Under Canada's PIPEDA, a business website that collects personal data through contact forms, bookings, analytics or cookies needs a clear privacy policy, meaningful consent and responsible data handling. An Alberta small business should publish an accurate policy, limit what it collects, and secure that data. This is general guidance, not legal advice.
If your website has a contact form, a booking widget, an email signup, or Google Analytics running in the background, you are collecting personal information. That puts you inside the scope of Canada's federal private-sector privacy law, whether you ever thought about it or not. For most Alberta small businesses, privacy compliance is not a giant legal project. It is a handful of sensible practices you can put in place once and maintain with very little effort.
The trouble is that a lot of the advice floating around online is simply wrong, or two years out of date. Before we get to the practical baseline, it is worth clearing up the single biggest piece of misinformation in Canadian privacy content right now.
What PIPEDA actually requires of a small-business site (and the C-27/CPPA myth)
Canada's federal private-sector privacy law is the Personal Information Protection and Electronic Documents Act, or PIPEDA. It has been in force since 2000 and it is still the law today. You will read blog posts claiming that the Consumer Privacy Protection Act (CPPA) has replaced it, or that you need to prepare for sweeping new rules under Bill C-27. That is not accurate. Bill C-27, which contained the proposed CPPA, died on the Order Paper in January 2025 when Parliament was prorogued, and it was not re-tabled. There is no CPPA in force. Treating it as current law, or building your policy around it, is a mistake.
So what does PIPEDA actually ask of you? At its heart it is built on ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and the ability to challenge compliance. In plain terms, you must be clear about what you collect and why, collect only what you genuinely need, get meaningful consent, keep the data secure, keep it no longer than the stated purpose requires, and let people see and correct what you hold about them.
Two related regimes matter alongside PIPEDA. Quebec's Law 25 is the strictest privacy framework in Canada and is fully in force; it applies to any organization handling the personal information of Quebec residents, wherever that organization is based, so if you have customers in Quebec it deserves specific attention. And CASL, Canada's Anti-Spam Legislation, governs consent for commercial electronic messages, email included, which is directly relevant the moment you add a newsletter signup to your site.
The practical baseline: privacy policy, consent, cookies, form data
PIPEDA is principles-based rather than prescriptive, which is good news for small businesses: it scales to the sensitivity and volume of data you handle. A dental clinic collecting health-adjacent details has more to think about than a tradesperson with a quote form. But there is a common baseline that nearly every Alberta business site should meet, regardless of size.
- Publish an accurate, plain-language privacy policy that says what you collect, why, how it is used, who it is shared with, and how someone can reach you to ask about it.
- Get meaningful consent at the point of collection. A form that quietly harvests data without explanation does not meet the bar; a short line near the submit button explaining how the information will be used does.
- Limit collection to what you actually need. If a booking only requires a name, email and phone number, do not ask for a date of birth or address you will never use.
- Handle cookies and analytics honestly. If you run Google Analytics, advertising pixels, or any third-party tracking, disclose it and give visitors a real way to understand and control it.
- Secure the data you hold. Serve the whole site over HTTPS, make sure every form posts to an HTTPS endpoint (including any third-party form or booking handler), and restrict who on your team can access stored enquiries.
- Have a retention and deletion habit. Do not keep years of old form submissions in an inbox forever; delete what you no longer need.
- Name a person responsible. PIPEDA expects accountability, so designate who handles privacy questions and access requests, even if that person is you.
A note on cookie banners: the dramatic consent pop-ups you see everywhere are largely a response to Europe's GDPR, not PIPEDA. Canada does not require an aggressive blocking banner for ordinary analytics. What it requires is openness and meaningful consent appropriate to the sensitivity of the data: for basic analytics that can often be implied consent backed by clear disclosure and a working opt-out, while advertising pixels that build profiles of visitors call for more explicit treatment. A clear privacy policy and an honest disclosure of your tracking tools is usually the right-sized answer for a small Alberta business, not a wall of toggles copied from a European enterprise site.
Where small businesses most often fall short
In our experience building and maintaining sites for Calgary businesses, the gaps are rarely dramatic. They are small, fixable, and almost always unintentional. The most common is a privacy policy that does not match reality, a generic template downloaded years ago that claims the business does not use cookies while Google Analytics and a Meta pixel run on every page. An inaccurate policy can be worse than none, because it is a documented promise you are not keeping.
The second common gap is form data with no clear destination. Submissions land in a shared inbox, get forwarded around, and live there indefinitely with no one accountable for them. The third is mixing email consent and privacy consent: collecting an address for a quote and then adding it to a marketing list without separate, informed consent, which trips over both PIPEDA and CASL. And the fourth is sites still serving pages over plain HTTP, or loading forms insecurely, which undermines the safeguards principle outright.
Transparency is not a legal burden to minimise. It is the clearest signal a small business can send that it respects the people who trust it with their information.
Compliance as a trust signal, not just a legal box
It is tempting to treat privacy as paperwork: write the policy, paste it in the footer, forget about it. But the businesses that do well with this treat it as part of how they earn trust. A visitor deciding whether to book a dentist, hire a contractor, or hand over their information to a professional-services firm is making a judgment about reliability. A clear, honest privacy policy and a form that explains itself quietly reinforce that you are organised, careful, and accountable, the same qualities they are hoping for in the service itself.
The practical reality is that good privacy practice and good web design point in the same direction. Collecting less data means simpler forms and higher completion rates. Serving everything over HTTPS is also better for search ranking. Keeping your policy accurate forces you to actually know which tools are running on your site. None of this is wasted effort, and most of it can be set up once and maintained with a light touch through a regular care routine.
If you are not sure where your site stands, start with the basics: read your own privacy policy and check whether it is true, look at what your forms collect versus what you need, and confirm the whole site is encrypted. For most Alberta small businesses, that short audit closes the majority of the gap. For anything sensitive or Quebec-facing, get advice tailored to your situation. The Office of the Privacy Commissioner of Canada publishes plain-language guidance at priv.gc.ca that is a useful starting point.
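One way to run the short audit described above against a page's actual markup, as an added example that is not part of the original post: it lists every third-party host the page loads, flags known tracking tools so you can compare them with what your policy claims, and flags any form that submits over plain HTTP. The site name example-clinic.ca, the sample HTML and the tracker hostname list are constructed for illustration; feed the function the HTML of your own pages (for example the output of `curl -sL https://yoursite`).

```python
"""Static audit of one HTML page: form transport, third-party loads, policy match."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hostnames of common third-party tracking tools. Assumption: this list is
# illustrative, not exhaustive; add whatever your own site actually loads.
KNOWN_TRACKERS = {
    "www.googletagmanager.com": "Google Tag Manager / Google Analytics 4",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta pixel",
}


class _PageCollector(HTMLParser):
    """Collects form actions and external resource URLs from one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []   # absolute URL each form submits to
        self.resource_urls = []  # absolute URLs of scripts, iframes and images

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page itself.
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag in ("script", "iframe", "img") and a.get("src"):
            # urljoin also resolves protocol-relative "//host/path" sources.
            self.resource_urls.append(urljoin(self.page_url, a["src"]))


def audit_page(html, page_url, policy_discloses_tracking):
    """Compare what a page actually does with what its privacy policy claims.

    Returns a dict of findings; an empty "issues" list means the page passed.
    """
    site_host = urlsplit(page_url).hostname
    collector = _PageCollector(page_url)
    collector.feed(html)
    collector.close()

    insecure_forms = [u for u in collector.form_actions
                      if urlsplit(u).scheme != "https"]
    mixed_content = [u for u in collector.resource_urls
                     if urlsplit(u).scheme == "http"]
    third_party_hosts = sorted({
        urlsplit(u).hostname for u in collector.resource_urls
        if urlsplit(u).hostname and urlsplit(u).hostname != site_host
    })
    trackers = {h: KNOWN_TRACKERS[h] for h in third_party_hosts if h in KNOWN_TRACKERS}

    issues = []
    if urlsplit(page_url).scheme != "https":
        issues.append("page itself is served over plain HTTP")
    issues += [f"form submits over plain HTTP: {u}" for u in insecure_forms]
    issues += [f"resource loaded over plain HTTP (mixed content): {u}" for u in mixed_content]
    if trackers and not policy_discloses_tracking:
        issues.append("policy does not disclose tracking tools found on page: "
                      + ", ".join(sorted(trackers.values())))
    return {
        "insecure_forms": insecure_forms,
        "mixed_content": mixed_content,
        "third_party_hosts": third_party_hosts,
        "trackers": trackers,
        "issues": issues,
    }


# Constructed sample: a hypothetical clinic contact page whose generic policy
# says "we do not use cookies" while GA4 and a Meta pixel load on every page.
SAMPLE_PAGE_URL = "https://example-clinic.ca/contact"
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<form action="http://forms.example-clinic.ca/submit" method="post">
  <input name="name"><input name="email"><button>Send</button>
</form>
<img src="/logo.png" alt="">
</body></html>
"""


def run_sample():
    """Audit the constructed page against a policy that claims no tracking."""
    return audit_page(SAMPLE_HTML, SAMPLE_PAGE_URL, policy_discloses_tracking=False)


if __name__ == "__main__":
    for issue in run_sample()["issues"]:
        print("ISSUE:", issue)
```

Two caveats a practitioner should keep in mind: this is a static check of one page, so a tag manager that injects a pixel at runtime will not show up in the markup (your browser's network tab is the complement), and the markup cannot tell you whether the HTTP version of your site redirects to HTTPS or whether a third-party form handler stores submissions securely, so check those separately.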