The attack surface is a git repository.

IN FORCE

ONTARIO

AODA — Accessibility for Ontarians with Disabilities Act

Fully in force; full-compliance deadline 2025-01-01 has passed

Scope. All Ontario public-sector organizations (municipalities, school boards, health authorities) and most private-sector organizations.

Why it matters. Municipal websites are required to meet WCAG 2.0 Level AA across all content the public can read. Non-compliance is a director-issued order with penalties up to $100,000 per day for organisations and $50,000 per day for individuals. Most municipalities running WordPress with off-the-shelf themes are technically non-compliant on at least the colour-contrast, focus-order, and form-label criteria.

• 2005-06-13Royal Assent
• 2014-01-01WCAG 2.0 Level A required
• 2021-01-01WCAG 2.0 Level AA required for all content
• 2025-01-01Full-compliance deadline (Ontario "accessible by 2025" target)

IN FORCE

QUEBEC

Law 25 — An Act to modernize legislative provisions as regards the protection of personal information (formerly Bill 64)

Fully in force — final stage took effect 2024-09-22

Scope. Every organisation carrying on an enterprise in Quebec, including municipalities, public bodies, and any private-sector entity collecting personal information from Quebec residents.

Why it matters. Quebec municipalities must designate a privacy officer, perform privacy impact assessments before launching new systems, report breaches to the Commission d'accès à l'information, and honour data-portability and right-to-erasure requests. Penalties run to the higher of $25M or 4% of worldwide turnover for the most serious violations.

• 2021-09-22Adopted as Bill 64
• 2022-09-22Stage 1 — privacy officer appointment, breach reporting
• 2023-09-22Stage 2 — bulk of substantive obligations
• 2024-09-22Stage 3 — right to data portability

IN FORCE

FEDERAL CANADA

CASL — Canada's Anti-Spam Legislation

In force since 2014-07-01

Scope. Any organisation sending commercial electronic messages to Canadian recipients, including newsletter signups, contact-form follow-ups, and meeting-confirmation emails initiated by a public-facing form on a municipal website.

Why it matters. The newsletter on your municipality's website, and any commercial email triggered by a form submission, must satisfy CASL's consent and identification requirements. Express or implied consent must be on file, the message must identify the sender, and an unsubscribe must work in two clicks. Penalties run to $10M per violation for organisations.

• 2014-07-01In force — most commercial-electronic-message provisions
• 2017-07-01Implied-consent transition window closed

IN FORCE

FEDERAL + PROVINCIAL

PIPEDA · MFIPPA · FOIP — Personal Information Protection and Electronic Documents Act + provincial municipal access/privacy regimes

In force; MFIPPA amendments expected via Ontario Bill 194 successor

Scope. Federal PIPEDA covers private-sector commercial activity nationally. Municipalities operate under provincial regimes — MFIPPA in Ontario, the Municipal Government Act / FOIP in Alberta, the LCOM/LCAI framework in Quebec, and similar in each province. Every municipal contact form, dossier-style intake, and council-livestream chat is in scope.

Why it matters. Most municipal websites collect, store, and route personal information through plugins and shared hosting that the procurement section has never audited. The legal exposure is not theoretical — it lives in the form-handler plugin's database and the CDN that's caching the response.

• 2000-04-13PIPEDA Royal Assent
• 2001-01-01PIPEDA Stage 1 — federal works, undertakings, businesses
• 2004-01-01PIPEDA Stage 2 — extended to all commercial activity nationally

PARTIAL

ONTARIO

Bill 194 — Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024

Royal Assent 2024-11-25; FIPPA amendments in force; municipal MFIPPA amendments still to be proclaimed

Scope. Ontario provincial public-sector institutions under FIPPA; children's aid societies; school boards. Equivalent municipal MFIPPA amendments are signalled but not yet introduced — municipalities should plan against them.

Why it matters. For provincial bodies and school boards, privacy impact assessments, breach reporting, and AI-system disclosures are now required practice. Municipalities sit one regulation away from the same standard; bringing your website and form pipelines into the FIPPA-grade posture before MFIPPA catches up is the cheap option.

• 2024-11-25Royal Assent
• 2025-01-29Whistleblower protections in force
• 2025-07-01PIPs, breach reporting, personal-info safeguards in force (FIPPA institutions)
• TBDMFIPPA amendments to be proclaimed (municipal scope)

IN FLIGHT

FEDERAL CANADA

Bill C-8 (CCSPA) — Critical Cyber Systems Protection Act (formerly Bill C-26, reintroduced as C-8)

Reintroduced 2025-06-18 as Bill C-8; under SECU committee study

Scope. Designated operators of federally regulated critical cyber systems — telecom, finance, energy, transportation. Municipalities are not directly covered, but the standard set will cascade through procurement requirements onto suppliers and through provincial copy-cat legislation.

Why it matters. When CCSPA passes, federally regulated suppliers must hold a cybersecurity programme to a defined standard. Municipal procurement that touches federally regulated services (water utilities working with Hydro, transit interfaces, banking integrations) will be expected to align — even before Ontario or Quebec adopt municipal versions.

• 2022-06-14Bill C-26 introduced (44th Parliament)
• 2024-12-12Senate amendments fix C-70 numbering conflict
• 2025-01-06Bill C-26 dies on prorogation
• 2025-06-18Reintroduced as Bill C-8 by the Carney government