the organization's breach response procedures and notification timelines.

Individual Rights — Outline the rights of individuals: the right to access their personal information, request corrections, withdraw consent, and (under Quebec Law 25) request data portability or de-indexing. Include the process for submitting requests and the expected response timeframe.

CASL Compliance — Address commercial electronic message practices: how consent is obtained, the content of commercial messages (sender identification, unsubscribe mechanism), and how unsubscribe requests are processed within the 10-business-day statutory deadline.

Contact Information — The name and contact details of the organization's privacy officer or designated representative responsible for privacy compliance, as required by PIPEDA Principle 4.1 (Accountability) and Quebec Law 25.

Additional compliance elements for a Privacy Policy (Canada) used in Canada include: Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Forms-legal.com provides this template as a starting point for Canada-compliant documentation.

Sources & Citations

Statutory citations link to official government sources.

  1. R.S.C. 1985, c. C-44 (CA official)
  2. R.S.C. 1985, c. C-34 (CA official)

Based on Canada Business Corporations Act (R.S.C. 1985, c. C-44). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
