Recurring Payments in Canada: Legal Requirements

  • Home
  • Blog
  • Recurring Payments Legal Requirements

Table of Contents

Recurring billing is one of the most valuable business models in Canada — it enables predictable revenue, reduces collection costs, and improves customer retention. But operating a subscription or recurring billing business in Canada comes with a layered set of legal obligations that go well beyond simply having a credit card on file. Non-compliance can result in chargebacks, payment reversals, regulatory investigations, and damage to your business reputation. This guide covers every major legal requirement you need to know.

Note: This guide provides general information about payment regulations in Canada and should not be construed as legal advice. Consult a qualified legal professional for advice specific to your business situation.

The Regulatory Landscape for Recurring Billing

Recurring payments in Canada are governed by an overlapping set of federal and provincial rules, plus private network rules from payment processors and card networks. The key regulatory frameworks are:

  • PIPEDA — the federal Personal Information Protection and Electronic Documents Act, governing how you collect, use, and store customer payment information
  • Payments Canada Rule H1 — governing pre-authorized debits from bank accounts
  • Visa and Mastercard recurring billing rules — governing how you store and charge credit cards on a recurring basis
  • Provincial consumer protection laws — in provinces like Ontario (Consumer Protection Act), British Columbia (Business Practices and Consumer Protection Act), and Quebec (Consumer Protection Act / CPA), additional rules apply to contracts with recurring payment obligations

PIPEDA and Privacy Requirements

Federal — Personal Information Protection and Electronic Documents Act (PIPEDA)

Privacy Obligations for Payment Data

PIPEDA requires that all personal information — including payment information — be collected, used, and disclosed only with the individual's knowledge and consent, and only for purposes that a reasonable person would consider appropriate under the circumstances.

For recurring billing, PIPEDA's implications include:

  • Informed consent for data collection: When you collect a customer's credit card number or banking information, you must clearly disclose what you will use it for. Saying "for payment of your purchase" does not necessarily authorize you to store the card for future recurring charges.
  • Purpose limitation: If a customer provides payment information for a one-time purchase, you cannot use that information for a recurring subscription without additional explicit consent.
  • Secure storage: Payment data must be protected using appropriate safeguards. For credit card numbers, PCI DSS compliance is required. For bank account numbers, appropriate encryption and access controls are mandatory.
  • Data minimization: Collect only the payment information you actually need. For credit cards, using tokenization (storing a token rather than the actual card number) satisfies both PCI DSS and PIPEDA's security obligations.
  • Retention limits: Do not retain payment data longer than necessary for the stated purpose. Once a subscription is cancelled, define and follow a clear data deletion policy.

Quebec's Law 25 (enacted 2022) added additional requirements including privacy impact assessments for certain data processing activities and stricter breach reporting obligations. Businesses serving Quebec customers should review their compliance with Law 25 specifically.

Payments Canada PAD Rules

If you use EFT/pre-authorized debits to collect recurring payments from Canadian bank accounts, Payments Canada's Rule H1 applies. The key recurring billing requirements include:

📋

Written PAD Agreement

Must be obtained before the first debit. Must include amount, frequency, start date, and recourse rights.

📣

Advance Notice

10 calendar days notice before first debit (unless waived in writing). Notice for variable amounts before each debit.

🚫

Cancellation Compliance

Must stop debiting immediately on receipt of cancellation. Cannot charge for debits initiated after cancellation notice.

📁

Record Retention

Personal PAD authorizations must be retained for 7 years after the last debit under that authorization.

For a complete breakdown of PAD requirements, see our dedicated article on pre-authorized debits setup and compliance.

Credit Card Recurring Billing Rules

Visa and Mastercard both have detailed recurring transaction rules that merchants must follow. These rules govern stored credentials (saving a card for future use) and recurring charges.

Stored Credential Framework

When you save a customer's credit card for future charges, you are using what Visa and Mastercard call "stored credentials." The rules require:

  • Initial transaction: The first time you charge a stored card, you must use the full card details and include a flag indicating it is the first in a series of stored-credential transactions. You must get explicit cardholder consent to store the card.
  • Subsequent transactions: Subsequent recurring charges must include the original transaction ID from the first charge and a flag indicating it is a recurring stored-credential transaction. This allows issuers to identify the charge pattern and reduces fraud flags.
  • Cancellation: When a cardholder cancels their subscription, you must stop charging within the agreed cancellation period. Continuing to charge after a valid cancellation will result in chargebacks that you will not be able to dispute successfully.

Pre-Notification Requirements

Visa's rules require merchants to notify cardholders at least 7 days before charging a stored card if the amount, frequency, or other material terms of the recurring arrangement have changed. Mastercard has similar requirements. For standard recurring charges that match the agreed terms exactly, pre-notification for each charge is generally not required — but it is a best practice that reduces chargebacks significantly.

Critical Rule: If a customer's card expires and you receive an updated card number through Account Updater service, you must still notify the cardholder that their card was updated and confirm they consent to continued charges. You cannot simply update the card silently and continue billing without the cardholder's knowledge.

