Analyzing the Conservative Party of Canada's privacy policy through a marketing technology lens
In the martech world, consent management is everything. Modern marketing platforms require explicit opt-in, granular consent for different processing activities, and clear documentation of when and how consent was obtained. This is the foundation of GDPR compliance.
But when you interact with a political party's website? The rules are completely different:
What this means: Simply filling out a form = automatic consent for all "political activities." No checkbox, no explicit agreement, no clear scope limitations. Under CASL, this would be illegal for a commercial entity. For political parties? Perfectly acceptable.
Compare this to an e-commerce site where you must check a box saying "Yes, I want to receive marketing emails" - and even then, they can only use your data for the specific purpose you agreed to.
In enterprise marketing, data access controls are critical. Marketing automation platforms like HubSpot or Salesforce have role-based permissions, audit logs, and strict controls on who can access customer data. GDPR requires organizations to limit data access to only those who need it for specific purposes.
Political parties operate under a completely different model:
The scale of this: 338 riding associations across Canada + hundreds of candidates + nomination contestants + leadership contestants = potentially thousands of individuals with access to your:
In a commercial context, sharing customer data this broadly without specific consent for each use would be a serious GDPR violation, potentially resulting in fines up to 4% of global revenue.
Data brokers and third-party data are hot-button issues in privacy law. GDPR requires transparency about data sources and gives individuals the right to know where their data came from. Modern privacy policies clearly state what data is collected directly vs. acquired from other sources.
The CPC's privacy policy includes a seemingly reassuring promise, but read it carefully:
The critical qualifier: "that you have chosen to provide." This carves out a massive exception for data from:
What this means: The "no sale" promise only covers the small subset of data you directly submitted via their forms. The vast majority of their databaseβbuilt from voter lists, public sources, and enriched dataβisn't covered by this commitment.
A comparable commercial promise would be: "We won't sell the data from your signup form, but all the data we bought about you from data brokers? That's fair game." This would never pass muster under GDPR or modern privacy standards.
GDPR violations: Up to β¬20M or 4% of global revenue
CASL violations: Up to $10M in fines
The reality: Federal political parties are not covered by CASL. Not covered by PIPEDA. Privacy Commissioner has no jurisdiction. The Canada Elections Act has no meaningful privacy enforcement mechanism.*
*Exception: B.C. residents have enforceable rights under provincial PIPA.
The same Canadian has dramatically different privacy protection depending on whether they're shopping online or engaging with the Conservative Party of Canada.
Sign a petition, RSVP an event, make a donation
Name, email, address, political views, family info
CPC policy: "If you submit your email... you consent to being added to our email list." No explicit opt-in required. Submission = consent for undefined "political activities."
Note: This includes responding to unsolicited contact. When you text back to a CPC volunteer - even to say "stop contacting me" - you've technically confirmed your number is active and provided engagement data. That response becomes part of your profile.
Name, address of all registered voters
Social media, property records, databases
Direct information you provided
Combined, analyzed, scored for likelihood to support
CPC policy promises not to sell data "you have chosen to provide" - but what about enriched or acquired data? The qualifier creates ambiguity.
338 riding associations, candidates, nomination & leadership contestants
Canvassers at your door with lists
Targeted based on your profile
Volunteers calling from databases
CPC policy: "your personal information may be used and disclosed within our Party" - shared across entire party structure with no individual consent or scope limits.
Google Analytics, third-party cookies
Mass email service providers
Infrastructure providers
CPC policy allows third-party cookies "to assist in advertising." You can opt-out of ads through Google/AdChoices, but not first-party CPC profiling.
No mandatory breach notification. No data portability rights (except B.C.). No external enforcement. No retention limits. No purpose restrictions beyond "political activities."
When I sign a CPC petition or donate, they'll only use my email to contact me about that specific issue or campaign.
You've given blanket consent for all "political activities" including fundraising, volunteer recruitment, canvassing, and "customizing your experience."
My information stays with the central CPC office - they wouldn't share my personal details without asking me first.
Your data flows automatically to hundreds of riding associations, local candidates, nomination contestants, and leadership contestants across the country.
When the CPC says they won't sell my data, that means my information is safe and won't be shared commercially.
The no-sale promise only covers data "you have chosen to provide" - not data from voter lists, public sources, or data enrichment. That leaves a massive loophole.
If the CPC mishandles my data, I can complain to the Privacy Commissioner like I would with any company.
The CPC claims to be "subject to extensive regulation" under the Canada Elections Act - but federal political parties are not covered by PIPEDA, Privacy Commissioner has no jurisdiction, and CASL exempts political fundraising.*
I can request to see all the data the CPC has on me, or ask them to delete it, just like with Google or Facebook.
The policy only mentions "updating" your information via email. No general right to access all your data, no data portability, no clear erasure process, no retention schedule.*
Canadian privacy laws protect me equally whether I'm dealing with a business or the Conservative Party.
The same Canadian has dramatically different protection levels. Commercial companies face GDPR-style rules, CASL penalties up to $10M, and Privacy Commissioner oversight. The CPC? None of the above.
These aren't just policy differences - they represent a fundamental imbalance in how Canadian law protects citizens. Your grocery store faces more privacy restrictions than the Conservative Party of Canada.