PIPEDA/CPPA Consent Solution

Consent Management Solution for Canada

Become PIPEDA and CPPA compliant with our cookie consent solution for websites, online shops and brands.


We have already helped more than 25,000 websites comply with GDPR, TDDDG & ePrivacy

Our clients include some of the biggest websites and best known brands in the world.

Cookie Consent as part of PIPEDA

Consent to collect personal data in PIPEDA

  • Information about the collection, use and disclosure of personal data must be provided in a complete form. To help understand cookie consent under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), a few elements should be highlighted.
  • The Personal Information Protection and Electronic Documents Act requires that consumers be able to quickly understand the nature and purpose of what they are consenting to through the cookie consent in PIPEDA. For consent to be considered valid and meaningful, organisations must provide information about their privacy policies and practices in a comprehensive and understandable way that is easily accessible to individuals.
  • Unfortunately, the reality is that important information about privacy policies is often buried in terms and conditions. For those who have little time and energy to read privacy information, the information overload is of little practical use. To obtain meaningful consent, organisations need to enable website visitors to quickly and directly review key elements of the privacy policy. This is important, for example, if the use of the service or product offered requires the purchase or download of an application.
  • Consumers and customers expect that, even with cookie consent under PIPEDA, their personal information will not be transferred to another organisation without their knowledge and consent. This aspect must also be taken into account for the cookie consent in PIPEDA Canada. For this reason, disclosure to third parties must be clearly identified. Particular attention should be paid to disclosure to third parties who may use the information for their own purposes rather than merely providing services.
  • For what purposes is personal data collected, used or passed on? Customers and consumers must be informed of all purposes for which information is collected and used. They must be able to understand what they are being asked to consent to. Each purpose should be described in plain language. Vague purposes and phrases such as “service optimization” should be avoided. Data that is essential for the provision of a service should be distinguished from data that is not. All available options should be clearly explained.

Risks of data misuse and data loss

  • Damage & Consequences

    When a company or organisation considers potential loss scenarios that may result from the collection, use or disclosure of personal information, the Personal Information Protection and Electronic Documents Act requires that this risk be responsibly minimised. In some cases, proactive mitigation efforts can significantly reduce risk. In other cases, however, the risk remains almost unchanged.

  • The consumer must always be informed about significant residual risks with significant losses. For the purposes of the Personal Information Protection and Electronic Documents Act, a significant risk is one whose probability of occurrence is more than minimal. Significant risk includes physical harm, humiliation, damage to reputation, loss of job, business or career opportunity, and financial loss.

  • Identity theft and negative effects on credit scores are also among these risks. The risk of damage is broad. In addition to direct damage, it is appropriate to include foreseeable damage that may be caused by malicious actors or other parties.

  • Provide clear ways for individuals to opt in or opt out.

  • Consumers must be given a choice before using a product or service. This choice should be clearly explained and easily accessible. Whether each choice is best described as “opt-in” or “opt-out” depends on the factors specified for cookie consent in PIPEDA.

  • Be innovative and creative

    Organizations should design and/or implement innovative consent processes for cookie consent in PIPEDA that can be implemented just-in-time, are context-specific and fit the type of interface used.

Recommended by lawyers and data protection officers

Cookie consent in PIPEDA

Privacy Policy Changes

Informed consent in the form of modified cookie consent under PIPEDA is an ongoing process that will evolve as circumstances change; organisations should not rely on consent given at a single static point in time, but should treat consent as a dynamic and interactive process.

  • Under the GDPR for Canada, if an organisation intends to make material changes to its data protection rules and regulations, it must notify users and obtain their consent before the changes take effect. Substantive changes include the use of personal information for a purpose other than that originally agreed, or the disclosure of personal information to a third party for a purpose other than that necessary to provide the service.
  • Privacy reminders

    Organisations should consider periodically reminding individuals of their privacy choices under PIPEDA for Canada and asking them to review them. Finally, as a best practice, organisations should regularly review their information management policies to ensure that personal data continues to be processed as agreed with the individual.

  • Demonstrate compliance

    Upon request, organisations should be able to demonstrate compliance and, in particular, the clear and unambiguous nature of the consent process they implement from the general perspective of their target audience(s) to ensure valid and meaningful consent.

  • In order to obtain explicit consent and meet their obligations under the Canadian Privacy Act, organisations should be able to:
    • Provide privacy information in a complete form and highlight or draw attention to four key elements:
      • What personal data is collected?
      • Who is personal data shared with?
      • For what purposes is personal data collected, used or passed on?
      • What are the risks of damage and other consequences?
    • Form of Consent – Cookie Consent in PIPEDA Canada.
    • Obtain express consent to collect, use, or disclose information.

Frequently Asked Questions

Not sure if you need a CMP?

To help you with things like GDPR, CMP and consent, we’ve rounded up the most common questions here.

Private sector privacy legislation requires companies to create and publish easily accessible privacy policies. These policies should explain how personal information about customers is collected, used and shared. This also means that privacy policies should be published online if the company has an online presence.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private sector organizations. It lays down the basic rules for how companies should process personal data in the context of business transactions.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for commercial organizations in Canada. PIPEDA serves to align Canada’s reporting obligations with the country’s trading partners, namely the EU.

Personal Information Protection and Electronic Documents Act

Please note that we cannot provide legal advice. Some points of this FAQ may also change over time or be interpreted differently by courts. That’s why you should always consult your lawyer!