For most of the 2010s, a marketer running campaigns into Canada could get away with treating PIPEDA as the whole story. That hasn't been true for some time, and in 2026 it's actively dangerous. Quebec's Law 25 is enforced. Alberta and BC have substantially-similar statutes with their own quirks. Ontario is preparing legislation. CASL still governs every commercial electronic message. The marketer's job is to comply with whichever law is strictest for each audience segment.

The federal floor: PIPEDA

The Personal Information Protection and Electronic Documents Act is the federal baseline. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. PIPEDA applies in any province that doesn't have a substantially-similar provincial law — and even where provincial law applies, PIPEDA still governs interprovincial and international personal-data flows.

Quebec Law 25 is the strictest layer

If your campaign reaches Quebec residents, Law 25 applies regardless of where your business is located. Its phased rollout brought consent rules, mandatory privacy impact assessments, breach notification, automated decision-making transparency, and a general right to data portability. Penalties under Law 25 reach 4 percent of worldwide revenue or $25M, whichever is higher. This is not a "nice to have" compliance layer.

Alberta and BC: substantially similar, locally enforced

Both provinces operate their own Personal Information Protection Acts that the federal government has recognized as substantially similar to PIPEDA. The differences are subtle but real: BC's PIPA has narrower employee-data exceptions; Alberta's PIPA has its own breach-notification thresholds. If you employ or solicit residents in either province, your privacy practices should account for both regimes specifically.

Ontario, federal AI rules, and what's coming

Ontario has been preparing private-sector privacy legislation for several years. Federal Bill C-27 attempted to modernize PIPEDA into the Consumer Privacy Protection Act and introduce the Artificial Intelligence and Data Act; it died on the order paper but the policy direction is clear. Marketers should plan for tighter consent requirements, stricter cross-border transfer rules, and AI-specific transparency obligations — even if exact statutory text is still moving.

Infographic of layered Canadian privacy law: PIPEDA federal baseline, Quebec Law 25, Alberta and BC PIPA, plus CASL

The compliance posture that actually works

For national marketers, the only durable strategy is to comply with the strictest applicable law per audience. In practice this means designing programs around Quebec Law 25 plus CASL as the upper bound, then running the same controls in other provinces. It costs more up front than a "PIPEDA only" approach, but it eliminates the rolling exposure you accumulate as each province tightens. Member agencies advising on compliance posture should be explicit with clients about which regime they're meeting and where the gaps remain — see our Honest Representation standard.

Keep reading

Browse the full blog index, jump to our resources, or look up terms in the glossary.