Privacy Policy Requirements in Canada: What Yours Must Say (2026)

A privacy policy is the most visible proof you take data seriously — and both Law 25 and PIPEDA expect a clear one. Here is exactly what it must contain, in order. Want it handled? IT Cares can audit your data flows so your policy matches reality.

What every Canadian privacy policy must cover

Who you are and your privacy contact; what personal information you collect; why you collect it; how you use and share it; how long you keep it; how you protect it; cookies and analytics; and how people can access, correct or delete their data.

Law 25 extras

Quebec adds requirements: name the person responsible for privacy, disclose if data leaves Quebec/Canada, explain automated decision-making if you use it, and describe how you obtain consent. Plain language is required — no dense legalese.

Copy-ready outline

Use these headings:

1) Who we are
2) What we collect
3) Why
4) How we use it
5) Sharing
6) Cookies & analytics
7) Retention
8) Security
9) Your rights & how to exercise them
10) Contact

Fill each honestly — do not claim controls you do not have.

FAQ

Is a privacy policy legally required in Canada?

In practice yes — Law 25 and PIPEDA require transparency about how you handle personal information, and a published privacy policy is the standard way to meet that. It must be clear and accurate.

Can I copy another company's privacy policy?

No. A policy must reflect what your business actually collects and does. Copying one risks describing controls you do not have, which is itself a compliance problem.
