Jun 29, 2026 · 9 min read
Canada's Bill C-36 Replaces PIPEDA With $10M Fines
The Protecting Privacy and Consumer Data Act is the most significant overhaul of Canadian private sector privacy law in over two decades — and organizations handling Canadians' data have a lot to prepare for.
Canada's privacy law was born in 2000, when streaming video meant waiting forty minutes for a two minute clip and "the cloud" was something meteorologists tracked. PIPEDA has governed how private sector organizations collect, use, and disclose personal information for 25 years — through the smartphone era, the social media era, and now the AI era — without any fundamental structural reform. On June 15, 2026, Minister of Artificial Intelligence and Digital Innovation Evan Solomon introduced Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), Canada's third attempt at a comprehensive overhaul — and the one with the sharpest teeth yet.
Key Takeaways
- Bill C-36 received first reading on June 15, 2026, and proposes replacing Part 1 of PIPEDA — Canada's 25-year old federal private sector privacy law — with the new Protecting Privacy and Consumer Data Act.
- The Digital Safety and Data Protection Commission of Canada will replace the Office of the Privacy Commissioner for private sector enforcement, with binding order making authority and administrative penalties up to CAD $10 million or 3% of global annual revenue.
- The most serious offences carry fines up to CAD $25 million or 5% of global annual revenue — placing Canada squarely in GDPR scale enforcement territory.
- Organizations must now disclose, upon request, how automated decision systems use personal information to make predictions or recommendations that have a significant effect on individuals.
- Children's personal information is classified as sensitive by default, triggering heightened protections across the entire PPCDA framework — not just in specific child facing contexts.
Why Did PIPEDA Need Replacing?
PIPEDA's enforcement model was built on recommendations, not orders. The Privacy Commissioner of Canada could investigate complaints and issue findings, but could not directly fine organizations or compel compliance. That structure made sense in 2000, when the privacy threat landscape was largely theoretical. By 2026, four Canadian privacy regulators had ruled that OpenAI violated five privacy laws to train ChatGPT — and the enforcement outcome was still a set of nonbinding recommendations. The gap between the scale of modern data practices and PIPEDA's remedial toolkit had become impossible to ignore.
Bill C-36 is, as McCarthy Tétrault described it, "the most consequential proposed reform of Canada's private sector privacy law in more than 20 years." It is also the third time the federal government has attempted this reform — Bills C-11 and C-27 both died on the order paper. The minority Parliament dynamic means C-36 faces real legislative risk, but the government's political appetite and international pressure from GDPR aligned trading partners make passage more likely than previous attempts.
What Is the Digital Safety and Data Protection Commission?
The Digital Safety and Data Protection Commission of Canada is the new enforcement body that replaces the Privacy Commissioner's private sector role. It consolidates investigative authority, order making power, and penalty authority under one roof — eliminating the multi step tribunal process that previously slowed enforcement. The Office of the Privacy Commissioner retains oversight of the public sector Privacy Act.
The Commission's penalty framework is significant. Administrative monetary penalties reach the greater of CAD $10 million or 3% of global annual revenue for standard contraventions. For the most serious offences, penalties climb to CAD $25 million or 5% of global revenue. That second tier puts Canada in the same bracket as GDPR enforcement, which has accumulated over €7.1 billion in fines since 2018. A private right of action for damages also applies following a finding of contravention — a provision that did not exist under PIPEDA and that opens organizations to civil litigation exposure on top of regulatory penalties.
What Do the Consent and Transparency Changes Actually Require?
PIPEDA allowed implied consent in many circumstances. The PPCDA shifts the default: express consent is now the baseline. Organizations must obtain consent in plain language, without bundling privacy terms into broader agreements, and without using deceptive or confusing design patterns. Consent can still be implied where it aligns with reasonable expectations and the sensitivity of the data, but organizations need documented justification for that choice.
The shift to process driven compliance is the deeper structural change. Under PIPEDA, many organizations could demonstrate good faith through general policies. The PPCDA requires a formal privacy management program — documented, scaled to data sensitivity, and available to the Commission on request. Privacy impact assessments become mandatory before cross border data transfers and legitimate interest processing. Deidentification practices carry compliance obligations, with explicit prohibitions on reidentification. The legitimate interest exception (Section 18(3) of the draft) introduces a GDPR style balancing test with documentation requirements that will be familiar to European compliance teams but new to most Canadian organizations.
How Does Automated Decision Making Transparency Work?
