Free Website Privacy Policy Template (Canada) | PIPEDA-Ready
Last reviewed: 27 May 2026 by Alistair Hinchliffe

Which laws apply to your website?

This template gives you a privacy policy that meets PIPEDA, the federal law that applies to almost every Canadian website. Before you publish, check which other laws apply to you, because each one adds specific things your privacy policy needs to say.

  • Operating in Canada only: PIPEDA is the federal baseline, and this template covers it. Alberta’s PIPA and British Columbia’s PIPA closely mirror PIPEDA, so your policy needs little beyond what is already here. If you have Quebec users, add the Law 25 items below.
  • Based outside Canada but with Canadian users: PIPEDA still applies, because it follows the personal information of Canadians collected through commercial activity. Your policy needs the same PIPEDA disclosures this template provides; a US or EU policy on its own will not cover you.
  • Any users in Quebec: Quebec’s Law 25 applies on top of PIPEDA. Add to your policy a French-language version, the name and contact details of your Privacy Officer, a disclosure of any cross-border data transfers, a notice if you use automated decision-making or profiling, and the extra rights Quebec residents have, including data portability and de-indexing.
  • Any users in the EU or UK: GDPR and UK GDPR apply alongside PIPEDA. Add to your policy a lawful basis for each processing purpose, the full set of data subject rights (access, rectification, erasure, restriction, portability, and objection), your Data Protection Officer’s details if you have one, and the security measures you implement when transferring data out of the EU or UK.
  • Any users in California: the CCPA/CPRA applies alongside PIPEDA. Add to your policy a notice at collection, the categories of personal information you collect and whether you sell or share them, a “Do Not Sell or Share My Personal Information” disclosure, how you handle sensitive personal information, and the rights available to California residents.

This template, if implemented properly, should cover your Canadian PIPEDA requirements. If you operate across more than one of the scenarios above, our privacy policy generator builds a single policy that handles all your overlapping jurisdictions from a short questionnaire, and keeps it up to date automatically as these laws change. It also comes with a consent banner generator for Law 25 and GDPR cookie consent.

How to use this website privacy policy template

  1. Replace any [placeholder text] with your specific details.
  2. Ensure that your Privacy Policy accurately reflects your data collection and usage practices and complies with PIPEDA and other data privacy laws that apply to your business.
  3. Regularly review and update your Privacy Policy to stay compliant with evolving regulations.
  4. Seek legal counsel to customize this template to your specific circumstances and ensure full compliance.

Canada Website Privacy Policy Template Sample

Your privacy is important to us. It is [Company name]’s policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, [Website URL], and other sites we own and operate.

Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use a website or online service.

In the event our site contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy information about how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our site.

This policy is effective as of [Date policy is uploaded to your website]

Last updated: [Date last updated]

Information We Collect

Information we collect falls into one of two categories: “voluntarily provided” information and “automatically collected” information.

  1. “Voluntarily provided” information refers to any information you knowingly and actively provide us when using or participating in any of our services and promotions.
  2. “Automatically collected” information refers to any information automatically sent by your devices in the course of accessing our products and services.

Log Data

When you visit our website, our servers may automatically log the standard data provided by your web browser. It may include your device’s Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other details about your visit.

Additionally, if you encounter certain errors while using the site, we may automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error happened, and other technical information relating to the problem. You may or may not receive notice of such errors, even in the moment they occur, that they have occurred, or what the nature of the error is.

Please be aware that while this information may not be personally identifying by itself, it may be possible to combine it with other data to personally identify individual persons.

Device Data

When you visit our website or interact with our services, we may automatically collect data about your device, such as:

  • [Types of device data you collect]

Data we collect can depend on the individual settings of your device and software. We recommend checking the policies of your device manufacturer or software provider to learn what information they make available to us.

Personal Information

We may ask for personal information — for example, when you submit content to us or when you contact us — which may include one or more of the following:

  • [Types of personal information you collect]

Legitimate Reasons for Processing Your Personal Information

We only collect and use your personal information when we have a legitimate reason for doing so. In those instances, we only collect personal information that is reasonably necessary to provide our services to you.

Collection and Use of Information

We may collect personal information from you when you do any of the following on our website:

  • Access our content
  • Contact us via contact forms, email, social media, or on any similar technologies
  • [events when you might collect personal data]

We may collect, hold, use, and disclose information for the following purposes, and personal information will not be further processed in a manner that is incompatible with these purposes:

  • to provide you with our platform’s core features and services
  • to enable you to customise or personalise your experience of our website
  • to contact and communicate with you
  • for analytics, market research, and business development, including to operate and improve our website, associated applications, and associated social media platforms
  • for advertising and marketing
  • [times you use any collected personal data]

We may combine voluntarily provided and automatically collected personal information with general information or research data we receive from other trusted sources. For example, our marketing and market research activities may uncover data and insights, which we may combine with information about how visitors use our site to improve our site and your experience on it.

