Canadian privacy law in 2026 is a patchwork of overlapping rules: PIPEDA federally, Quebec's Law 25 (significantly stricter), Alberta's PIPA, BC's PIPA, and the still-in-progress federal Bill C-27 / CPPA replacement for PIPEDA.
For most Canadian small business websites, you can satisfy 90% of practical compliance with about 4 hours of work. Here's the 2026 guide.
Who is covered by which law in 2026
- PIPEDA (federal): applies to businesses that collect personal information in the course of commercial activity, except where Quebec, Alberta, or BC consumers are covered by the provincial equivalents; in practice it still applies to federally regulated activity and to inter-provincial data flows
- Quebec Law 25: applies to any business handling Quebec residents' personal information. Significantly stricter than PIPEDA. Penalties up to 4% of global revenue or $25M
- Alberta PIPA / BC PIPA: provincial private-sector laws roughly parallel to PIPEDA
- Bill C-27 / CPPA: the eventual PIPEDA replacement. As of early 2026 still in legislative process; may pass 2026–2027
What every Canadian small business website needs in 2026
- Privacy Policy page, accessible from every page (typically footer link)
- Cookie consent banner, required for non-essential cookies, especially for Quebec residents
- Clear data collection disclosure on every form that collects personal info
- Lawful basis for collecting each piece of data (PIPEDA-style: consent + legitimate purpose)
- Designated Privacy Officer named in your privacy policy with contact details
- Process for handling access and deletion requests within 30 days
- Data breach notification process to OPC and affected individuals
- Cross-border transfer disclosure if data is stored outside Canada (Quebec Law 25 specifically requires this)
- Retention policy: how long you keep data and how you delete it
- Children's data special handling (under 14 in Quebec, under 13 federally)
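The cookie consent item above is the one checklist entry that is implemented in code rather than in a document. The following is an added example, not code from the original post or from Elevate Web Design, of a consent gate that keeps non-essential scripts unloaded until the visitor has given express, per-category opt-in, and that treats a missing, malformed, or outdated consent record as "no consent". The storage key, policy version string, category names, and script URLs are assumptions; the storage shim exists so the logic runs outside a browser.

```javascript
// Added example (not from the original post): express, per-category consent gating
// for non-essential scripts. Storage- and DOM-agnostic so it can run in a browser
// (pass window.localStorage) or be unit-tested in Node (pass memoryStorage()).
// Storage key, policy version and category names are assumptions.

const CONSENT_KEY = "privacy_consent_v1";   // assumed storage key
const POLICY_VERSION = "2026-01";             // bump when the policy changes; older consent is discarded
const ESSENTIAL = new Set(["essential"]);     // strictly necessary: never needs consent
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Build a consent record. Only categories explicitly set to true count as
// consented (express opt-in); anything absent or falsy is recorded as refused.
function buildConsentRecord(choices, now = Date.now()) {
  const granted = {};
  for (const cat of OPTIONAL_CATEGORIES) {
    granted[cat] = choices[cat] === true;
  }
  return { version: POLICY_VERSION, grantedAt: now, granted };
}

// Read a stored record; missing, unparsable, or out-of-date records mean "no consent".
function loadConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION || typeof rec.granted !== "object") return null;
    return rec;
  } catch {
    return null;
  }
}

function saveConsent(storage, record) {
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
}

// Essential scripts always load; everything else requires a recorded true.
function isAllowed(record, category) {
  if (ESSENTIAL.has(category)) return true;
  return Boolean(record && record.granted && record.granted[category] === true);
}

// Decide which tagged scripts may load. `scripts` is a list of { src, category }
// (on a real page you would read these from inert <script> tags carrying a data-category
// attribute and only then create the real script element). Returns the sources loaded.
function gateScripts(record, scripts, load) {
  const loaded = [];
  for (const s of scripts) {
    if (isAllowed(record, s.category)) {
      load(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}

// In-memory stand-in for the subset of the Web Storage API used above.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Walkthrough on constructed data: first visit loads only the essential script;
// after express opt-in to analytics only, analytics loads and marketing stays blocked.
function demo() {
  const storage = memoryStorage();
  const scripts = [
    { src: "/js/app.js", category: "essential" },                 // constructed
    { src: "https://analytics.example/tag.js", category: "analytics" }, // constructed
    { src: "https://ads.example/pixel.js", category: "marketing" },     // constructed
  ];
  const before = gateScripts(loadConsent(storage), scripts, () => {});
  saveConsent(storage, buildConsentRecord({ analytics: true }));
  const after = gateScripts(loadConsent(storage), scripts, () => {});
  return { before, after };
}
```

The version check is the part most banners get wrong: when the privacy policy or the set of third parties changes, consent collected under the old text should not carry over, so the stored record is invalidated and the banner is shown again.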
Quebec Law 25, what makes it different
If your Canadian business has any meaningful Quebec customer base, Law 25 is the compliance floor, not PIPEDA. It's much stricter and has actually been enforced since 2023.
- Mandatory Privacy Officer designation (cannot be an outside vendor in most cases)
- Privacy Impact Assessments required for new projects involving personal data
- Express consent required for collection, use, and disclosure of personal data
- Right to data portability: Quebec residents can request their data in a structured format
- Right to deindexation: Quebec residents can request removal from search engines
- Cross-border data transfer assessments required and disclosed
- Mandatory breach notification to Quebec Commission and affected individuals
- Penalties up to 4% of worldwide revenue or $25M (whichever is higher)
What a real Canadian small business privacy policy needs
- Identity and contact details of your business (legal name, address, phone, email)
- Name and contact for your designated Privacy Officer
- Categories of personal data you collect (names, emails, phone, IP, browsing data, payment info, etc.)
- Purposes for collection (customer service, marketing, fulfillment, analytics, etc.)
- Sharing disclosures (third-party processors: Stripe, MailChimp, Google Analytics, etc.)
- Cross-border transfer disclosure (where data is stored, what country)
- Retention period for each category of data
- Security measures in place to protect data
- Individual rights: access, correction, deletion, withdrawal of consent
- How to make a privacy complaint to your business and to the OPC
- Effective date and last revised date
Practical privacy policy templates for Canadian SMB
Skip the generic "this is for informational purposes only" US privacy policy templates that flood Google. They reference CCPA, GDPR, and US state laws that don't apply to your Canadian business and miss PIPEDA and Quebec Law 25 specifics.
- Termly's Canada-specific generator: free tier acceptable for very small businesses
- iubenda Canadian template ($27+/yr): solid mid-tier
- Privacy lawyer-drafted policy ($800–$3,500 one-time): for businesses doing meaningful regulated data work
- Adapt the Office of the Privacy Commissioner's sample policy: free, requires customization
We include a Canada-specific privacy policy + cookie consent setup with every new website build. Want a free privacy audit of your current setup?
What's coming with Bill C-27 / CPPA
When the Consumer Privacy Protection Act (CPPA) eventually passes (likely 2026–2027 based on the current legislative pace), it will replace PIPEDA with a meaningfully stricter regime, closer to Quebec Law 25 and EU GDPR than to current PIPEDA. Building to Quebec Law 25 standards today means you're already mostly compliant when CPPA arrives.
Major CPPA changes to plan for: stronger consent rules (limited implied consent), data portability rights, automated decision-making transparency, mandatory breach reporting, expanded penalties up to 5% of global revenue or $25M.
Privacy compliance for Canadian small business websites in 2026 is more involved than "copy a privacy policy template" but much smaller than the panic-pitches suggest. Get a real Canadian-specific privacy policy, deploy a cookie consent banner, designate a Privacy Officer, and have a documented process for access and deletion requests. If you serve Quebec, build to Law 25 standards. Future-proof your compliance for CPPA by building stricter than the current PIPEDA minimum today.
Want a Canadian-specific privacy and cookie audit on your current site?
Jacob
Founder of Elevate Web Design. Building fast, conversion-focused websites for small businesses across Canada and the US since 2018.