Online behavioural advertising (OBA) is often presented as a narrow ad-tech issue. In Canadian privacy law, it is not. It is a legal question about whether an organization may track individuals across digital environments, combine data points into profiles, infer interests or attributes, and use those profiles for targeting in a manner that is transparent, proportionate and grounded in meaningful consent. The Office of the Privacy Commissioner of Canada (OPC) has long recognized that OBA may be permissible in some circumstances, but its findings in Nexopia, Google, Ganz, Bell’s Relevant Ads Program and Tim Hortons show that Canadian regulators will look past interface design and examine the substance of the underlying practice.

The OPC defines OBA as tracking consumers’ online activities “across sites and over time” in order to deliver advertisements tailored to inferred interests. That formulation matters because it captures more than conventional browser cookies. It reaches the broader behavioural advertising ecosystem: pixels, SDKs, persistent identifiers, device-level telemetry, browsing signals, usage patterns and location-based inferences. The OPC’s position is that information collected and used in that environment will generally constitute personal information under Canadian privacy law.

That legal characterization brings PIPEDA’s core requirements into play. Consent must be meaningful. The purposes must be identified in a manner an individual can understand. The practice must align with reasonable expectations. And, critically, section 5(3) imposes an independent limit: an organization may not collect, use or disclose personal information for purposes that a reasonable person would not consider appropriate in the circumstances. As McMillan has observed in discussing meaningful consent under PIPEDA, consent is not a complete defence where the underlying practice itself is unreasonable. That point has become central to the modern regulation of behavioural tracking.

The OPC’s own OBA guidance is permissive in principle but restrictive in execution. It recognizes that OBA can be a reasonable purpose, but only within defined boundaries. Individuals must be informed in a manner that is “clear and understandable.” Key elements cannot be “buried in a privacy policy.” Users must have an effective and readily available opt-out. The practice should, to the extent practicable, avoid sensitive information. And the OPC has stated that, as a best practice, organizations should not implement behavioural advertising practices directed at children because obtaining meaningful consent in that context may be difficult or impossible. Those are not cosmetic requirements. They define the outer edge of what the regulator considers defensible.

The first major lesson from the OPC’s findings is that sensitivity is contextual, not formalistic. In Google, the OPC found that Google had served targeted ads connected to a user’s personal health interest after the user sought information relating to sleep apnea. The regulator concluded that the information at issue was sensitive and that implied consent was insufficient; express consent was required for the collection and use of that information for behavioural advertising purposes. The significance of Google is broader than health advertising. It confirms that information may become sensitive because of what it reveals in context, even where the organization did not collect a formal medical record or an expressly labelled health category. Behavioural data can disclose intimate facts by inference, and privacy law will treat it accordingly.

The Bell Relevant Ads Program pushed that logic further. Bell’s program involved the use of customer account, network and service usage information to create interest categories for targeted advertising. The OPC held that Bell’s opt-out approach did not produce meaningful consent and that express opt-in consent was required. Particularly important was the regulator’s rejection of the notion that sensitive source data ceased to matter once converted into higher-level categories. The OPC concluded that sensitive URLs used to generate non-sensitive categories did not lose their sensitive character simply because they were transformed downstream. That reasoning is highly consequential for modern ad-tech systems, where organizations often argue that profiling is acceptable because raw inputs are abstracted, bucketed or pseudonymized before targeting decisions are made. Under the Bell analysis, that move does not neutralize the sensitivity problem if the upstream data remains revealing.

The children’s privacy findings are even less forgiving. In Ganz, the OPC investigated a child-directed online environment and found reasonable grounds to believe that third-party advertisers were tracking and profiling children for targeted OBA without adequately explaining what data was collected, how it was used or to whom it was disclosed. The matter is important not only because of the deficient disclosures, but because it demonstrates the regulator’s practical skepticism toward behavioural advertising in youth-facing environments. Where the audience is composed of children, the problem is not merely that the notice could be improved; it is that meaningful consent may be structurally unavailable. The OPC’s guidance now says that organizations should, as a best practice, avoid implementing behavioural advertising practices on websites aimed at children.

Nexopia reinforces the same theme from a youth-privacy perspective. While the underlying findings addressed a broader set of privacy issues on a social networking platform used by younger individuals, the OPC expressly connected its analysis to OBA and to the difficulty of obtaining meaningful consent from children and youth in behavioural tracking environments. Read together, Nexopia and Ganz stand for a larger proposition: where a digital service is directed to, or materially used by, younger individuals, organizations should expect the regulator to assess consent, transparency and reasonable expectations against a heightened standard. A platform cannot rely on the formal availability of settings, policies or permissions screens if the practical reality is that the affected users are unlikely to understand the nature and consequences of the tracking.