Security of Your Personal Information

When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use or modification.

Although we will do our best to protect the personal information you provide to us, we advise that no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security.

You are responsible for selecting any password and its overall security strength, ensuring the security of your own information within the bounds of our services. For example, you are responsible for ensuring any passwords associated with accessing your personal information and accounts are secure and confidential.

How Long We Keep Your Personal Information

We keep your personal information only for as long as we need to. This time period may depend on what we are using your information for, in accordance with this privacy policy. For example, if you have provided us with personal information as part of creating an account with us, we may retain this information for the duration your account exists on our system. If your personal information is no longer required for this purpose, we will delete it or make it anonymous by removing all details that identify you.

However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation or for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes.

Disclosure of Personal Information to Third Parties

We may disclose personal information to:

  • third-party service providers for the purpose of enabling them to provide their services
  • our employees, contractors, and/or related entities
  • our existing or potential agents or business partners
  • [third parties you might share data with]

Third parties we currently use include:

  • [Third party tracking software used – e.g. Google Analytics]

International Transfers of Personal Information

The personal information we collect is stored and/or processed in [location your data is stored – e.g. Canada], or where we or our partners, affiliates, and third-party providers maintain facilities.

The countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this privacy policy.

Your Rights and Controlling Your Personal Information

Your choice: By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us; however, if you do not, it may affect your use of our website or the products and/or services offered on or through it.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.

Marketing permission: If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.

Access: You may request details of the personal information that we hold about you.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.

Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information. Unless your personal information is required to provide you with a particular service or offer (for example providing user support), we will not deny you goods or services and/or charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, or provide you with a different level or quality of goods or services.

Downloading of Personal Information: We provide a means for you to download the personal information you have shared through our site. Please contact us for more information.

Notification of data breaches: We will comply with laws applicable to us in respect of any data breach.

Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.

Unsubscribe: To unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details provided in this privacy policy, or opt-out using the opt-out facilities provided in the communication. We may need to request specific information from you to help us confirm your identity.

Business Transfers

If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy, which they will be required to assume as it is the basis for any ownership or use rights we have over such information.

Limits of Our Policy

Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

Changes to This Policy

At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy.

If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.

If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.

Additional Disclosures for Personal Information Protection and Electronic Documents Act (PIPEDA) Compliance (Canada)

Customer Data Rights

Although PIPEDA does not contain an extensive set of consumer rights, it does grant consumers the right to:

  • Access the personal information organizations hold about them;
  • Correct any inaccurate or outdated personal information the organization holds about them (or, if this is not possible, delete the inaccurate personal information);
  • Withdraw consent for any activities for which they have consented (e.g. direct marketing or cookies).

Right to Withdraw Consent

Where you give us consent to collect and use your personal information for a specific purpose, you can, subject to some restrictions, at any time refuse to consent, or continue to consent, to the collection, use or disclosure of your personal information by notifying us using the email address below in the ‘Contact Us’ section. Withdrawal of consent may impact our ability to provide or continue to provide services.

Customers cannot refuse collection, use and disclosure of their personal information if such information is required to:

  • be collected, used or disclosed as required by any law;
  • fulfill the terms of any contractual agreement; and
  • be collected, used or disclosed as required by any regulators, including self-regulatory organizations.

While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

Right of Access under PIPEDA

PIPEDA gives you a general right to access the PII held by businesses subject to this law. Under PIPEDA, you need to make your access request in writing and pay a minimal fee of $30.00.

If any organizational fees seem unjust, you have the right to complain about this. We retain the right to decide how we disclose the copies of your PII to you. We will take all necessary measures to fulfill your request within 30 days of receipt; otherwise, we must inform you of our inability to do so before the end of the 30-day timeframe if:

  • meeting the time limit would unreasonably interfere with our business activities; or
  • the time required to undertake consultations necessary to respond to the request would make it impractical to meet the time limit.

We can also extend the time limit for the length of time required to convert the personal information into an alternative format. In these circumstances, we will advise you of the delay within the first 30 days and explain the reason for it.

Right of rectification under PIPEDA

You may request a correction to any factual errors or omissions within your PII. We would ask you to provide some evidence to back up your claim. Under PIPEDA, an organization must amend the information, as required, if you successfully demonstrate that it’s incomplete or inaccurate.

