
Reading: Privacy Laws

What does privacy mean in today’s world?

Privacy is the ability of an individual or group to seclude themselves—or information about themselves—and thereby express themselves selectively. Most of us expect some level of privacy, but the boundaries depend on the individual and the situation.

As our culture has come to rely heavily on digital communication—for everything from social networking to education to conducting business—privacy questions have grown more complex. Marketers have been quick to use digital tools to reach target buyers. Sometimes aggressive tactics trigger public backlash and, in turn, new laws and enforcement priorities.

TELEMARKETING — National DNCL

Intrusive telemarketing led to the creation of Canada’s National Do Not Call List (DNCL) in 2008, administered and enforced by the CRTC. Individuals can register numbers to reduce unwanted marketing calls; certain organizations are exempt (e.g., political parties, registered charities), and there are specific rules for market research and existing business relationships.
Learn more: CRTC overview of DNCL rules and exemptions. [1] [2]


10-year anniversary for the Do Not Call (DNCL) list from 2008/9

The DNCL regime is designed to reduce privacy intrusions in the home and on mobile devices. It significantly altered the economics of telemarketing in Canada by imposing clear registration, identification, and calling-hour rules and by enabling monetary penalties for violations. [3]

PRIVACY — Overview

Below is an overview of key Canadian privacy laws and standards that impact marketers. While many data-driven tactics are legal, “nuisance” practices and opaque data collection erode trust and often attract enforcement—or push legislators to tighten rules.

Email Spam — CASL

Canada’s Anti-Spam Legislation (CASL) applies to all commercial electronic messages (CEMs)—not just bulk email. If a message promotes a product or service, CASL generally requires: (1) valid consent (express or allowed forms of implied), (2) sender identification, and (3) a working unsubscribe mechanism in each message (processed without delay, and no later than 10 business days). CASL also addresses malware, spyware, and unauthorized alteration of transmission data. [4] [5]

Managing Customer Data — PIPEDA (current)

PIPEDA is the federal privacy law for private-sector organizations engaged in commercial activities. It is built on the 10 fair information principles (accountability, consent, limiting collection, safeguards, access, etc.).

Organizations often hold contact data, purchase histories, and behavioural data; some hold sensitive information. Marketers share responsibility with IT and legal to ensure data is collected with meaningful consent, safeguarded appropriately, and used only for stated purposes. The OPC provides practical tips to reduce vulnerabilities. [6]

Key Takeaways For Good Corporate Cyber-Hygiene

  1. Start with security: collect only what you need; be transparent; treat data with care.
  2. Control and restrict access to sensitive data.
  3. Require strong passwords and multi-factor authentication where appropriate.
  4. Protect data at rest and in transit; use current encryption and key-management practices.
  5. Segment networks; monitor for exfiltration and unusual access.
  6. Secure remote access with sensible limits and logging.
  7. Build security into product development; test for common vulnerabilities.
  8. Ensure vendors meet your standards; write security and privacy into contracts and verify.
  9. Patch quickly; follow credible advisories; have an incident-response plan.
  10. Don’t forget paper and devices; protect and dispose securely.

These PIPEDA principles may seem technical, but—like product liability—privacy failures create legal and reputational risk for marketing. The OPC’s Guidelines for obtaining meaningful consent clarify that consent must be understandable to the audience; for young users, organizations should adapt flows and, in most cases, obtain parental consent for children under age 13. [7] [8]

Emerging Reforms — CPPA & AIDA (Bill C-27)

Canada has proposed modernizing privacy and introducing AI governance via Bill C-27, which would enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). As of August 2025, these reforms remain before Parliament; marketers should monitor scope, consent, de-identification, automated decision-making transparency, and potential penalties. [9] [10] [11]

Quebec’s Law 25 (Provincial Modernization)

Quebec’s Law 25 (formerly Bill 64) phases in stronger requirements: privacy impact assessments (PIAs), breach notification to the CAI and affected individuals, enhanced consent rules, and a designated privacy officer. Law 25 applies to private-sector organizations handling Quebecers’ personal information. [12] [13]

Protecting Privacy Online

The Internet enables unprecedented collection and sharing of consumer information. Surveys consistently show strong concerns about confidentiality, security, and secondary uses of data. These concerns are an opportunity: brands can build trust by being transparent, minimizing data, and honoring choices.

