Skip to main content
Charcom
← All posts

Compliance

PIPEDA and CASL: What Your Lead Form Actually Needs

Canadian privacy and anti spam laws have specific requirements that lead forms often miss. Here is the plain English version of what your form needs.

April 3, 2026 · 4 min read · 1 of 42

Canada has two laws that govern what you can do with the contact information someone submits through your lead form. PIPEDA (the Personal Information Protection and Electronic Documents Act) covers personal data generally. CASL (the Canadian Anti Spam Legislation) covers commercial electronic messages.

Most realtor lead forms have minor violations of both. Here is what is actually required.

What PIPEDA requires

Three things, at the moment you collect the data.

1. Identify the purpose. Tell the person why you are collecting their information. "To respond to your inquiry about real estate services in Mississauga" is enough. You do not need a wall of legalese.

2. Get consent. Consent can be explicit (a checkbox they tick) or implied (the act of filling out the form is consent for the stated purpose, if the purpose is obvious). For a generic contact form where the purpose is obviously "to talk to me about real estate", implied consent is fine. For a newsletter signup that will lead to marketing emails, explicit consent is required.

3. Limit collection. Only collect what you actually need. A contact form does not need date of birth, household income, or social insurance number. Asking for unnecessary data is a privacy violation, and it kills your conversion rate too.

What CASL requires

CASL applies the moment you send a commercial electronic message (any email, text, or instant message that promotes commercial activity). Three things are required.

1. Express consent or qualifying implied consent. The recipient must have either explicitly agreed to receive your messages, or you must have a qualifying existing business relationship with them (defined in the law as someone who, for example, requested a quote in the last 6 months or made a purchase in the last 24 months).

2. Identification. Every message must clearly identify who you are, including your business name and a current physical address. "Hassan Nouman, Cityscape Real Estate Ltd., 50 Burnhamthorpe Rd W, Mississauga ON L5B 3C2" in the footer of every email satisfies this.

3. Unsubscribe mechanism. Every commercial message must include a way for the recipient to unsubscribe with one click, and you must honour the unsubscribe within 10 business days.

The practical lead form setup

For most realtor lead forms, this is the compliant minimum.

Above or below the form, a sentence like: "By submitting this form, you agree to be contacted by [your brokerage] about your real estate inquiry. You can opt out of any future communications at any time."

Two fields: name and email. Optional: phone, message.

After submission, send your auto reply email with your full name, brokerage, address, and an unsubscribe link at the bottom (even if the email is transactional, it is a good habit to include it).

When you add the lead to a drip sequence (Day 3, Day 7, Day 14 nurture emails), the sequence itself is commercial, so the unsubscribe link in every email is essential.

The implicit consent trap

Lead forms used to commonly add new contacts to mailing lists automatically, treating the contact form submission as consent for future marketing. CASL specifically rejects this. The contact form submission is consent for the stated purpose (responding to the inquiry), not for unrelated marketing.

If your contact form adds the lead to your monthly newsletter without an explicit checkbox, you are over the line. The fix is a small "Yes, I also want occasional market updates" checkbox, defaulted to unchecked.

The penalties

CASL violations can carry penalties up to $1 million for individuals, though enforcement against solo realtors has historically focused on warnings and audits rather than fines. PIPEDA violations are typically handled by the Privacy Commissioner with mandated remediation rather than fines.

The realistic risk is reputational and operational. Your brokerage's compliance officer can pull your site offline if they spot violations during a routine audit. The brokerage's E&O insurance can refuse to cover privacy related claims if your site has known compliance gaps.

Setting up compliant lead forms is a 20 minute job. Cleaning up after a violation is hours of work and awkward conversations. The math is obvious.

Tagspipedacaslprivacylead capture

Keep reading

Ready to build a realtor website that actually works?

Same day setup, 8 editorial themes, MLS feed included, weekly local blog under your byline. $29.99/month locked for life as a founder.

Claim a founder spotSee pricing