You may contact us at any time, using the information provided in the Contact Us section of this privacy policy if you believe your PII on our systems is incorrect or incomplete.

If we cannot agree on changing the information, you have the right to have your concerns recorded with the Office of the Privacy Commissioner of Canada.

Compliance with PIPEDA’s Ten Principles of Privacy

This privacy policy complies with PIPEDA’s requirements and ten principles of privacy, which are as follows:

  1. Accountability. [Business name] is responsible for the PII under its control and will designate one or more persons to ensure organizational accountability for compliance with the ten principles of privacy under PIPEDA, whose details are included below. All personnel are accountable for the protection of customers’ personal information.
  2. Identifying purposes. [Business name] identifies the purposes for which personal information is collected at or before the time the information is collected.
  3. Consent. Consent is required for [Business name]’s collection, use or disclosure of personal information, except where required or permitted by PIPEDA or other law. In addition, when customers access a product or service offered by us, consent is deemed to be granted. Express consent may be obtained verbally, in writing or through electronic means. Alternatively, consent may be implied through the actions of customers or continued use of a product or service following [Business name]’s notification of changes.
  4. Limiting collection. Personal information collected will be limited to that which is necessary for the purposes identified by [Business name].
  5. Limiting use, disclosure and retention. We will not use or disclose personal information for purposes other than those for which the information was collected, except with your consent or as required by law. We will retain personal information only for as long as is necessary to fulfill the purposes for collecting such information and compliance with any legal requirements.
  6. Accuracy. Personal information will be maintained by [Business name] in an accurate, complete and up-to-date format as is necessary for the purpose(s) for which the personal information was collected.
  7. Safeguards. We will protect personal information with security safeguards appropriate to the sensitivity of such information.
  8. Openness. We will make our policies and practices relating to the collection and management of personal information readily available upon request, including our brochures or other information that explain our policies, standards, or codes.
  9. Customer access. We will inform customers of the existence, use and disclosure of their personal information and will provide access to their personal information, subject to any legal restrictions. We may require written requests for access to personal information and in most cases, will respond within 30 days of receipt of such requests. Customers may verify the accuracy and completeness of their personal information, and may request the personal information be corrected or updated, if appropriate.
  10. Challenging compliance. Customers are welcome to direct any questions or inquiries concerning our compliance with this privacy policy and PIPEDA requirements using the contact information provided in the Contact Us section of this privacy policy.

Enquiries, Reports and Escalation

To enquire about [Business name]’s privacy policy, or to report violations of user privacy, you may contact us using the details in the Contact Us section of this privacy policy.

If we fail to resolve your concern to your satisfaction, you may also contact the Office of the Privacy Commissioner of Canada:

30 Victoria Street
Gatineau, QC K1A 1H3
Toll Free: 1.800.282.1376
www.priv.gc.ca

Contact Us

For any questions or concerns regarding your privacy, you may contact us using the following details:

[Privacy Officer]

[Privacy Officer’s contact details]

What is a website privacy policy in Canada?

A website privacy policy is the public document that tells your visitors what personal information your site collects, how you use it, who you share it with, and how they can access, correct, or withdraw consent for that information. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) makes a privacy policy a legal requirement for most commercial websites. Provincial laws including Quebec’s Law 25, Alberta’s PIPA, and British Columbia’s PIPA can apply on top of PIPEDA depending on where your users are located.

This template is built around PIPEDA’s ten fair information principles and covers the disclosures the Office of the Privacy Commissioner of Canada expects to see, including lawful purpose, consent, access rights, withdrawal of consent, safeguards, and cross-border data transfers. Replace the placeholder text with your specifics and you have a working draft.

Who needs a website privacy policy in Canada?

You need a website privacy policy if your site collects any personal information from people in Canada. That covers contact forms, email signups, e-commerce checkouts, account registrations, cookies, analytics, and tracking pixels. PIPEDA applies to almost every commercial website with Canadian users, regardless of where the business is based.

PIPEDA is Canada’s federal private-sector privacy law. It applies to organizations that collect, use, or disclose personal information during commercial activity. A US-based SaaS product accepting Canadian sign-ups is covered. A Canadian blog earning revenue through ads is covered. A small online store shipping to Canadian customers is covered.

A handful of provinces have their own private-sector privacy laws that apply in place of PIPEDA for purely intra-provincial activity: Alberta’s PIPA, British Columbia’s PIPA, and Quebec’s Law 25. In practice, most websites still need to satisfy PIPEDA at the federal level, plus Quebec Law 25 on top of PIPEDA whenever Quebec residents are in scope.

If your site collects no personal information at all (no forms, no analytics, no cookies, no accounts), you may sit outside PIPEDA. However, almost no modern website meets that bar.

