Privacy & Regulatory Compliance
Your guide through the regulatory landscape surrounding e-commerce, data privacy, and personal information — across every jurisdiction where you do business.
For businesses that operate across borders — whether as multinational corporations or e-commerce companies serving consumers in multiple jurisdictions — privacy and consumer protection law has become one of the most complex and consequential areas of compliance. The proliferation of overlapping regulatory regimes means that the same data practices, the same commercial terms, or the same marketing campaign can trigger obligations in several legal systems simultaneously.
We have helped businesses in Canada and abroad implement the policies, processes, and governance structures needed to comply with these requirements — without losing sight of commercial realities. Our work spans both the legal analysis and the practical implementation: reviewing data flows, drafting compliant privacy notices and consent mechanisms, advising on cross-border data transfer frameworks, and supporting businesses through regulatory inquiries.
Consumer protection adds another layer. From mandatory disclosure obligations to unfair commercial practices rules and distance selling requirements, businesses that sell to consumers — particularly online — must navigate a set of rules that vary significantly by jurisdiction and are increasingly enforced.
Privacy & Data Frameworks We Work With
Our practice covers the major privacy frameworks affecting Canadian and internationally operating businesses:
- GDPR — General Data Protection Regulation (European Union): applies to any organization that processes personal data of EU residents, regardless of where the organization is established.
- PIPEDA — Personal Information Protection and Electronic Documents Act (Canada): the federal private-sector privacy law governing the collection, use, and disclosure of personal information in the course of commercial activity.
- CCPA / CPRA — California Consumer Privacy Act and California Privacy Rights Act: among the most stringent state-level privacy laws in the United States, with broad extraterritorial reach for businesses serving California consumers.
- Quebec Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (Law 25): Quebec's comprehensive reform of private-sector privacy obligations — including mandatory privacy impact assessments, 72-hour breach notifications, data minimization requirements, and new individual rights — with some of the strictest compliance thresholds in North America.
What We Do
- Privacy compliance audits and gap analyses across multiple jurisdictions
- Drafting and updating privacy policies, terms of use, and consent mechanisms
- Cross-border data transfer frameworks (standard contractual clauses, adequacy assessments)
- Privacy impact assessments (PIAs / FRPs) as required under Law 25 and GDPR
- Data breach response and regulatory notification obligations
- Vendor and processor agreement review (data processing agreements, DPAs)
- Consumer protection compliance for e-commerce and distance selling
- Training and internal policy development for privacy governance programs
- Representation before privacy regulators (Commission d'accès à l'information, Office of the Privacy Commissioner)