Canadian Website Legal Requirements — CASL, PIPEDA and What You Must Include

Canadian website law is among the most comprehensive in the world. Between CASL, PIPEDA, Quebec's Law 25 (Bill 64), Ontario's AODA, and federal consumer protection requirements, a Canadian business website has specific legal obligations that go well beyond a generic privacy policy. Non-compliance carries real consequences — CASL alone allows fines up to $10 million CAD. This guide covers what your website must legally include.

CASL — Canada's Anti-Spam Legislation

CASL (S.C. 2010, c. 23) governs all commercial electronic messages (CEMs) sent to Canadians. It applies to any email newsletter, promotional message, or transactional communication your website triggers.

Express Consent Requirements

CASL requires express consent before sending CEMs. Your website's newsletter signup or contact form must:

• Include an unchecked checkbox (pre-ticked boxes are a CASL violation)
• Display consent language that clearly identifies: (1) what they're consenting to receive, (2) the name of the business sending messages, (3) a statement that consent can be withdrawn
• Example compliant wording: "I agree to receive promotional emails from [Business Name] about [products/services]. I can unsubscribe at any time."
• Retain consent records: timestamp, IP address, form version, and exact checkbox wording at time of consent

CASL also covers implied consent (existing business relationships), but express consent is always the safer foundation for new contacts.

PIPEDA — Personal Information Protection and Electronic Documents Act

PIPEDA governs how private-sector organisations collect, use, and disclose personal information in the course of commercial activities. Your privacy policy under PIPEDA must:

• Identify the purposes for collecting personal information (name, email, phone, IP address)
• Explain how long data is retained
• Describe how individuals can access their own data and request corrections
• Identify a Privacy Officer or designated contact for privacy complaints
• Disclose any third parties data is shared with (Google Analytics, Mailchimp, CRM platforms)
• Explain cross-border data transfers if using US-hosted services

Your privacy policy must be easily accessible — typically linked in the footer on every page.

Quebec Law 25 — Stricter Provincial Requirements

Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25, formerly Bill 64), fully in force as of September 2023, imposes requirements stricter than PIPEDA:

• Privacy Impact Assessments (PIAs): Required before implementing any new technology that collects personal data
• Data minimisation: You may only collect data strictly necessary for the stated purpose
• Consent withdrawal mechanism: Must be as easy as giving consent — a simple unsubscribe link is not sufficient for all data processing activities
• Anonymisation on deletion: When data is no longer needed, it must be anonymised (not just deleted) to remain compliant
• Privacy Officer designation: Must be publicly identified by name and title on your website
• Data breach notification: Commission d'accès à l'information (CAI) must be notified within 72 hours of a breach affecting Quebec residents

If your business has any Quebec customers — even online — Law 25 applies to you.

Cookie Consent Requirements

Canada does not yet have a federal cookie consent law as prescriptive as the EU's GDPR/ePrivacy Directive. However, PIPEDA's principle of consent applies to cookies that collect personal information (analytics cookies with IP tracking, advertising cookies). Best practice for Canadian websites:

• Display a cookie consent banner that allows users to accept or decline non-essential cookies
• Do not load Google Analytics or advertising pixels before consent is obtained
• Document cookie categories (strictly necessary, analytics, marketing) in your cookie policy
• Quebec Law 25 effectively requires opt-in consent for cookies — treat it as the standard

Mandatory Contact Information Display

Canadian consumer protection legislation and industry standards require businesses to display:

• Legal business name (or operating trade name with the legal entity identified)
• Physical business address (PO boxes are insufficient for most regulated industries)
• Phone number or email address for customer inquiries
• GST/HST registration number if you charge tax (required on invoices; recommended on pricing pages)
• Provincial business registration number for certain industries (real estate, mortgage, insurance)

AODA Accessibility for Ontario Businesses

Ontario's Accessibility for Ontarians with Disabilities Act (AODA) requires private-sector businesses with 50+ employees to meet WCAG 2.0 Level AA web accessibility standards. Smaller businesses are encouraged (and in some sectors required) to comply as well. Key requirements:

• Alt text on all images
• Keyboard-navigable interface
• Sufficient colour contrast (minimum 4.5:1 ratio for normal text)
• Form labels associated with inputs
• Captions on video content

A custom-coded React site can be built AODA-compliant from the ground up. Template-based sites frequently fail accessibility audits due to generated markup that violates semantic HTML requirements.