What must a PIPEDA-compliant privacy policy include?

A PIPEDA-compliant website privacy policy must identify what personal information you collect, why you collect it, how you use it, who you share it with, how long you keep it, how you protect it, and how users can access, correct, or withdraw consent. It must also name a person accountable for privacy at your organization.

These requirements flow from PIPEDA’s ten fair information principles, which the Office of the Privacy Commissioner of Canada uses to assess compliance. In a website privacy policy, they map to specific disclosures:

  • Accountability: name a Privacy Officer or accountable contact and provide their contact details.
  • Identifying purposes: state why you collect each category of personal information, at or before the point of collection.
  • Consent: describe how you obtain consent (express, implied, opt-in, opt-out) and how users can withdraw it.
  • Limiting collection: confirm you collect only what is necessary for the stated purposes.
  • Limiting use, disclosure, and retention: describe retention periods and the third parties you share data with.
  • Accuracy: explain how users can correct inaccurate information.
  • Safeguards: describe the technical and organizational security measures you have in place.
  • Openness: publish the policy in plain language and link to it from any page that collects data.
  • Individual access: explain how users can request a copy of the personal information you hold about them.
  • Challenging compliance: describe how users can complain to you and escalate to the OPC.

The template on this page covers each principle. If you customize it, every principle should still be addressed somewhere in the final document.

How is a Canadian website privacy policy different from a US or EU one?

A Canadian website privacy policy is built around PIPEDA’s consent-based model and ten fair information principles. It sits between the EU’s strict GDPR framework and the US’s sector-specific patchwork. The biggest practical differences: implied consent is acceptable for non-sensitive data, a named Privacy Officer is required, and cross-border data transfer disclosures are mandatory.

If you arrived with a US or EU template and are localizing it for Canada, here is what to change.

Remove from a GDPR template

  • References to “lawful basis” for processing (PIPEDA uses purpose plus consent, not a lawful basis framework).
  • “Data Protection Officer” language (Canada uses the title Privacy Officer).
  • GDPR-specific rights such as data portability and the right to erasure (these are not PIPEDA rights, though Quebec Law 25 adds versions of them).
  • ICO or EU supervisory authority references (replace with the OPC and provincial commissioners).

Remove from a US template

  • “We do not sell personal information” framed around CCPA’s sale definition (use PIPEDA’s disclosure framing instead).
  • “California residents” carve-outs (irrelevant unless you also serve Californians).
  • Arbitration clauses for privacy disputes (PIPEDA complaints go to the OPC, not arbitration).

Add for Canada

  • A named Privacy Officer or accountable person with contact details.
  • PIPEDA’s ten principles, or commitments mirroring them.
  • A cross-border data transfer notice if you store or process data outside Canada.
  • Provincial disclosures where Quebec, Alberta, or British Columbia residents are in scope.

Manually localizing a foreign template is fiddly and easy to get wrong. Our privacy policy generator builds a Canada-ready policy from a short questionnaire and updates it when the law changes.

Does Quebec Law 25 change what my policy needs to say?

Yes. If your website serves users in Quebec, Law 25 adds disclosures that PIPEDA does not require: a publicly named Privacy Officer, a privacy impact assessment for cross-border transfers, automated decision-making notices, mandatory breach notification, and rights to data portability and de-indexing. The policy must also be available in French.

Law 25 (formerly Bill 64) made significant amendments to Quebec’s previous private-sector privacy law in staged rollouts through 2022, 2023, and 2024. It is the strictest private-sector privacy law in Canada and sits closer to the GDPR than to PIPEDA on several points.

Practical additions a Quebec-facing privacy policy needs:

  • Named Privacy Officer: the contact details of the person responsible for privacy compliance must be published on your site. PIPEDA requires the role internally; Law 25 requires the name to be public.
  • Cross-border transfer assessment: if personal information leaves Quebec, you must conduct a privacy impact assessment and disclose the transfer in your policy.
  • Automated decision-making notice: if profiling or automated decisions affect users, you must disclose this and explain how users can request human review.
  • Data portability: users can request their data in a structured, commonly used technological format.
  • Right to de-indexing: users can request you stop disseminating information that causes serious harm to them.
  • A French-language version of the policy: required under Quebec’s Charter of the French Language rather than Law 25 itself.
  • Breach notification: confirmed breaches affecting Quebec residents must be reported to the Commission d’accès à l’information (CAI) and to affected users.

