Bill C-36 and Canadian Privacy Reform

On June 15, 2026, the federal government introduced Bill C-36 to modernize Canada’s federal private sector privacy laws and continue the implementation of Canada's National Artificial Intelligence Strategy: AI for All.

Bill C-36, An Act to enact the Protecting Privacy and Consumer Data Act (PPCDA), to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) and to make amendments to other Acts, will repeal the current federal private sector privacy regime under PIPEDA and replace it with the PPCDA.  

The proposed changes are significant. For businesses, the PPCDA will impact more than their privacy policies. It will affect commercial contracting, M&A agreements and diligence, cross-border data transfers, AI governance, records retention, customer-facing transparency and enterprise risk management. The following are five key themes to watch as Bill C-36 advances through the legislative process.

1. Legislative Architecture: A New Standalone Act and Privacy as a Fundamental Right

The PPCDA will be a new standalone statute for private-sector use of personal information in commercial activities. Bill C-36 will separate the privacy and electronic documents parts of PIPEDA, repealing Part 1 of PIPEDA (privacy), and rename the remainder (electronic documents) the Electronic Documents Act.

The PPCDA will formally recognize privacy as a fundamental right. That phrase may sound abstract, but it has practical consequences. It signals that privacy rights will be afforded greater deference than previously, and as a result should be considered at the front end of business decisions, not after a product, campaign or data-sharing arrangement is already in motion.  PPCDA will also introduce a private right of action for individuals affected by an organization's contravention of the PPCDA.

2. Introduction of a New Regulator

Bill C-36 will move private-sector privacy oversight to the Digital Safety and Data Protection Commission of Canada. The model includes a five-member Commission and a designated Privacy and Consumer Data Commissioner. The Commission will administer the PPCDA and will also have responsibility for the proposed Digital Safety Act (Bill C-34).

Unlike the current PIPEDA model, where the Office of the Privacy Commissioner of Canada investigates and seeks resolution, the new Commission will have binding order-making authority and authority to administer significant monetary penalties of up to C$10 million or 3% of global revenue, whichever is greater.

Organizations should expect privacy issues to be assessed alongside digital safety, AI, consumer protection, competition, telecommunications and platform accountability. This matters for regulated sectors, infrastructure projects using connected devices, consumer platforms, financial services, retail, transportation, energy and data-intensive businesses.

3. Consent

Consent remains the default basis for collecting, using or disclosing personal information unless the PPCDA provides otherwise. Bill C-36 is more prescriptive than PIPEDA: valid consent will require plain-language disclosure of the purposes, methods, reasonably foreseeable consequences, types of information and third-party recipients.

The PPCDA will also sharpen the distinction between express and implied consent, invalidate consent obtained through false, misleading or deceptive practices, and preserve an individual’s ability to withdraw consent on reasonable notice. PIPEDA already requires meaningful consent, but the PPCDA will make the disclosure requirements more concrete.

4. Disposal, Automated Decisions, Children’s Data and Surveillance Pricing

The PPCDA will expand individual control beyond PIPEDA’s access-and-correction model. It will add a right to request disposal of personal information where, for example, the information was handled in contravention of the PPCDA, consent has been withdrawn or the information is no longer necessary for the product or service requested. "Dispose" has been defined to mean "permanently and irreversibly delete personal information or to anonymize it." This will require organizations to know where personal information is stored, who has access to it, how long it is kept and which vendors hold it, and to have sufficient controls to delete (or anonymize) same across systems and service providers.

Bill C-36 also creates clearer transparency obligations for automated decision systems, including those that make predictions, recommendations or decisions about individuals. Where an automated decision has a legal or similarly significant effect, the individual may request an explanation of the prediction, recommendation or decision. Organizations using AI or automated tools for pricing, hiring, credit, customer service, fraud detection, marketing or risk scoring should be ready to explain what the tool does and what personal information it uses.

The proposed changes surrounding children’s personal information and surveillance pricing also deserve particular attention. Bill C-36 defines a "child" as an individual under 18 years of age, and the government has stated that organizations will be held to a higher standard when handling personal information pertaining to children. The bill also directs attention to unfair uses of personal information, including inappropriate surveillance pricing. Organizations that use personalized pricing, loyalty analytics, targeted advertising, age assurance or child-facing services should consider documenting and reviewing those practices now.

5. Movement of Data: Transborder Disclosure and Cross-Border Data Flows

Bill C-36 will require organizations to make cross-border transfers more explicit and more document-driven. Before disclosing or transferring personal information outside of Canada, an organization will need to complete a privacy impact assessment and implement risk-mitigation measures, which will now include approved codes or certifications on top of contractual protections.

The Commission will be able to request a copy the privacy impact assessment, and organizations will need to disclose whether they transfer or disclose personal information interprovincially or outside Canada where there are reasonably foreseeable privacy implications.

Looking to the Future

Bill C-36 has just been introduced into Parliament, and details may change before it becomes law. Nevertheless, the direction is clear: Canadian privacy compliance is moving toward stronger rights, more active and consequential enforcement, and greater expectations for organizations that handle personal information.

Organizations should use this window to begin readiness planning. Practical first steps include:

• mapping personal information across the organization and jurisdictions;
• reviewing privacy notices and consent processes;
• assessing vendor and service-provider contracts;
• identifying AI and automated decision tools;
• updating retention and deletion practices; and
• ensuring senior leadership understands the potential enforcement exposure.

If you have any questions about how Bill C-36 may affect your organization, the Bennett Jones Privacy & Data Protection group is available to assist.