Author: Rimsha Zafar
July 15, 2026

Bill C-36: Canada’s Biggest Privacy Reform and What It Means for Your Business

Is your organisation ready for the most significant shift in Canadian privacy law in over two decades? With personal data breaches rising and consumer expectations growing, Canada has moved to completely overhaul its federal privacy framework.

 

On 15 June 2026, the Canadian government introduced Bill C-36, officially titled the Protecting Privacy and Consumer Data Act (PPCDA). This proposed legislation would replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), the law that has governed private-sector privacy in Canada since 2000. Bill C-36: Canada’s Biggest Privacy Reform represents the government’s third attempt since 2020 to modernise its approach to data protection.

 

This blog covers everything you need to know about the bill. From its core provisions and enforcement penalties to how it affects children’s data, cross-border transfers, and automated decision-making, each section breaks down the details that matter most for compliance teams, legal professionals, business leaders, and data governance stakeholders.

Why Canada Needed a New Privacy Law

Canada’s existing privacy framework has struggled to keep pace with rapid technological change and global regulatory standards.

PIPEDA's Limitations in a Data-Driven Economy

PIPEDA was enacted in 2000, long before cloud computing, artificial intelligence, and large-scale data analytics became standard business tools. The law lacked strong enforcement mechanisms. The Office of the Privacy Commissioner (OPC) could investigate complaints and make recommendations, but it could not issue binding orders or impose financial penalties. This left the regulator with limited power to hold organisations accountable.

 

As global standards evolved with laws like the EU’s GDPR and various US state-level regulations, Canada’s framework fell behind. Businesses operating across borders faced uncertainty about how Canadian rules compared to stricter international requirements.

Failed Predecessors: Bill C-11 and Bill C-27

Behavioural profiling builds a detailed picture of individual users across multiple websites. Advertisers track which pages a person visits, how long they stay, and what they click. This cross-site profiling creates rich audience segments that fuel retargeting campaigns.

The problem is that most users never explicitly agreed to this level of monitoring. Under the GDPR and similar frameworks, behavioural profiling for advertising requires a lawful basis. In most cases, that lawful basis is consent. Without it, businesses face significant legal and financial risk.

Growing Public Demand for Stronger Protection

Consumers increasingly expect transparency about how their data is collected, used, and shared. High-profile data breaches and growing awareness of digital surveillance have fuelled demand for stronger legal safeguards. Bill C-36: Canada’s Biggest Privacy Reform responds directly to this demand by recognising privacy as a fundamental right, not merely a commercial consideration.

What Is Bill C-36: The Protecting Privacy and Consumer Data Act

Bill C-36 proposes to enact the Protecting Privacy and Consumer Data Act (PPCDA), a comprehensive replacement for Part 1 of PIPEDA.

Core Purpose and Scope

The PPCDA applies to every private-sector organisation that collects, uses, or discloses personal information in the course of commercial activities across Canada. It retains the consent-based, principles-based, and technology-neutral approach that underpinned PIPEDA. However, it introduces substantially stronger individual rights, clearer organisational obligations, and a new enforcement structure with real financial consequences.

 

Unlike Bill C-27, which bundled AI regulation into the same legislation, Bill C-36 focuses solely on privacy and consumer data protection. The government has chosen to address artificial intelligence through separate legislative channels.

Privacy as a Fundamental Right

One of the most significant shifts in Bill C-36: Canada’s Biggest Privacy Reform is the legislative recognition of privacy as a fundamental right. Bill C-27 was widely criticised for framing privacy as secondary to commercial interests. The PPCDA corrects this by placing individual privacy at the centre of the regulatory framework. This change in legal positioning carries weight. It influences how courts and regulators interpret and enforce the law when balancing user consent against business needs.

What the PPCDA Replaces

If passed, the PPCDA would replace Part 1 of PIPEDA entirely. PIPEDA’s remaining parts, which deal with electronic documents, would continue to apply. The PPCDA also builds on the Consumer Privacy Protection Act (CPPA) proposed under Bill C-27 but introduces notable updates, particularly around enforcement and regulatory oversight.