Cybersecurity breaches affect organizations of all sizes; both consumers and companies often underestimate risk. A 2018 Senate report flagged systemic gaps in preparedness across sectors. [14]

Notice

Before collecting any personal information, organizations should clearly identify who is collecting the data, the purposes, and any categories of recipients (including service providers). PIPEDA requires clarity and accessibility of privacy notices. [15]

Consent

Choice means giving people control over secondary uses beyond what’s required to complete a transaction. Valid consent must be meaningful: users should understand the nature, purposes, risks, and consequences. Many frameworks distinguish opt-in (no use unless permitted) and opt-out (use unless declined). Under PIPEDA, organizations must adapt consent to the audience (e.g., minors) and the sensitivity of data. [16]

Security

Keep data accurate and secure. Limit internal access, log administrative actions, encrypt data in transit and at rest where appropriate, and vet vendors. Provide individuals with reasonable access and correction mechanisms. [17]

New Standards for European Privacy — GDPR (and Cookie Consent)

Websites should publish a clear privacy policy and provide effective consent controls for non-essential cookies and tracking. Under the EU’s GDPR—and guidance from European regulators—consent must be freely given, specific, informed and unambiguous. Pre-ticked boxes aren’t valid, and when “Accept all” is offered, an equally prominent “Reject all” should be, too. [18] [19]

GDPR remains a global benchmark; many Canadian organizations align to its standards for cross-border operations. [20] [21]

In an evolving privacy landscape, marketers can differentiate by exceeding minimum legal requirements—minimizing data, being transparent, offering true choice, and designing for security and accessibility from the start.

Creation note: This content was updated with the assistance of ChatGPT, a language model developed by OpenAI, and was subsequently reviewed and edited by the author for clarity and accuracy.


  1. CRTC. “About registering and who can still call you.” https://crtc.gc.ca/eng/phone/telemarketing/exempt.htm
  2. CRTC. “Answering the Call: Protecting Canadians from Unsolicited Calls” (2022). https://crtc.gc.ca/pubs/2022-dncl-en.pdf
  3. CRTC DNCL overview (exemptions page above).
  4. CRTC. “From Canada’s Anti-Spam Legislation (CASL) Guidance for Implied Consent.” https://crtc.gc.ca/eng/com500/guide.htm
  5. CRTC. “Frequently Asked Questions about CASL.” https://crtc.gc.ca/eng/com500/faq500.htm
  6. OPC. “PIPEDA fair information principles.” https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
  7. OPC. “Guidelines for obtaining meaningful consent.” https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/
  8. OPC / Consultation. “Children’s privacy code – Exploratory consultation” (Aug. 8, 2025). https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-children-code/expl_children-code/
  9. Department of Justice (Canada). “Bill C-27 Overview (Digital Charter Implementation Act, 2022).” https://www.justice.gc.ca/eng/csj-sjc/pl/charter-charte/c27_1.html
  10. LEGISinfo. “C-27 (44-1).” https://www.parl.ca/legisinfo/en/bill/44-1/c-27
  11. ISED. “Artificial Intelligence and Data Act (AIDA) – Companion document” (Jan. 31, 2025). https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act-aida-companion-document
  12. Commission d’accès à l’information (CAI) – English portal. https://www.cai.gouv.qc.ca/english
  13. LegisQuébec. “Act respecting the protection of personal information in the private sector (P-39.1).” https://www.legisquebec.gouv.qc.ca/en/document/cs/p-39.1
  14. Black, D., Olsen, C. S. (2018). Cyber Assault: It should keep you up at night. Standing Senate Committee on Banking, Trade and Commerce. https://sencanada.ca/content/sen/committee/421/BANC/Reports/BANC_Report_FINAL_e.pdf
  15. OPC. “PIPEDA fair information principles.” https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
  16. OPC. “Guidelines for obtaining meaningful consent.” https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/
  17. OPC. “PIPEDA fair information principles.” (Safeguards, Accuracy, Access) https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
  18. European Data Protection Board (EDPB). “Cookie Banner Taskforce Report” (Jan. 2023). https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf
  19. European Commission. “Legal framework of EU data protection.” https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en
  20. GDPR legal text (consolidated). https://gdpr-info.eu/
  21. What are cookies? (2019, Aug. 12). Norton. https://us.norton.com/internetsecurity-privacy-what-are-cookies.html

License

Introduction to Marketing I 3e Copyright © 2025 by Nova Scotia Community College is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
