Canada's digital legal landscape is shaped by a combination of federal privacy law (PIPEDA), one of the world's strictest anti-spam laws (CASL), and a growing framework of accessibility obligations — particularly in Ontario but expanding nationally. For online businesses operating in Canada or serving Canadian customers, the requirements are more demanding than many operators realise.
Essential legal documents for Canadian websites
Privacy Policy is a legal requirement under PIPEDA (the Personal Information Protection and Electronic Documents Act) for any private-sector organisation that collects, uses, or discloses personal information in the course of commercial activity. Your privacy policy must explain what information you collect, why you collect it, who you share it with, and how individuals can access or correct their information. Quebec's Law 25 (Bill 64), which came into full effect in 2023, imposes additional requirements including a privacy impact assessment for high-risk activities and mandatory breach notification — with the strictest penalties in Canada.
Terms of Service is not mandated by any specific Canadian law but is strongly recommended. Canada's Consumer Protection Act (and its provincial equivalents) governs unfair contract terms, so your terms should be written in plain language and must not contain grossly unfair provisions that would be unenforceable under applicable consumer protection law.
Cookie Notice — PIPEDA's principle of meaningful consent applies to tracking cookies. While Canada does not have a separate ePrivacy regulation like the EU, collecting data via non-essential cookies without informed consent is considered a violation of PIPEDA's consent requirements. In practice, a cookie consent banner that meets GDPR standards will also satisfy PIPEDA requirements for consent.
Unsubscribe Mechanism — under CASL (the Canada Anti-Spam Legislation), every commercial electronic message must include a functioning unsubscribe mechanism that is honoured within 10 business days. This is not optional and applies to all commercial email, SMS, and other electronic messages sent to Canadian recipients regardless of where the sender is located.
CASL: a uniquely strict anti-spam regime
CASL stands apart from US CAN-SPAM law in one critical way: it requires express or implied consent before you send a commercial electronic message, rather than operating on an opt-out basis. You cannot simply add someone to your email list and send them marketing until they unsubscribe. You need a valid consent basis before the first message is sent. Express consent (a clear opt-in, such as a ticked checkbox) is the safest basis. Implied consent applies in limited circumstances (an existing business relationship within a defined timeframe), and it expires. Penalties for CASL violations can reach CAD $1 million per violation for individuals and CAD $10 million for organisations.
Accessibility obligations
Ontario's Accessibility for Ontarians with Disabilities Act (AODA) requires businesses with 50 or more employees to meet WCAG 2.0 Level AA for their websites and web content (with some exceptions). The federal Accessible Canada Act (ACA), which came into force in 2019, applies to federally regulated sectors — banks, airlines, telecoms — and is progressively expanding its requirements. For most private businesses, the immediate obligation is AODA compliance if they operate in Ontario with 50+ employees. Regardless of legal obligation, WCAG 2.1 AA is the recommended standard to build to.