Key Provisions of Bill C-36

The bill introduces a wide range of new requirements that affect how organisations handle personal information at every stage.

Strengthened Consent Requirements

Organisations must obtain valid, informed consent before collecting, using, or disclosing personal information. Express consent is the default standard. Implied consent may apply only where it is appropriate based on the sensitivity of the information and the individual’s reasonable expectations. 

 

To obtain valid user consent, organisations must provide plain-language explanations covering the purpose of collection, the manner of use or disclosure, foreseeable consequences, the specific type of personal information involved, and the names of any third parties who may receive it. This goes well beyond what PIPEDA currently requires, aligning more closely with global standards like those in the GDPR.

Individual Rights: Deletion, Access, and Portability

Individuals gain the right to request that organisations permanently and irreversibly delete or anonymise their personal information, subject to certain exceptions. They also retain the right to access their data and request corrections. These expanded rights give Canadians meaningful control over their sensitive personal information.

Legitimate Interest Exception

The PPCDA includes a legitimate interest exception similar to Article 6(1)(f) of the EU’s GDPR. Organisations may collect, use, or disclose personal information without consent if they have a legitimate interest that outweighs any potential adverse effect on the individual. However, before relying on this exception, organisations must identify and record the legitimate interest, conduct a privacy impact assessment, take reasonable steps to mitigate risks, and comply with any prescribed requirements. This is not a blanket exemption. It requires documented justification.

Children's Data Protection Under Bill C-36

Protecting younger users is one of the clearest priorities within Bill C-36: Canada’s Biggest Privacy Reform.

Children's Information Classified as Sensitive

The PPCDA defines a child as any individual under 18 years of age. All personal information belonging to children is automatically classified as sensitive information under the act. This classification triggers higher standards for collection, use, and disclosure. Organisations cannot treat children’s data with the same level of flexibility they might apply to general consumer data.

Best Interests of the Child Standard

The bill requires the Commissioner to consider the best interests of children when exercising any powers or performing any duties under the act. This principle ensures that regulatory decisions consistently prioritise the welfare of younger individuals. It also sends a clear signal to organisations that handle children’s data, including social media platforms, educational technology providers, and gaming companies.

Practical Impact on Organisations

Businesses that collect data from users who may be under 18 will need to implement age-verification mechanisms, apply heightened consent standards, and ensure their privacy management programmes specifically address children’s data. Failure to meet these requirements could result in significantly higher penalties, given the sensitive classification.

Enforcement Framework and Penalties

The enforcement model under Bill C-36 is fundamentally different from what exists under PIPEDA today.

The Digital Safety and Data Protection Commission

Bill C-36 creates the Digital Safety and Data Protection Commission of Canada, a new regulatory body that replaces the enforcement role previously held by the OPC for private-sector matters. The Commission includes a dedicated Privacy and Consumer Data Commissioner and a specialised Privacy and Consumer Data Division. 

 

It has the power to issue binding orders, impose administrative monetary penalties, and conduct audits. This effectively consolidates functions that Bill C-27 had proposed splitting across three separate bodies, including a separate tribunal.

Administrative Monetary Penalties

The PPCDA introduces administrative monetary penalties (AMPs) of up to the higher of CAD 10 million or 3% of an organisation’s gross global revenue. These penalties apply to a broad range of contraventions under the Act. For organisations operating at scale, the revenue-based calculation could produce penalties far exceeding the fixed cap.

Criminal Offences and Higher Fines

For knowing contraventions of certain provisions, the bill provides for criminal offences. On indictment, fines can reach up to the higher of CAD 25 million or 5% of gross global revenue. On summary conviction, penalties can go up to CAD 20 million or 4% of gross global revenue. These figures put Bill C-36 in the same league as the GDPR’s enforcement framework.

Private Right of Action

Individuals gain the ability to bring civil claims for damages caused by an organisation’s contravention of the Act. This private right of action is subject to statutory preconditions but represents a major departure from PIPEDA, under which individuals generally could not pursue direct civil claims. It creates an additional layer of accountability beyond regulatory enforcement.

