Consenti

PIPEDA / Law 25 Compliance Guide

ℹ️Compliance group: opt-in — same opt-in model as GDPR. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.

Canada has two overlapping privacy frameworks. The federal PIPEDA (Personal Information Protection and Electronic Documents Act) applies to private-sector organisations across Canada. Quebec's stricter Law 25 (Bill 64 / Act 25) — fully in force since September 2023 — is GDPR-aligned and supersedes PIPEDA for Quebec residents. Consenti's regulation: 'pipeda' mode implements the stricter Law 25 baseline, which also satisfies PIPEDA.

ℹ️British Columbia (PIPA BC) and Alberta (PIPA AB) have their own substantially similar provincial laws that Consenti's PIPEDA mode also satisfies. If you primarily serve BC or AB, no additional configuration is required.

Official references

Key requirements

RequirementDetail
Consent modelLaw 25: explicit opt-in for sensitive data; meaningful opt-in for all; PIPEDA: opt-in for sensitive, implied for others
Purpose limitationMust collect only what is necessary for a stated purpose
Privacy noticeLaw 25: must publish a privacy policy and disclose data use before collection
Data minimisationNo excessive collection; consent to each category individually
WithdrawalIndividuals may withdraw consent at any time with reasonable notice
MinorsLaw 25: under-14 requires parental consent
Privacy OfficerMust designate a Privacy Officer (name must be public)
Enforcer (federal)Office of the Privacy Commissioner of Canada (OPC)
Enforcer (Quebec)Commission d'accès à l'information du Québec (CAI)

Law 25 vs. GDPR

GDPRLaw 25 (Quebec)
Opt-in for all non-essentialYesYes (since Sept 2023)
Lawful bases beyond consent6Fewer — consent-first model
Minor threshold16 (States may lower to 13)14
Privacy officer disclosureDPO (mandatory for some)Privacy Officer (always mandatory, name public)
GPC / browser signalsOptionalNot recognised

Enabling PIPEDA / Law 25 mode

Frontend widget

ts
new ConsentiSetup({
  core: {
    regulation: 'pipeda',
  },
})

Profile configuration (dashboard)

json
{
  "regulation": "pipeda",
  "pipeda": {
    "privacyOfficerEmail": "[email protected]",
    "privacyPolicyUrl": "https://yourcompany.ca/privacy"
  }
}

When set, pipeda.privacyOfficerEmail is rendered in the modal notice footer.privacyPolicyUrl is used in the "Learn more" link in the consent banner.

Right to access and erasure

PIPEDA and Law 25 grant individuals the right to access and correct their data. Use:

http
GET  /consenti/api/v1/consent/:visitorId
DELETE /consenti/api/v1/consent/:visitorId