Provincial Consumer Protection Laws

Provincial consumer protection laws add requirements specifically for recurring billing contracts with consumers (not applicable to B2B contracts). Key provincial rules:

Ontario — Consumer Protection Act

  • Internet agreements (including online subscriptions) require clear disclosure of all recurring charges before the consumer agrees
  • Consumers may cancel internet agreements within 7 days of receiving the written agreement if full disclosure was not made
  • Contracts over 1 year (or indefinite-term contracts) must include cancellation provisions allowing the consumer to cancel at any time with 30 days notice

British Columbia — Business Practices and Consumer Protection Act

  • Future performance contracts (including subscriptions) must clearly state the total amount payable and any recurring obligations
  • Consumers can cancel within 7 days if the contract was entered into during an unsolicited visit or by telephone

Quebec — Consumer Protection Act

  • Quebec's CPA is one of the most consumer-protective in Canada. It requires particularly clear disclosure of all recurring charges and automatic renewal terms.
  • Automatic renewal clauses must be clearly brought to the consumer's attention, and consumers have a right to cancel automatic renewals.
  • Merchants must send a renewal notice 30–60 days before automatic renewal for contracts of 12 months or more.

Proper consent is the foundation of compliant recurring billing. These best practices satisfy both legal requirements and practical standards for reducing disputes:

1

Use explicit, specific checkboxes

Do not bundle consent for recurring billing into general terms of service acceptance. Use a separate, clear checkbox specifically for "I authorize recurring billing of $X on [frequency]."

2

State the exact amount and frequency

The consent must be specific: "I authorize TIB Finance to charge my credit card $49.99 per month starting [date]." Vague consents like "I authorize recurring charges" do not satisfy legal requirements.

3

Send a confirmation immediately

Email the customer a receipt of their authorization immediately after sign-up. Include the amount, frequency, start date, and how to cancel. This creates an evidence trail and reduces "friendly fraud" chargebacks.

4

Send pre-charge reminders

For annual subscriptions or variable-amount billing, send a reminder email 7–14 days before charging. This dramatically reduces chargebacks from customers who forgot they were enrolled.

5

Maintain an audit trail

Store the IP address, timestamp, user agent, and full agreement text at the moment of consent. This evidence is essential for winning chargeback disputes.

Cancellation Rights and Obligations

Canadian consumers (and regulators) take cancellation rights seriously. Your cancellation process must be:

  • Easy to find: Cancellation options must be clearly accessible — not buried in a help article or requiring a phone call to a support line. Many provinces and card network rules require that cancellation be at least as easy as sign-up.
  • Prompt: Once a customer requests cancellation, stop billing within the period specified in your agreement (typically 30 days or the next billing cycle). Billing after a documented cancellation request is a chargeback you will lose.
  • Confirmed: Send a cancellation confirmation email to the customer, including the effective date of cancellation and when their access ends.
  • Respected: Honour cancellations even if the customer owes a balance. Billing a customer who has cancelled violates both contractual and regulatory obligations. Pursue overdue balances through appropriate channels, not by continuing unauthorized charges.

Increasingly, provincial consumer protection offices and the Competition Bureau are scrutinizing "dark patterns" — UX designs that make cancellation deliberately difficult. Making cancellation unreasonably difficult exposes your business to regulatory action beyond just individual chargebacks.

Free Trials and Trial Period Compliance

Free trials that convert to paid subscriptions are subject to particularly scrutiny because many consumers do not fully understand the conversion terms. Compliant free trial implementation requires:

  • Clearly disclose that the trial converts to a paid subscription, the amount, and the date conversion will occur — at the point of sign-up, before credit card information is collected
  • Under Visa rules, free trials must use a $0 or $1 authorization to verify the card — not a $0 charge that does not appear on statements
  • Send a reminder email before the trial ends, informing the customer of the upcoming charge and providing a way to cancel
  • Obtain explicit consent for the post-trial recurring charge, separate from the trial authorization

Communicating Price Changes

When you change your subscription pricing, you have legal and contractual obligations to your existing subscribers:

  • Provide advance written notice of the new price — typically 30 days minimum, or as specified in your subscription agreement
  • Give customers the option to cancel before the new price takes effect without penalty
  • For customers on annual plans, the price change typically takes effect at the next annual renewal, not mid-term
  • Do not increase prices without notice — doing so is both a breach of contract and potentially a consumer protection violation

Compliance Checklist

Use this checklist to assess your recurring billing compliance status:

Requirement Applies To Key Action
Explicit consent for recurring charges All recurring billing Specific checkbox + confirmation email
Clear disclosure of amount and frequency All recurring billing State exact amount, frequency, start date
PAD agreement with R equired elements EFT/PAD billing Compliant agreement template + record retention
Stored credential flags in transactions Credit card recurring Ensure processor/gateway sends MIT flags
Easy cancellation process All recurring billing Self-serve cancellation + prompt confirmation
Pre-charge notification (annual/variable) Annual subscriptions, variable billing Email 7–14 days before charge
Price change notice All recurring billing 30 days notice + cancellation option
Free trial conversion disclosure Free trial offers Pre-signup disclosure + pre-conversion reminder
PCI DSS compliance for card storage Credit card recurring Use tokenization; complete annual SAQ
PIPEDA consent for data storage All payment methods Privacy policy + specific data use disclosure

TIB Finance provides a recurring billing infrastructure that incorporates compliance-by-design elements — compliant PAD agreement templates, stored credential transaction flags, electronic consent collection with audit trails, and pre-notification tools. To discuss setting up compliant recurring billing for your business, contact our team or explore our payment solutions. You can also review our specific guides on PAD compliance and EFT payments in Canada.

Ready to optimize your payment processing?

TIB Finance offers competitive rates and seamless integration for Canadian businesses.

Get Started Today