Mandatory Privacy Management Programmes

Organisations must build and maintain documented frameworks that demonstrate ongoing compliance with the new rules.

What Must Be Documented

Every organisation subject to the PPCDA must implement a privacy management programme that includes documented policies, practices, and procedures. These must cover how personal information is protected, how complaints and data access requests are handled, how staff are trained, and what explanatory materials are provided to individuals. The programme must be scaled to the volume and sensitivity of the personal information the organisation handles.

Regulator Access on Request

The Commission can request access to an organisation’s privacy management programme at any time. This means compliance cannot be a paper exercise. Organisations must be prepared to demonstrate that their documented policies are actively implemented and regularly updated. This requirement creates a strong incentive for ongoing investment in data governance infrastructure.

Alignment With Global Best Practices

The mandatory programme requirement mirrors similar obligations under the GDPR and other modern privacy frameworks. Organisations already subject to GDPR compliance requirements may find significant overlap, but Canadian-specific adaptations will be necessary.

Cross-Border Data Transfers

Bill C-36 introduces explicit rules for moving personal information outside Canada’s borders.

Privacy Impact Assessment Before Transfer

Organisations must conduct a privacy impact assessment before disclosing or transferring personal information outside Canada. This assessment must identify and mitigate any privacy risks associated with the transfer. While sending data abroad remains permitted, the transferring organisation retains full accountability for ensuring equivalent protection.

Accountability Across the Service Provider Chain

The obligation to protect personal information does not end with the initial transfer. Under the PPCDA, accountability runs through the entire service provider chain. If a Canadian organisation shares data with a processor in another jurisdiction, the Canadian organisation remains responsible for ensuring that the data receives a comparable level of protection throughout its lifecycle.

Implications for Global Operations

Multinational businesses operating in Canada will need to review their data-sharing agreements, vendor contracts, and internal transfer mechanisms. This provision aligns Canada’s approach more closely with GDPR-style adequacy and safeguard requirements, though the specific mechanics may differ.

Automated Decision-Making Obligations

The PPCDA addresses the growing use of AI and algorithmic tools in business decisions that affect individuals.

Broad Definition of Automated Decision Systems

The bill defines automated decision systems broadly. It covers rules-based systems, regression analysis, predictive analytics, machine learning, deep learning, and neural networks. Any tool that uses these technologies to assist or replace human judgement falls within scope.

Disclosure and Explanation Requirements

Organisations must disclose, in general terms, when they use automated systems to make predictions, recommendations, or decisions about individuals that could have a legal or significant effect. Individuals also gain the right to obtain explanations about how these systems reached their conclusions and the ability to challenge those decisions. This transparency requirement is particularly relevant for organisations using AI in hiring, credit decisions, insurance underwriting, and similar high-impact areas. 

 

Understanding the intersection of EU AI Act requirements and Canadian obligations will be essential for global compliance planning.

No Standalone AI Legislation in This Bill

Unlike Bill C-27, which included the Artificial Intelligence and Data Act (AIDA) as Part 3, Bill C-36 does not contain standalone AI regulation. The automated decision-making provisions are embedded within the broader privacy framework rather than treated as a separate regulatory regime.

De-identification and Anonymisation Standards

Bill C-36 draws a clear legal distinction between de-identified and anonymised data, removing ambiguity that existed under PIPEDA.

De-identified Information Remains Regulated

De-identified information is personal information that has been modified so that an individual cannot be directly identified from it. However, because some risk of re-identification remains, the PPCDA treats de-identified information as personal information. Organisations cannot use de-identification as a shortcut to escape regulatory obligations.

Anonymised Information Falls Outside the Scope

Anonymised information, by contrast, is personal information that has been irreversibly and permanently modified so that there is no reasonably foreseeable risk of re-identification. Only truly anonymised data falls outside the scope of the act. This distinction matters for data analytics, research, and secondary use cases where organisations may attempt to rely on modified datasets.

Operational Considerations

Organisations must evaluate whether their current data processing practices genuinely achieve anonymisation or merely de-identification. Getting this classification wrong could expose them to enforcement action under the new framework.

