Advertising privacy in Canada is getting more complex: What advertisers need to know

Advertising privacy in Canada is no longer defined by cookies alone. As data-driven advertising expands across devices, platforms, and identifiers, regulators are tightening expectations around consent, data use, and accountability. In response, advertisers are being pushed to rethink not only how they collect consumer data but how they justify, manage, and protect it throughout the advertising cycle. 

‍

We recently hosted a webinar, hosted by our Product Marketing Manager Rebecca Berbel and Julie Ford, Executive Director at the Digital Advertising Alliance of Canada (DAAC), to discuss these recent shifts and how advertisers can adapt.

‍

Continue reading for a full breakdown, or watch the webinar replay here:

‍

‍

Advertising and data privacy in Canada

Data privacy in Canada is governed by both a federal and local provincial laws. In this section, we give a brief overview of what organizations handling Canadian data should know.

‍

Canada federal privacy law: PIPEDA

At a federal level, advertising in Canada is anchored by the Personal Information Protection and Electronic Documents Act (PIPEDA). The law sets the rules for how private sector organizations may collect, use, and disclose personal information for commercial purposes, and is built around ten core privacy principles:

PIPEDA defines personal information as information about an identifiable individual:

‍

• Emails, phone numbers (even if hashed)
• Location information, including GPS data
  Device identifiers such as IP and MAC address
• Click stream data, browser history, bookmarks
• User-generated social network data, such as comments, ratings, likes & dislikes, and customer service interactions
• The combination of disparate bits of information to build a detailed profile

‍

Sensitive personal information is subject to even higher protection standards, and includes precise location data, medical and health information, financial information, biometric and genetic data, political opinions, religious beliefs, and sexual orientation. Organizations should be aware of the type of information they collect, and run advertising campaigns accordingly:

‍

When accessing this type of information, organizations need to weight their privacy risks, and evaluate whether leveraging personal information for marketing purposes and particularly interest-based advertising is advisable. 

When in serious doubt about data sensitivity, I would say err on the side of caution. You want to work with your legal counsel to obtain that opt-in consent, protext that data, document your practices, and make sure that you’re confident in what you’re doing.

- Julie Ford, Executive Director at the DAAC

‍

Against this backdrop, regulators expect consent to be meaningful and for consumers to clearly understand what data is being collected and why, who it is being shared with, and what risks may be involved.

‍

In short, consent must offer a real choice, including a clear “yes” or a “no,” and it must be treated as an ongoing process rather than a one-time event.

Regulatory findings over the years have reinforced these expectations. Cases involving mobile location tracking, children’s data, and targeted advertising without consent have highlighted the consequences of insufficient transparency and control.

‍

Online behavioral advertising under PIPEDA in Canada

Online behavioral advertising (something shortened as OBA) is defined by:

‍

The use of data collected across multiple websites and/or applications in order to predict user preferences and to show ads that are most likely to be of interest to users.

‍

Under PIPEDA, the Office of the Privacy Commissioner of Canada (OPC) issued guidelines in 2011 that are still relevant today, stating that online behavioral advertising can rely on implied consent or opt-out, provided that specific criteria is met:

‍

• Individuals must be made aware in a manner that is clear, understandable, and obvious
• Organizations should be transparent and communicate with users
• Individuals should be informed of the purposes at or before collection, and concerning all the parties concerned
• Opt-out must be immediate and persistent
• Information should be limited to non-sensitive information
• Information should be destroyed as soon as possible or effectively de-identified

‍

The OPC does not have the power to issue order or to impose fines, but it does have the power to issue reports of findings and name-and-shame companies, which it has done extensively in the past (watch the recording to see some examples).

‍

Canadian provincial privacy laws: Alberta, British Columbia and Québec

On top of the federal law in place in Canada, provincial laws add another layer of complexity. 

Alberta and British Columbia each have a provincial Personal Information Protection Act (PIPA) that governs how provincially regulated private-sector organizations collect, use, and disclose personal information, generally based on consent and “reasonable purposes,” with access/correction rights and oversight by the provincial privacy commissioner.

‍

Quebec’s Law 25, on the other hand, features a different approach with more GDPR-style requirements. 

‍

It notably introduced enhanced consent requirements, mandatory privacy impact assessments before data sharing, expanded rights for individuals to access, correct, and delete their data, and strict penalties for non-compliance. The law also embeds privacy by default and opt-in expectations more firmly into advertising practices. 

‍

Visit our website to learn more about Law 25, or check out the video testimonial below to learn how we worked with a major Canadian bank to help with compliance in Quebec:

Tools and industry standards for advertising privacy in Canada

As regulations evolve, customer expectations grow, and the cost of non-compliance rises, organizations must ensure they have the best possible data practices in place while keeping performance and revenue in mind. 

‍

During our webinar, a poll conducted among the attendees confirmed that very few companies (even within the context of an event dedicated to privacy compliance in Canada) consider themselves to be fully prepared to comply with Canadian regulatory requirements:

Thankfully, industry standards and technologies exist to do just that, as highlighted by speaker Julie Ford during the event:

‍

You do not have to do this alone. Privacy compliance is a lot of work.”

- Julie Ford, Executive Director at the DAAC

‍

Example of data privacy standards in Canada: AdChoices

AdChoices, a self-regulatory program for interest-based advertising operated by the DAAC in Canada, is designed to provide transparency and consumer control while helping organizations demonstrate accountability.

‍

Participants in the AdChoices program are granted a license to display the AdChoices icon and can link to its publicly available opt-out tools. They also commit to proactive monitoring by Ad Standards to ensure compliance with the DAAC Principles:

‍

1. Education
2. Transparency
3. Consumer control
4. Data security
5. Limitations around sensitive data
6. Accountability
   
   

For advertisers, participation can help align advertising practices with regulatory requirements, reduce risk, and build trust with consumers. Learn more at youradchoices.ca/ 

‍

Examples of data privacy technologies for compliance in Canada: Didomi

As we’ve seen throughout the article, data privacy is a non-negotiable for leveraging user data and maximizing the impact of marketing campaigns. A Consent Management Platform (CMP) will be the central component of any modern digital stack, to ensure full transparency for end users and regulatory compliance:

‍

The underlying element is the key role that privacy is going to play in being able to address all of your audience. Finding a good solution for consent collection is the first step to ensuring that what you are offering your audiences is appropriate.

- Rebecca Berbel, Product Marketing Manager at Didomi

‍

But collecting consent is only the first step. As browser restrictions and ad blockers reduce the effectiveness of traditional tracking, companies are turning to new approaches to ensure they can run personalized advertising campaigns while remaining compliant. Along with a CMP, tracker monitoring, preference management and  server-side implementations are being used to: 

‍

• Better document user consent
• Improve visibility into data flows
• Strengthen data governance
• Identify unauthorized trackers and vendor mismatches

‍

Didomi helps companies in Canada follow through al these imperatives. To discover our solutions and see whether we could help with your privacy challenges, book a time with one of our experts.
‍

Data privacy best practices in Canada: Cheat sheet

Data privacy compliance in Canada: How to get started

For advertisers operating in Canada, privacy means more than simply avoiding enforcement actions. Trust, transparency, and control have become foundational requirements for digital advertising to function effectively. 

‍

As laws evolve and expectations rise, organizations that treat privacy as a core part of their advertising strategy rather than an afterthought will be better positioned to adapt, maintain audience trust, and sustain long term growth. 

‍

Learn more in our dedicated page on data privacy compliance in Canada, and check out the most important privacy trends for 2026 according to industry experts, including Julie Ford from the DAAC, in our yearly roundup: