PIPEDA, Personal Information Protection and Electronic Documents Act
The federal privacy law that governs how private-sector organizations collect, use, and disclose personal information in commercial activities. PIPEDA applies across Canada except where a province has its own substantially similar law (Quebec, Alberta, BC). Key marketing implications: meaningful consent, purpose limitation, and breach notification.
Law 25 (Quebec)
Formerly Bill 64, this is now the strictest privacy regime in North America. It requires explicit (not implied) consent for most data processing, a mandatory privacy officer, privacy impact assessments, and significant penalties. If you have a single Quebec customer, Law 25 applies to that customer's data.
CASL, Canada's Anti-Spam Legislation
Canada's anti-spam law, broader than US CAN-SPAM. CASL covers email, SMS, social DMs, and software installation. Requires express or implied consent before sending commercial electronic messages, plus clear identification and unsubscribe. Fines up to $10 million per violation for businesses.
CPPA, Consumer Privacy Protection Act
Proposed federal update to PIPEDA, currently working its way through Parliament. It will introduce GDPR-style provisions: right to deletion, data portability, algorithmic transparency, and substantially higher penalties. Watch this carefully: it is expected to pass in 2026 or 2027.
OPC, Office of the Privacy Commissioner of Canada
The federal regulator that oversees PIPEDA. Conducts investigations, issues findings, and increasingly works in concert with provincial commissioners on multi-jurisdiction issues.
CRTC, Canadian Radio-television and Telecommunications Commission
Oversees CASL enforcement (alongside the Competition Bureau and the OPC). The CRTC issues warning letters first, then proceeds to undertakings and monetary penalties for repeat or serious violations.
Express vs implied consent
Express consent is opt-in: the user actively agrees. Implied consent is inferred from a business relationship (e.g., recent purchase, existing inquiry) and is time-limited under CASL (two years for purchase, six months for inquiry). Express is always safer.
PIA, Privacy Impact Assessment
A documented analysis of how a new project, product, or system affects personal information. Required under Law 25 for any project involving personal information of Quebec residents.
Data minimization
The principle of collecting only the personal information you actually need for a stated purpose, and keeping it only as long as necessary. Baked into both PIPEDA and Law 25 enforcement decisions.
Cross-border transfer
Sending Canadian personal data outside Canada (e.g., to US-based CRM or email tools) triggers specific obligations. Under Law 25, you must explicitly disclose the transfer; under PIPEDA, the transferring organization remains responsible for protection.
Breach notification
If a breach creates a real risk of significant harm, notification is mandatory to both the OPC (or provincial commissioner) and affected individuals. The timeline is 'as soon as feasible'; in practice, that means within days.
DNCL, National Do Not Call List
Operated by the CRTC, this is the registry of phone numbers that have opted out of telemarketing. Calls to numbers on the DNCL without an existing business relationship are violations.
Compliance is no longer a back-office concern in Canada. It is increasingly a front-of-funnel asset: consumers actively choose brands they trust with their data. A working knowledge of these terms protects your business and signals competence to your customers.