How Bill C-36 Compares to Bill C-27 and GDPR

Understanding where Bill C-36 sits relative to its predecessor and international standards helps organisations plan their compliance approach.

Key Differences From Bill C-27

  • Enforcement structure: Bill C-27 proposed a separate Personal Information and Data Protection Tribunal. Bill C-36 consolidates enforcement under the Digital Safety and Data Protection Commission.
  • Privacy status: Bill C-27 faced criticism for subordinating privacy to commercial interests. Bill C-36 legislatively recognises privacy as a fundamental right.
  • AI regulation: Bill C-27 bundled AI regulation (AIDA) into the same bill. Bill C-36 removes AI legislation entirely, addressing it through separate channels.
  • Regulatory body: Under Bill C-27, the OPC retained private-sector jurisdiction. Under Bill C-36, private-sector oversight transfers to the new Commission.

Alignment With GDPR

Bill C-36 brings Canada substantially closer to GDPR standards. The legitimate interest exception, children’s data protections, consent requirements, and enforcement penalty structure all mirror GDPR principles. However, the specific mechanics differ. Canada’s framework uses a commission-based enforcement model rather than national data protection authorities.

 

Organisations already managing GDPR and CCPA compliance will find familiar territory in the PPCDA, though Canadian-specific requirements demand dedicated attention.

Implications for Cross-Border Compliance

For organisations operating across multiple jurisdictions, Bill C-36 may simplify certain aspects of cross-border compliance by aligning Canadian standards more closely with European ones. However, it also adds another layer of regulatory obligations that must be tracked, documented, and maintained alongside existing frameworks.

What Organisations Should Do Now

Even though Bill C-36 must still pass through second reading and committee study, organisations should begin preparing early.

Conduct a Data Mapping Exercise

Identify what personal information your organisation collects, where it is stored, how it flows across systems, and which third parties receive it. This forms the foundation for compliance with nearly every provision of the PPCDA.

Review and Update Consent Mechanisms

Evaluate whether your current consent processes meet the enhanced plain-language and express consent requirements. Organisations relying heavily on implied consent should assess where that approach may no longer be appropriate. A robust consent management platform can streamline this process and reduce compliance gaps.

Build or Strengthen Privacy Management Programmes

Start documenting your privacy policies, complaint-handling procedures, training programmes, and data protection practices now. The PPCDA requires these programmes to be scaled to your data volumes and sensitivity levels. Early investment reduces the risk of scrambling when the law takes effect. Consider how tools like GDPR staff training resources can support your programme development.

Current Legislative Status of Bill C-36

Bill C-36: Canada’s Biggest Privacy Reform is still in the early stages of the legislative process.

First Reading and Parliamentary Timeline

The bill received its first reading on 15 June 2026. Parliament rose for the summer recess on 18 June 2026, with regular sittings scheduled to resume on 21 September 2026. Bill C-36 is expected to begin second reading in the autumn session.

Committee Study and Amendments

After the second reading, the bill will proceed to committee study, where detailed scrutiny and amendments are likely. Given that this is Canada’s third attempt at privacy reform in six years, there is strong political motivation to advance the legislation. However, the committee process may introduce changes based on industry feedback and stakeholder consultations.

Timeline to Royal Assent

There is no confirmed date for when Bill C-36 might receive Royal Assent and become law. The legislative process includes second reading, committee study, third reading, Senate review, and Royal Assent. Organisations should treat the bill as a strong signal of the regulatory direction and begin preparing accordingly.

Final Thoughts

Bill C-36: Canada’s Biggest Privacy Reform marks a decisive shift in how Canada approaches data protection. By recognising privacy as a fundamental right, introducing serious enforcement penalties, and creating a dedicated regulatory commission, the PPCDA sets a new standard for private-sector accountability. Organisations that begin preparing now will be best positioned to meet these requirements when the law takes effect.

Get Ready for Canada's Privacy Reform with Seers Ai

Bill C-36 demands stronger consent handling, documented privacy programmes, and transparent data practices. Seers helps organisations build compliant foundations with automated cookie consent management and privacy tools designed for global regulatory standards.