The PPCDA expressly defines automated decision systems as tools that use AI, machine learning, or predictive analytics to assist or replace human judgment. Any system that makes a prediction, recommendation, or decision with a "legal or similarly significant effect" on an individual triggers transparency obligations. When an individual requests an explanation, the organization must provide meaningful information — in plain language — about how their personal information was used in reaching that outcome.
This threshold mirrors GDPR Article 22 more closely than the broader language in the failed Bill C-27, which drew criticism for vagueness. The practical compliance burden is significant: organizations using automated credit scoring, hiring tools, fraud detection, or personalized pricing systems will need to build explanation pipelines and audit trails they currently lack. Surveillance pricing — using personal data to charge different consumers different prices for the same product — is explicitly addressed as a potentially unfair data practice. This is a provision with no PIPEDA precedent.
The automated decision provisions intersect with a broader legislative shift. The same week C-36 was introduced, Illinois, Connecticut, and New York passed four AI privacy laws with similar automated decision transparency requirements — a sign that the accountability for algorithms framework is becoming standard across North American jurisdictions, not just Europe.
Why Email and Marketing Teams Should Care
Marketing and communications data sits at the intersection of almost every major PPCDA obligation. Email marketing lists, behavioral segmentation, and personalized send time optimization all involve collecting, using, and disclosing personal information — the exact activities the new consent regime governs. The anti bundling rule alone will force changes to how many organizations embed email marketing consent into account registration flows. The plain language requirement means privacy notices buried in terms of service no longer satisfy the law.
Data deletion rights are another direct concern. The PPCDA gives individuals the right to request deletion of their personal information in specified circumstances. For email marketing platforms handling Canadians' data, that means operationalizing deletion requests across mailing lists, behavioral databases, and third party tools — not just unsubscribing someone from a list. Organizations already aligned with GDPR deletion workflows have a head start; those operating PIPEDA only stacks face significant retooling.
Surveillance pricing provisions also have a direct digital marketing angle. Using purchase history, location data, or behavioral signals to charge individual consumers higher prices than others — a practice increasingly common in dynamic pricing systems — is explicitly flagged as a potentially unfair data use. The Commission will have authority to investigate and penalize such practices. For organizations that profile users across email and web behavior to drive personalized pricing, that is a compliance exposure that did not exist under PIPEDA.
What Is the Timeline for Compliance?
Bill C-36 is at first reading. It still requires second reading, committee study, third reading, full Senate passage, and royal assent before it becomes law. A mandatory five year parliamentary review is built into the legislation. Enactment is also contingent on the commencement of Bill C-34, the Safe Social Media Act — a legislative dependency that adds uncertainty to the timeline. The government has indicated openness to amendments during summer consultations, and Privacy Commissioner Philippe Dufresne welcomed the bill's stronger enforcement powers while signaling interest in further refinements.
Critically, substantial compliance detail is deferred to regulations that will be drafted after royal assent. Organizations will not know the full scope of their obligations — particularly around automated decision system disclosures and privacy management program requirements — until those regulations publish. That makes now the right time to conduct a gap analysis against the PPCDA's known requirements, not to wait for regulatory certainty. Organizations that treated GDPR readiness as a project completed in 2018 and never revisited it have the most ground to cover.
Canada is not operating in isolation here. The same week C-36 was tabled, the US SECURE Data Act introduced federal privacy preemption language that could reshape how cross border data flows between Canada and the United States are governed. Organizations that operate in both markets need to track both bills simultaneously — the compliance burdens will interact.
What Should Organizations Do Now?
The bill's structure is clear enough to act on before regulations arrive. Start with a data inventory scoped to personal information from Canadian residents: what you collect, why, how long you keep it, and what third parties receive it. Map that inventory against the PPCDA's core obligations — consent, transparency, deletion, and cross border transfer rules — and identify gaps.
- Audit your consent collection flows for PIPEDA era implied consent that will not survive the PPCDA's express consent default.
- Identify every automated system that affects individual outcomes — hiring, pricing, fraud detection, content ranking — and document how each uses personal data.
- Review your privacy notice against the plain language and anti bundling requirements; legal boilerplate will not satisfy the new standard.
- Build or update your data deletion pipeline to handle individual requests, not just opt outs from marketing lists.
- Assign board level ownership of the privacy management program the PPCDA requires — this is no longer an IT function or a legal checkbox.
PIPEDA's 25-year run ends not with a gradual transition but with a structural replacement that brings Canada into alignment with GDPR scale accountability. The Commission's order making power and the private right of action mean the cost of noncompliance is no longer a regulatory letter — it is a fine, a court judgment, or both. Organizations that start now will have the advantage when regulations fill in the remaining gaps.