WordPress hosting with PIPEDA plugin built into the platform.
Meaningful consent, privacy portal, access and correction workflow, and signed DPA — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. It's how every Yovale site ships, on every plan.
Ten principles you have to honor.
The Personal Information Protection and Electronic Documents Act, in force across Canada since 2000 and fully extended to the private sector in 2004, is enforced by the Office of the Privacy Commissioner of Canada (OPC). It rests on ten Fair Information Principles and applies to any organization that collects, uses, or discloses personal information during commercial activity in Canada.
- 01 Meaningful consent
  Individuals must understand what you're collecting, why, and who you share it with — and give knowing opt-in for anything beyond non-sensitive use. Pre-checked boxes and buried disclosures don't meet the OPC's meaningful consent guidelines.
- 02 Ten Fair Information Principles
  Accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance — all ten apply on every site, not pick-and-choose.
- 03 Access and correction
  Anyone can ask what personal information you hold about them and have it corrected. You have 30 days to respond and must provide it in an understandable form, free of charge in most cases.
- 04 Safeguards
  Personal information must be protected by security safeguards appropriate to its sensitivity — physical, organizational, and technological. Encryption at rest and in transit is the floor, not the ceiling.
- 05 Breach reporting to the OPC
  Breaches that pose a real risk of significant harm must be reported to the Privacy Commissioner and to affected individuals as soon as feasible. Records of every breach must be kept for at least 24 months.
- 06 OPC complaints process
  Individuals can file a complaint with the Privacy Commissioner. You must cooperate with investigations, respond to recommendations, and may be named in a public Commissioner's report.
Built into the platform. Not a plugin you install.
Yovale ships PIPEDA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.
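The version pin and SHA-256 check described above can be enforced as in this added example, which is not Yovale's code. The manifest layout, the version string, the file name and the `install_pinned` helper are assumptions, and the artifact bytes are constructed inline instead of being fetched from R2.

```python
import hashlib
import hmac
import os
import tempfile

class PinMismatch(Exception):
    """Raised when an artifact is unpinned or does not match its pinned digest."""

def install_pinned(artifact: bytes, manifest: dict, version: str, mu_dir: str) -> str:
    """Verify the in-memory artifact against its pin, then install it atomically."""
    pin = manifest.get(version)
    if pin is None:
        raise PinMismatch(f"version {version!r} is not pinned")
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, pin["sha256"].lower()):
        raise PinMismatch(f"sha256 mismatch for {pin['file']}: got {digest}")
    # basename() keeps a hostile manifest entry from escaping mu_dir.
    dest = os.path.join(mu_dir, os.path.basename(pin["file"]))
    # Stage inside mu_dir so os.replace() is an atomic rename on one filesystem;
    # the exact bytes that were hashed are the bytes written (no re-read from disk).
    fd, tmp = tempfile.mkstemp(dir=mu_dir, prefix=".staged-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(artifact)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o444)  # read-only once in place
        os.replace(tmp, dest)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest

def demo() -> dict:
    good = b"<?php /* constructed sample plugin body */\n"
    tampered = good + b"// extra line\n"
    # Constructed manifest: hypothetical version and file name.
    manifest = {"1.4.2": {"file": "compliance.php",
                          "sha256": hashlib.sha256(good).hexdigest()}}
    with tempfile.TemporaryDirectory() as mu_dir:
        path = install_pinned(good, manifest, "1.4.2", mu_dir)
        try:
            install_pinned(tampered, manifest, "1.4.2", mu_dir)
            rejected = False
        except PinMismatch:
            rejected = True
        with open(path, "rb") as fh:
            unchanged = fh.read() == good  # failed install left the good copy alone
        return {"rejected": rejected, "unchanged": unchanged,
                "files": sorted(os.listdir(mu_dir))}
```

A rejected artifact never touches the target directory, so a failed update leaves the previously verified file in place.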
Meaningful consent banner
Geo-aware. Canadian visitors see PIPEDA opt-in with plain-language purposes before any non-essential script fires. Quebec visitors get Law 25 flows. US visitors see CCPA opt-out. Renders in 8 locales (including French for the bilingual market). Configurable in the dashboard.
Privacy portal
/.well-known/privacy on every Yovale site. Visitors view, export, correct, or delete the personal information you hold about them without filing a support ticket. You see every request in the Compliance dashboard tab.
Audit log
Every consent given, withdrawn, or modified is logged at the Cloudflare edge worker layer. Tamper-proof, queryable, retained for the 24-month breach-record minimum and beyond, so OPC investigations are answered with data, not guesses.
Signed DPA
Pre-signed Data Processing Agreement available in your dashboard. Lists every sub-processor (Cloudflare, Anexia, R2), data flows, security safeguards, and breach notification SLAs aligned to PIPEDA's real risk of significant harm test. PDF download for your records.
Why infrastructure beats a plugin.
Typical WordPress PIPEDA plugin
- Adds 200-500ms to every page load (banner JS, cookie scan, DB writes)
- Stores consent records in wp_options — slow, untyped, breaks with object caching
- Updates through wp-admin — you maintain it, you break it, you debug conflicts
- Costs $49-119/year per site (Complianz, CookieBot, CookieYes)
- Breaks when you migrate hosts; consent history and breach records lost
Yovale's built-in approach
- 0ms latency — consent state computed at the edge worker, cached in the CDN
- Audit log in a dedicated database, queryable, never blocks page render
- Updates ship through the platform — you don't see them, you don't break them
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — consent and breach history are yours to export
14 regulations. One toggle each. All automatic.
- Meaningful consent for collection
- Ten Fair Information Principles
- Breach reporting to the OPC
- Access and correction rights
PIPEDA + Yovale, answered.
Do I need to install a PIPEDA plugin on top of Yovale?
No. The compliance MU-plugin is part of the hosting, not something you add. Installing a separate consent plugin (Complianz, CookieBot, CookieYes) on top of Yovale would create duplicate banners and confuse visitors. The platform handles meaningful consent, access requests, and breach records.
What about Quebec Law 25 and provincial laws like BC and Alberta?
Quebec's Law 25 is treated as its own flow — Quebec visitors get the stricter notice-and-consent UI in French by default, with explicit purposes per category. BC's PIPA and Alberta's PIPA are recognized as substantially similar to PIPEDA, so intra-provincial commercial activity in those provinces is covered by the same configuration. You don't manage the geo logic; the platform does.
What if I get an access or correction request?
Individuals handle most requests themselves through the privacy portal at /.well-known/privacy on your domain. For requests that require human review (custom data correction, complex access requests), you see them in your dashboard Compliance tab with a 30-day SLA timer aligned to PIPEDA's response window.
What happens during an OPC investigation or breach?
The audit log gives you a complete, timestamped record of every consent and every personal information request, retained well past the 24-month statutory minimum. If a breach occurs, the dashboard walks you through the real risk of significant harm assessment, generates the OPC notification record, and keeps the breach log the law requires.
Is the DPA legally binding?
Yes. It's a pre-signed agreement that names Yovale as the third party handling personal information on your behalf and lists every sub-processor (Cloudflare, Anexia, R2), the security safeguards applied, and breach notification SLAs. Available as a PDF download in your dashboard.
What about Bill C-27 and the future CPPA?
Bill C-27 would replace PIPEDA's private-sector rules with the Consumer Privacy Protection Act (CPPA), with penalties up to 5% of global revenue or CAD $25M. It's not yet in force. Yovale's compliance MU-plugin is already structured around the CPPA's stricter consent, transparency, and de-identification expectations, so when (or if) it passes, your sites move with the platform — no plugin migration on your side.
Ship a PIPEDA-compliant WordPress site in 60 seconds.
Every Yovale site is PIPEDA-ready from the moment you deploy. No plugin to install. No DPA to chase. No banner to configure. Start the free Growth trial and see your first compliance dashboard.