START FREE TODAY

Frequently Asked Questions (FAQs)

What is Bill C-36 and what does it propose?

Bill C-36 proposes to enact the Protecting Privacy and Consumer Data Act (PPCDA), which would replace Part 1 of PIPEDA. It modernises Canada’s private-sector privacy framework by strengthening consent requirements, introducing individual rights like data deletion, creating a new regulatory commission, and establishing significant financial penalties for non-compliance.

When was Bill C-36 introduced in Parliament?

The bill received its first reading on 15 June 2026. Parliament adjourned for the summer shortly after, with sittings scheduled to resume in September 2026. Second reading and committee study are expected to follow during the autumn parliamentary session, though no specific dates have been confirmed for those stages.

How does Bill C-36 differ from Bill C-27?

Bill C-36 consolidates enforcement under a single Digital Safety and Data Protection Commission, whereas Bill C-27 proposed a separate tribunal. Bill C-36 also removes standalone AI legislation (AIDA), recognises privacy as a fundamental right rather than subordinating it to commercial interests, and transfers private-sector oversight from the OPC to the new Commission.

What penalties does Bill C-36 introduce for non-compliance?

Administrative monetary penalties can reach up to CAD 10 million or 3% of gross global revenue, whichever is higher. Criminal offences carry fines of up to CAD 25 million or 5% of gross global revenue on indictment. The bill also introduces a private right of action, allowing individuals to pursue civil claims for damages resulting from contraventions.

Does Bill C-36 apply to children's personal information?

The PPCDA classifies all personal information belonging to individuals under 18 as sensitive information. This triggers higher consent standards, additional safeguards, and stricter obligations for organisations that collect or process children’s data. The Commissioner must also consider the best interests of children when exercising regulatory powers.

What is the legitimate interest exception under the PPCDA?

Organisations may collect, use, or disclose personal information without consent if they have a legitimate interest that outweighs adverse effects on the individual. Before relying on this exception, they must document the interest, conduct a privacy impact assessment, mitigate identified risks, and comply with any additional prescribed requirements. It is not a broad exemption.

How does Bill C-36 address cross-border data transfers?

Organisations must conduct a privacy impact assessment before transferring personal information outside Canada. The transferring organisation remains accountable for ensuring equivalent protection throughout the service provider chain, regardless of where the data is processed or stored. This aligns Canada’s approach more closely with international standards.

What are the automated decision-making requirements?

Organisations using automated systems for predictions, recommendations, or decisions with legal or significant effects on individuals must disclose that use. Individuals can request explanations of how the system reached its conclusions and challenge the decisions. The definition covers machine learning, predictive analytics, neural networks, and rule-based systems.

What is the difference between de-identified and anonymised data under the PPCDA?

De-identified data have been modified so individuals cannot be directly identified, but re-identification risk remains. It is still treated as personal information under the act. Anonymised data has been irreversibly modified with no reasonably foreseeable risk of re-identification. Only anonymised data falls outside the PPCDA’s scope.

Should organisations start preparing for Bill C-36 now?

Preparation is strongly recommended even though the bill has not yet been enacted. Organisations should conduct data mapping exercises, review consent mechanisms, document privacy management programmes, and assess their cross-border data transfer practices. Early preparation reduces the risk of non-compliance when the law takes effect and helps avoid reactive scrambling.

 

Rimsha Zafar

Rimsha is a Senior Content Writer at Seers AI with over 5 years of experience in advanced technologies and AI-driven tools. Her expertise as a research analyst shapes clear, thoughtful insights into responsible data use, trust, and future-facing technologies.

ORCIDResearchGateGoogle ScholarLinkedIn 

Unlock Accurate Insights with Google Consent Mode v2

Is Your Website at Risk of Losing Conversions?


Take our Free Cookie Audit and find out

Ready to Build Trust and Drive Business Growth?

Join 50,000+ websites using Seers.Ai to turn compliance into trust, insights, & measurable business growth.