Running a website in Canada means you have legal obligations most business owners are not fully aware of. If your site collects any personal information - through a contact form, a newsletter signup, an account registration, or an e-commerce checkout - Canadian privacy law applies to you. The good news is that compliance does not require a lawyer for most small businesses. It requires four well-written pages in your website's footer.
Privacy Policy (Required Under PIPEDA)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity to have a Privacy Policy. If your contact form collects a name and email address, PIPEDA applies to you.
Quebec's Law 25 (Bill 64) adds additional requirements for businesses with Quebec customers or data, including mandatory privacy notices, data minimization, and breach reporting obligations that came into full effect in September 2023.
Your Privacy Policy must explain: what personal information you collect, why you collect it, how you use it, who you share it with (including third-party tools like Google Analytics, Mailchimp, or Stripe), how long you retain it, how users can access or correct their information, and how to contact you with privacy concerns.
Do not copy a generic US-focused privacy policy template and call it done. Make sure yours references PIPEDA, is accurate to your actual data practices, and includes your contact information.
Terms and Conditions
Terms and Conditions (also called Terms of Service or Terms of Use) are not legally required in Canada in the same way a Privacy Policy is, but they protect you legally by setting the rules for using your website and, critically, limiting your liability.
Your Terms and Conditions should cover: who may use the site, intellectual property ownership (your content is yours), disclaimer of warranties (you are providing information in good faith but cannot guarantee accuracy), limitation of liability, governing law (specify the Canadian province), and what happens when someone violates your terms.
For e-commerce sites, Terms and Conditions also establish the contract terms for purchases - crucial for handling disputes, chargebacks, and returns.
Cookie Notice
If your website uses cookies for tracking, analytics, or advertising - which it almost certainly does if you run Google Analytics, any social media pixel, or a remarketing tool - you need a Cookie Notice.
In Canada, the requirement flows from PIPEDA's consent principles: users should know what data is being collected and consent to it. While Canada has not enacted cookie consent legislation as prescriptive as the EU's GDPR and ePrivacy Directive, PIPEDA-aligned best practice requires meaningful disclosure.
Your Cookie Notice should explain what cookies your site uses, categorize them (strictly necessary, analytics, marketing), and give users a way to manage their preferences. A cookie consent banner linked to a full Cookie Policy covers this requirement.
Free tools like Cookiebot and CookieYes generate cookie policies and consent banners that can be embedded into WordPress with minimal configuration.
Returns and Refund Policy (Required for E-Commerce)
If you sell products or services online, Canadian consumer protection law - which is provincial but consistent in its core requirements across most provinces - requires that you clearly disclose your return and refund terms before a purchase is made.
In Ontario, the Consumer Protection Act requires specific disclosures for internet agreements. BC, Alberta, Quebec, and other provinces have equivalent legislation. The common thread: customers have the right to know the return and refund conditions before they complete a purchase, and those terms must be easily accessible.
Your Returns Policy should state: whether returns are accepted, the time window (e.g., 30 days from delivery), what condition items must be in, who pays return shipping, how refunds are issued and in what time frame, and any items or services excluded from returns.
Where to Display Legal Pages
All four of these pages belong in your website's footer, linked clearly and consistently. "Privacy Policy," "Terms of Use," "Cookie Policy," and "Returns Policy" (or equivalent labels) should be visible footer links on every page of your site - not buried in a sub-menu or accessible only from a specific page.
Footer placement is the universal standard because it is where users look for this information and where regulators expect to find it.
For generating starting-point documents tailored to Canadian businesses, Termly, iubenda, and Shopify's free policy generator all produce reasonable drafts. Review what is generated against your actual practices and, for anything complex, have a Canadian lawyer review the result. The cost of that review is small compared to the exposure of operating without adequate legal pages.
