API Terms of Use (Canada)

An API Terms of Use in Canada sets the rules and limits on developers’ access to and use of the organisation’s API, governed primarily by common-law contract principles. It defines the service scope, SLA, pricing, data-protection duties, and liability allocation between provider and customer.

The legal enforceability of Canadian API Terms of Use rests on established contract law principles. Under Canadian common law (the law of contract applies in all provinces and territories except Quebec, where the Civil Code of Quebec (CCQ) governs), a binding contract requires an offer, acceptance, and consideration. API Terms of Use presented through a clickwrap mechanism — requiring developers to affirmatively check an 'I agree' checkbox or click an 'Accept' button before receiving an API key — satisfy the acceptance requirement. The Supreme Court of Canada's approach to standard form contracts, articulated in cases including Douez v. Facebook Inc. [2017] 1 SCR 751 and Uber Technologies Inc. v. Heller [2020] 2 SCR 118, emphasizes that standard-form contracts are enforceable but that unusual or onerous clauses must be brought to the attention of the adhering party with reasonable notice — a principle that informs how API Terms of Use should highlight key limitations and obligations.

The API itself, including its software, algorithms, architecture, endpoints, and documentation, is protected as a copyrighted work under the Copyright Act (R.S.C., 1985, c. C-42). Under Copyright Act section 3(1), the copyright owner has the exclusive right to reproduce the work, authorize its use, and create derivative works. An API licence grants the developer the right to use the API's interface without infringing this copyright, within the constraints specified in the Terms of Use. The Supreme Court of Canada's framework for software copyright under Théberge v. Galerie d'Art du Petit Champlain Inc. [2002] 2 SCR 336 and the Federal Court's approach to software as a literary work establish the Canadian copyright baseline for API protection.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) applies to API providers that collect, use, or disclose personal information through their APIs. Under PIPEDA's accountability principle (Schedule 1, Clause 4.1), an organization is responsible for personal information in its possession or custody, including information transferred to third parties (such as API developers) for processing — the API Terms of Use must impose on developers data protection obligations equivalent to PIPEDA's requirements. Quebec's Act respecting the protection of personal information in the private sector (RLRQ, c. P-39.1), as amended by Law 25, imposes additional requirements including mandatory privacy impact assessments (PIAs) for new technologies processing personal information and stronger consent requirements.

The Canada Anti-Spam Legislation (CASL, S.C. 2010, c. 23) may apply to API providers whose APIs enable developers to send commercial electronic messages (CEMs) to Canadian recipients. The API Terms of Use should prohibit developers from using the API to send unsolicited CEMs or to install computer programs without consent, consistent with CASL Sections 6 and 8. CASL violations carry administrative monetary penalties enforced by the Canadian Radio-television and Telecommunications Commission (CRTC). The Competition Act (R.S.C. 1985, c. C-34), enforced by the Competition Bureau of Canada, prohibits deceptive marketing practices and misleading representations in developer-facing API documentation. The Office of the Privacy Commissioner of Canada (OPC) investigates complaints under PIPEDA and publishes guidance on privacy obligations for API operators. For APIs serving Quebec users, the Commission d'accès à l'information du Québec oversees compliance with Quebec's Act respecting the protection of personal information in the private sector. The Canadian Internet Registration Authority (CIRA) and Innovation, Science and Economic Development Canada (ISED) set broader Canadian digital economy standards relevant to API operations.

Canadian API Terms of Use in Canada are needed whenever a Canadian organization makes an API available to external developers — whether publicly accessible, available to registered developers, or shared with specific business partners — to protect the organization's intellectual property, manage legal liability, and comply with Canadian privacy law.

Public API programs require thorough Terms of Use addressing permitted uses, abuse prevention, rate limiting, and terms of service violations. Canadian organizations including Shopify Inc., Hootsuite Inc., Miovision Technologies, Verafin Inc., and D2L Corporation maintain public APIs governed by Terms of Use. The Treasury Board Secretariat publishes the Government of Canada API Standards applying to federal government APIs. The Digital Governance Council Canada and the Information Technology Association of Canada (ITAC) publish industry guidance on API governance that private-sector organizations should reference.

Privacy compliance under the Personal Information Protection Electronic Documents Act (PIPEDA) requires API Terms of Use to impose data protection obligations on developers equivalent to those of the Canadian API provider. The Office of the Privacy Commissioner of Canada publishes guidance on cloud computing and API privacy that informs Terms of Use drafting. Innovation Science and Economic Development Canada (ISED) oversees digital economy policy including open banking API standards through the Advisory Committee on Open Banking.

Software licence compliance under the Copyright Act (R.S.C., 1985, c. C-42) requires API Terms of Use to clearly state whether the API software is licensed under proprietary terms or under open-source licences such as the Apache Software Licence 2.0. Section 27 of the Copyright Act addresses infringement, and Section 34 gives courts authority to award statutory damages for copyright violations. The Federal Court of Canada and provincial Superior Courts of Justice have concurrent jurisdiction over intellectual property disputes arising from API licence violations.

Business-to-business API integrations, where a Canadian company grants a specific business partner access to its internal systems through an API (for data exchange, process automation, or system integration), require Terms of Use — or more typically, an API Access Agreement or Data Sharing Agreement — that address the specific permitted data exchanges, security obligations, and integration architecture.