Enforcement under Law 25 has picked up since the final September 2024 rollout. In December 2024 the Commission d’accès à l’information issued its first decision under the reformed framework, ordering an organization to stop using facial recognition for employee access. In September 2025 the CAI joined the federal Privacy Commissioner and the BC and Alberta commissioners in a joint TikTok investigation that produced the first CAI rulings on Law 25’s transparency and consent provisions, with direct implications for how privacy policies must describe profiling, tracking, and targeted advertising. Law 25 is also the only Canadian private-sector privacy law with a private right of action: where a violation is intentional or results from gross fault and causes harm, the court must award at least CAD $1,000 in punitive damages, under section 93.1 of the Private Sector Act, and collective action is available.

If Quebec users are out of scope, you can skip these additions. If they are in scope, Law 25 disclosures sit on top of PIPEDA, not in place of it.

What happens if my Canadian website doesn’t have a privacy policy?

Operating a website that collects personal information from Canadian users without a privacy policy puts you in breach of PIPEDA. Complaints to the Office of the Privacy Commissioner of Canada can trigger investigations, public findings, and orders to comply. Quebec’s Law 25 adds the possibility of significant administrative monetary penalties.

PIPEDA itself has historically had limited direct fining power, but several pathways still create real risk:

  • OPC investigations and public findings: the Privacy Commissioner can investigate complaints, publish findings, and refer matters to the Federal Court, which can order compliance and award damages.
  • Federal Court damages: individuals can pursue compensation after an OPC finding, including for humiliation and loss of trust.
  • Quebec Law 25 penalties: administrative monetary penalties of up to CAD $10 million or 2% of worldwide turnover for serious violations, with penal fines up to CAD $25 million or 4% for the most serious breaches.
  • Federal privacy reform remains stalled: Bill C-27 (the proposed Consumer Privacy Protection Act) died on the Order Paper in January 2025 when Parliament was prorogued, the second attempt at federal privacy reform to fail this way after Bill C-11 in 2021. C-27 would have replaced PIPEDA and given the OPC direct order-making and significant fining authority. A future government is widely expected to reintroduce reform, but the timing is uncertain. PIPEDA’s existing enforcement framework continues to apply.
  • Platform consequences: Google, Apple, Meta, and most ad networks require a published privacy policy as a condition of service. Sites without one risk app store removal, ad account suspension, or analytics service revocation.
  • Customer trust costs: privacy complaints become public when escalated, and modern users increasingly check before they sign up.

In practice, the most common consequences are platform-side (a lost ad account or app store listing) rather than regulatory, but Quebec users now carry meaningfully larger regulatory exposure than the rest of Canada.

Is a privacy policy enough for Canadian website compliance?

No. A privacy policy is the single most visible compliance document, but it is rarely enough on its own. Depending on what your site does and who it serves, you may also need a cookie consent banner, a cookie policy, terms of service, CASL-compliant email practices, and additional documents for Quebec, EU, or UK users.

The other pieces a Canadian website usually needs:

  • A cookie policy and cookie consent banner. PIPEDA, Quebec Law 25, and GDPR all expect website visitors to understand and consent to non-essential cookies and tracking before those scripts run. A privacy policy describes what you do; a cookie policy and consent banner give visitors the control they have a right to. You can do this with GetTerms: Generate a cookie policy or add a cookie banner to your website.
  • Terms of service. Required in practice for any site that sells products, hosts user accounts, runs a marketplace, or provides a service beyond simple content. Limits your liability and sets the rules of engagement with users. Generate terms and conditions with GetTerms.
  • CASL compliance. Canada’s Anti-Spam Legislation governs commercial electronic messages (emails, SMS, push notifications). It requires consent before you send, clear sender identification, and an unsubscribe mechanism in every message. Your privacy policy mentions email use; CASL governs how you actually run email marketing.
  • EULA. Required if you license software, an app, or a downloadable product to users. Use our free EULA template.
  • A data processing agreement (DPA). Needed between you and any third-party processor that handles personal data on your behalf, particularly for EU users under GDPR. Use our free DPA template.
  • Quebec Law 25 add-ons. Covered above. If Quebec users are in scope, the Law 25 disclosures sit on top of everything else.

Most Canadian websites with meaningful traffic need at least three of these: a privacy policy, a cookie policy with a consent banner, and terms of service. Sites that take payments or hold accounts usually need more.

The better way to create a privacy policy

While using a template is a perfectly acceptable way to create a privacy policy, a privacy policy generator will get the job done in a fraction of the time and with less room for human error.

If you like simplicity, give ours a go. After asking you a few quick questions, our generator will create any of the legal documents your business requires.

  • Privacy policy✅
  • Terms and conditions✅
  • EULA✅
  • Cookie policy✅

Trusted by 500k customers. Unlimited policy edits. 100% money-back guarantee.