The most significant recent development, however, is Tim Hortons. That investigation moved the Canadian analysis beyond classic web-based OBA into app-based behavioural surveillance. Privacy regulators found that the Tim Hortons app collected granular geolocation data even when the app was not open, recorded users’ movements throughout the day, and used that information to infer whether a user was at home, at work, travelling or visiting a competitor. The regulators concluded that the company had not obtained valid consent. More importantly, they found that the collection and use were not for an appropriate purpose. That conclusion should not be underestimated. It means the legal defect was not merely that the disclosure was inadequate. The defect was also substantive: the practice itself was disproportionate and unreasonable.

Tim Hortons also matters because it confirms how Canadian regulators now view location data. The OPC found that large volumes of granular location information are capable of revealing deeply personal facts, including visits to medical facilities and patterns that may support inferences about religion, politics or other intimate matters. Once persistent location tracking is used to generate behavioural insights, the sensitivity analysis becomes far more acute. For organizations using mobile SDKs, geofencing tools, attribution products or advertising-linked analytics, the implication is obvious: location-enabled profiling is unlikely to be treated as low-risk operational metadata. It will be analyzed as potentially sensitive personal information subject to an exacting consent and appropriateness review.

These findings, taken together, show that Canadian privacy law now evaluates OBA through four interlocking concepts.

First, meaningful consent remains the entry point. Users must understand what is being collected, why it is being collected, with whom it will be shared and what the consequences may be. Disclosures that are diffuse, layered beyond practical comprehension or functionally hidden will not suffice. The OPC’s guidance makes that plain, and law-firm commentary continues to emphasize that information cannot simply be tucked into privacy policies and terms of use.

Second, sensitivity is heavily contextual. Data that may appear innocuous in isolation can become sensitive when combined, analyzed or used to infer health status, habits, religious observance, competitive activity, routines or vulnerabilities. Google, Bell and Tim Hortons all reflect that principle. The days when organizations could rely on a blunt distinction between “ordinary usage data” and “special category information” are over. Canadian regulators are asking what the data actually reveals in practice.

Third, reasonable expectations matter. Even sophisticated users do not ordinarily expect that an app permission, a service interaction or passive browsing activity will authorize wide-ranging profiling for advertising or analytics purposes unrelated to the immediate service experience. Bell’s RAP and Tim Hortons both turned in part on the distance between the organization’s internal data use model and what an ordinary individual would realistically anticipate.

Fourth, and now most importantly, consent is not enough if the purpose is not appropriate. This is where much ad-tech compliance analysis still fails. Organizations focus on permission architecture, banner wording and notice placement while paying insufficient attention to whether the collection itself is necessary, proportionate and justifiable. The Tim Hortons findings, read alongside McMillan’s discussion of section 5(3), make clear that Canadian law now demands both procedural compliance and substantive restraint. A business may secure a click, obtain an app-level authorization or publish a layered privacy notice and still contravene privacy law if the underlying surveillance is excessive.

For organizations operating in this space, the compliance implications are concrete.

They should begin by mapping actual data flows rather than relying on vendor descriptions such as “analytics,” “personalization” or “measurement.” Those labels often obscure whether a technology stack is, in fact, enabling cross-context behavioural profiling. They should then separate core service functionality from advertising, analytics and profiling purposes so that each use can be assessed independently. Where a practice involves sensitive subject matter, children’s data, persistent identifiers across contexts or app-based geolocation, the working assumption should be that implied consent is precarious and that the practice may need to be defended under section 5(3) as well. Vendor contracts should also be revisited to restrict downstream use, retention, disclosure and model-training practices. These are not merely procurement issues; they are integral to privacy risk allocation.

The broader lesson is that Canadian OBA law has evolved from a narrow doctrine about cookies into a wider doctrine about behavioural surveillance. The OPC still accepts that some forms of interest-based advertising may be carried out lawfully. But the findings in Nexopia, Google, Ganz, Bell RAP and Tim Hortons demonstrate that the legal analysis is no longer satisfied by the presence of a banner, a policy or a settings menu. Regulators are asking harder questions: what was really collected, what could be inferred from it, whether the individual actually understood the practice, whether the organization’s purpose was proportionate, and whether the practice could withstand scrutiny once stripped of euphemistic technical labels. In Canada, that is now the real test for behavioural advertising compliance.


I’m Amin, a lawyer based in Ontario who’s passionate about Commercial Law, Technology & Privacy. Through AMN Legal, I share insights on tech regulation, commercial law, and the practical challenges lawyers face in a digital world.

Disclaimer: The content of this blog is for general information only and does not constitute legal advice. 