Financial services APIs governed by the federal Office of the Superintendent of Financial Institutions (OSFI) and the Financial Consumer Agency of Canada (FCAC) require Terms of Use that address financial data protection, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) compliance obligations, and the FCAC's open banking framework requirements. Canadian chartered banks developing open banking APIs must comply with the Advisory Committee on Open Banking's technical and legal standards.

Healthcare APIs that transmit or provide access to personal health information must comply with both PIPEDA (or provincial health privacy legislation) and any applicable provincial health information legislation — such as Ontario's Personal Health Information Protection Act (PHIPA, S.O. 2004, c. 3, Sched. A), BC's E-Health (Personal Health Information Access and Protection of Privacy) Act (S.B.C. 2008, c. 38), and Alberta's Health Information Act (R.S.A. 2000, c. H-5). The API Terms of Use must impose on developers the obligations of a health information custodian's agent under these statutes.

Developer ecosystem programs, where a technology company creates a marketplace for third-party applications built on its API (similar to Shopify's App Store or Salesforce AppExchange), require API Terms of Use that address marketplace listing standards, revenue sharing arrangements, app review requirements, and the provider's right to remove non-compliant applications.

A complete Canadian API Terms of Use must contain specific provisions to protect the API provider's intellectual property, comply with Canadian privacy law, limit liability, and give developers clear guidance on permitted and prohibited uses. Key statutory references include: Section 3 of the Copyright Act (R.S.C., 1985, c. C-42) for the rights granted; Section 10.1 of the Personal Information Protection Electronic Documents Act (PIPEDA) for mandatory breach reporting to the Office of the Privacy Commissioner; Section 6 of the Canada Anti-Spam Legislation (S.C. 2010, c. 23) for electronic message consent; Section 36 of the Telecommunications Act (S.C. 1993, c. 38) for network neutrality considerations; Section 74 of the Competition Act (R.S.C. 1985, c. C-34) for deceptive trade practices; and Section 27 of the Copyright Act for infringement liability. The Federal Court of Canada has jurisdiction over copyright and PIPEDA matters under Section 18 of the Federal Courts Act (R.S.C. 1985, c. F-7). Provincial Superior Courts adjudicate contract disputes.

Access grant and licence defines the scope of the developer's right to access and use the API: a limited, non-exclusive, non-transferable, revocable licence to access and use the API solely for permitted purposes during the term. The licence should specify whether it is free or paid, any applicable developer tier (free, basic, professional, enterprise), and whether sub-licensing is permitted. The grant must be carefully scoped to avoid inadvertently licensing the underlying software or data beyond the API interface.

Permitted uses enumerate the specific purposes for which the API may be used: developing a compliant application, retrieving data for display in the developer's application, testing and quality assurance, and any other explicitly approved uses. The permitted use section should reference any use policies posted on the API documentation portal and confirm that uses not expressly permitted are prohibited.

Prohibited uses are the most protective provisions of the Terms of Use. Absolute prohibitions should include: using the API to collect or harvest personal information without complying with PIPEDA and applicable provincial privacy law; using the API to send spam or commercial electronic messages contrary to CASL; reverse engineering or decompiling the API in violation of Copyright Act section 27.1; using the API to access or scrape data beyond the authorized access credentials; using the API for any unlawful purpose; and using the API to build products that compete directly with the API provider's core offerings (if this restriction is desired).

Rate limits and technical requirements specify the maximum number of API calls permitted per second, minute, hour, or day; the authentication method required (OAuth 2.0, API key, JWT); the supported API versions and their deprecation schedule; the response format (JSON, XML, etc.); and the provider's service level commitments (uptime SLA, maintenance windows). Rate limit enforcement protections — the provider's right to throttle or suspend access for excessive usage — should be clearly stated.

Intellectual property ownership confirms that all rights in the API, its software, documentation, and data (except developer-owned input data) remain with the provider. Under the Copyright Act (R.S.C., 1985, c. C-42), the provider retains copyright in the API as a software work. Developer-built applications using the API are owned by the developer, but the Terms of Use should specify any licence the developer grants back to the provider (e.g., to display the developer's application name and logo in a developer showcase).

Privacy and data obligations under PIPEDA and provincial legislation require developers to: maintain a privacy policy that discloses the personal information they collect through API-built applications; obtain valid consent for the collection of personal information; implement security safeguards appropriate to the sensitivity of the data; report data breaches to the provider within a specified period (to enable the provider to comply with PIPEDA section 10.1 breach reporting obligations to the OPC); and delete personal information upon termination of API access.

Limitation of liability under Canadian law should limit the provider's aggregate liability to the greater of fees paid in the preceding 12 months or a nominal amount (e.g., CAD $100), exclude consequential, indirect, special, and incidental damages, and include appropriate disclaimers of implied warranties. Canadian courts generally enforce limitation of liability clauses in commercial agreements between sophisticated parties, subject to the reasonable notice requirement for unusual or onerous terms.

Termination provisions specify: the provider's right to terminate access for cause (breach of Terms of Use, non-payment, abuse) or without cause on notice (typically 30 days); the developer's right to terminate by ceasing to use the API; and the obligations that survive termination (IP obligations, confidentiality, limitation of liability, data deletion requirements).

Governing law should specify the province of the API provider (typically Ontario or British Columbia for most Canadian technology companies) and dispute resolution mechanism. For Terms of Use with international developers, a submission to jurisdiction clause confirming Canadian courts' jurisdiction over disputes is advisable.

Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. The forms-legal.com API Terms of Use (Canada) template covers the mandatory elements under Common law of contract.