Canada Is Rewriting the Privacy Rule Book: What Is Bill C-36 About?

A new private sector privacy law is coming to Canada. Yesterday, the federal government introduced Bill C-36, which would substantially replace the current federal private sector data protection and privacy laws in the Personal Information Protection and Electronic Documents Act (PIPEDA) with a new statute called the Protecting Privacy and Consumer Data Act (PPCDA). If enacted, it will be the most significant overhaul of federal privacy law in Canada in over two decades. Businesses that collect, use, or disclose personal information in the course of commercial activities should start paying attention and planning now.

What Does It Replace?

PIPEDA has governed how private sector businesses handle personal information since 2001. Bill C-36 repeals the privacy portions of PIPEDA entirely, replacing them with PPCDA. PIPEDA's electronic documents provisions survive under a renamed Electronic Documents Act. The new law brings Canada closer in line with modern privacy regimes like the EU's GDPR and Quebec's Law 25.

Who Does It Apply To?

The PPCDA applies to any organization (broadly defined) that collects, uses, or discloses personal information in the course of commercial activities. It also covers personal information about employees of federally regulated businesses.  Unless the Alberta and British Columbia provincial Personal Information Protection Acts and the Quebec private sector privacy laws are deemed substantially similar under PPCDA, PPCDA will prevail.  We anticipate Alberta and British Columbia will take steps to align their laws with PPCDA once enacted.

What Are the Key New Requirements for Businesses?

Privacy Management Programs. Every organization must implement and maintain a formal privacy management program. This requirement is both broader and more specific, and includes documented policies, practices and procedures covering how personal information is protected, how complaints are handled, and how staff is trained. Regulators can request access to this program at any time. This is a significant step up from PIPEDA's more principles-based approach.

Stronger Consent Rules and Legitimate Interest Exceptions. Consent remains the cornerstone of the law, but the express requirements for valid consent are higher. Organizations must tell individuals specifically what their information will be used for before collecting it, and that purpose must be recorded. At the same time, similar to GDPR, PPCDA recognizes specific exceptions to consent where there is a legitimate interest. These may be of practical importance to businesses; however, the exceptions are narrow and specific.

Data Minimization. Organizations can only collect what is genuinely necessary for their stated purpose. This limits the common practice of collecting broad categories of data "just in case."

Right to Deletion. Individuals can request that their personal information be disposed of (deleted or anonymized), subject to exceptions for legal or legitimate business retention requirements.

Data Mobility. The law introduces a data mobility framework, meaning individuals will eventually have the right to request that their data be transferred from one organization to another. The specifics will be established by regulation.

Automated Decision Systems. The bill expressly defines and addresses automated decision-making systems, being tools that use AI, machine learning, or predictive analytics to assist or replace human judgment. Businesses using these tools to make decisions about individuals will face specific obligations, the details of which will likely be developed through regulations and guidance.

Cross-Border Transfers. Sending personal information outside Canada remains permitted, but the transferring organization remains accountable for ensuring equivalent protection. This obligation runs through the entire service provider chain. The cross-border requirements may be significantly more onerous than those under PIPEDA.

New Enforcement Architecture: The Digital Safety and Data Protection Commission

Bill C-36 proposes regulatory oversight under the new Digital Safety and Data Protection Commission of Canada, with a dedicated Privacy and Consumer Data Commissioner and Division. This new body has significantly more enforcement muscle than its predecessor, including the power to conduct audits, issue compliance orders, impose administrative monetary penalties, hear complaints and make binding decisions.

The enforcement regime appears to have some similarities to the powers of the Competition Bureau in the imposition of compliance orders and penalties without requiring court referral. Penalties for serious violations can be substantial, consistent with the trend in modern privacy legislation globally. The maximum penalty in relation to any one investigation is the greater of $10,000,000 and 3% of the organization’s gross global revenue.

Private Right of Action

For the first time at the federal level, individuals whose privacy rights are violated will be able to sue organizations directly for damages in court. This creates a meaningful new litigation risk for businesses, similar to what exists under Quebec's Law 25.

What Should Businesses Do Now?

Bill C-36 was only introduced on June 15, 2026, and must still pass through the full legislative process before becoming law. Coming into force will be determined by Order in Council, so there will be a transition period. However, given the scope of the changes, businesses should not wait. Now is the time to start to audit current privacy practices against the new framework, assess whether consent mechanisms, privacy policies, and vendor contracts are adequate, and begin building or strengthening your privacy management program.

We will follow up with further guidance on the various aspects of PPCDA and how organizations can move toward compliance.

If you have any questions about data protection compliance, liability or risk, our Privacy and Data Protection team would be pleased to assist you.