Canada's New Privacy Law Is Coming. Here's What Bill C-36 Means for Your Business.

Canada is getting ready to swap out the old privacy law we've all been working under for the past 25 years. On June 15, the federal government tabled Bill C-36, which would bring in the Protecting Privacy and Consumer Data Act, or PPCDA. It would replace the privacy sections of PIPEDA, the law that's governed how businesses collect and use personal information since 2001.
The bill hasn't become law yet. Second reading is expected this fall, and the details can still change. But this is the government's third run at privacy reform after two earlier bills died on the order paper, and it landed the same month as a national AI strategy and new online safety legislation. So I wouldn't bet on this one dying quietly.
One thing before we get into it. I'm not a lawyer and none of this is legal advice. It's a practitioner's read on a proposed bill. For decisions about your legal obligations, talk to counsel.
What is Bill C-36? The plain-language version
Bill C-36 is proposed federal legislation, introduced June 15, 2026, that would enact the Protecting Privacy and Consumer Data Act and replace the privacy provisions of PIPEDA. It brings fines of up to $25 million or 5% of global revenue, stricter consent requirements, new individual rights, and a new federal privacy regulator.
Eight things Bill C-36 would change
Here's the short list that matters if you collect or use customer data in Canada.
There will be steep penalties. Fines run up to $10 million or 3% of global revenue, whichever is higher, and up to $25 million or 5% for the most serious offences. Directors and officers can face personal liability too. These are numbers that get a board's attention.
Consent gets more specific. You'd have to spell out what you collect, why, how, what could reasonably come of it, and name the third parties, or types of third parties, the data goes to. All in plain language, before you collect it. If your consent banner doesn't mention your ad platforms today, that's a gap.
Kids' data gets a hard upgrade. Children's personal information would be treated as sensitive by default, and the regulator has to weigh the best interests of children in its decisions. If minors are in your audience, or you can't rule that out, your profiling, targeting, and consent flows for those users need a separate look.
Anyone affected can sue. The new act adds a private right of action, so individuals affected by a contravention can bring their own claims. California shows where that leads. Its privacy law lets residents sue directly, and I sat in on a webinar where one law firm described making over half a billion dollars on CCPA claims. This bill would open that door across Canada.
Your privacy program becomes a document you hand over. A documented privacy management program becomes mandatory, and the regulator can ask for it at any time. For organizations that have treated privacy as an informal exercise, that approach is over.
People get a right to deletion. Individuals can require you to dispose of their personal information, which covers both deletion and anonymization.
De-identified isn't exempt. Only fully anonymized data falls outside the act. Hashing an email address doesn't take you out of scope. A lot of what analytics teams work with every day lives in this category.
Cross-border transfers need a privacy impact assessment. Before personal information leaves Canada, you'd need to assess and mitigate the risks, and the regulator can ask to see that work.
Oversight also moves from the Office of the Privacy Commissioner to a new body, the Digital Safety and Data Protection Commission of Canada.
| PIPEDA today | PPCDA as proposed | |
|---|---|---|
| Maximum penalty | No direct fining power | $10M or 3% of global revenue, $25M or 5% for offences |
| Regulator | Office of the Privacy Commissioner | Digital Safety and Data Protection Commission of Canada |
| Consent standard | Purpose-based, principles-driven | Specific disclosures in plain language, third parties named |
| Deletion | Implied through consent withdrawal | Explicit right to disposal |
| Children's data | No special category | Sensitive by default |
| Individual lawsuits | Limited, after the OPC process | Private right of action |
Canada's regulator can't fine anyone. Bill C-36 aims to fix that.
In 2022, the federal privacy commissioner and three provincial counterparts found that the Tim Hortons app tracked users' locations for advertising even when the app was closed, without adequate consent. Under PIPEDA, the commissioners had no power to issue a fine. The only money that moved came from class action settlements. Each affected user got a free hot drink and a baked good, worth $8.68 according to the court filings. That type of math is exactly what Bill C-36 rewrites. The same finding under the PPCDA sits in penalty territory of up to $10 million or 3% of global revenue, with individual lawsuits on top.
Other regulators already work this way. California's attorney general settled with Healthline for $1.55 million in 2025, the largest penalty under the CCPA so far. Healthline is the one worth remembering, because they actually had an opt-out. Their consent banner just didn't do anything and was just purely cosmetic. Unchecking the box didn't disable the tracking cookies, and data kept flowing to advertisers after people said no.
Europe plays it the same way. France's regulator fined Google and Facebook a combined 210 million euros because refusing cookies on their sites took more clicks than accepting them.
Kris Klein, the IAPP's Country Leader for Canada, called the enforcement change the biggest news in the bill.
"[A] new enforcement agency that completely re-writes the model of enforcement for privacy."
— Kris Klein, IAPP Country Leader for Canada
Nobody in those cases got in trouble for lacking a privacy policy. They got in trouble because the consent mechanics didn't do what they appeared to do, and a demand letter is usually how you find out. Someone outside the company telling you they think they can show a court something, with a dollar figure attached. There's a foam pillow manufacturer in my town, a mid-size company that's been at it for over 30 years. I was surprised to see a consent banner on their site, so I asked the owner about it. He told me they'd been served a demand letter from California. Large or small, it does not matter. Prevention is always cheaper.
What I'd do now
Consent management isn't typically the most glamorous corner of data work. But I love it anyway, and this is the type of moment where I like to shine.
If you've been keeping your data practices current, a lot of this bill will feel familiar. Klein made the same point, that most organizations will find many of the provisions line up with how they already operate. So you're not starting from zero. It’s more about finding your gaps.
In my experience the gaps tend to cluster in three places. Consent mechanics that look right cosmetically but don't hold up when you actually test them. Third-party disclosure lists that haven't kept pace with what's actually firing in the tag manager. And documentation that lives in people's heads instead of somewhere you could hand to a regulator.
Your legal counsel owns the policies and the legal positions. If you don't have counsel in this space, find a firm that lives in it. I've had a lot of success with Womble Bond Dickinson and couldn't say enough good things about them. What my team builds is the proof underneath the legal work, the consent records, the tag governance, and the monitoring that shows your setup actually honours the choices people make. Our Sentinel Insights platform watches consent signals continuously, so a misconfigured banner gets caught early.
The first practical step is a consent scan. It checks whether you have a consent management platform, then tests whether tracking actually stops when someone says no, on the click after they change their preferences, and again when they reload or move to another page. You get back a list of the technologies that fail, ranked by risk, with marketing tags at the top because those are the ones that draw the lawsuits. It takes minutes, not weeks.
There's a bigger reason to care than the fines. Privacy is becoming a differentiator on its own. Shoppers notice when a site offers no choices about data collection, and everyone knows the creep factor, you mention an underwater basket weaving trip in the Caribbean once, and a day later your phone is pitching you Caribbean vacations. That feeling costs brands trust whether or not a regulator ever calls. Handled well, consent tells your customers you run a tight ship.
My advice is don't try to boil the ocean. You don't need to rebuild your whole stack before second reading. Start by finding out where you actually stand, and sequence the fixes while there's still runway. The longer you wait, the fewer options you'll have.
If you want to get ahead of Bill C-36, request a consent scan. We'll show you what's working, what isn't, and what to fix first.
Common questions about Bill C-36
What is Bill C-36?
Bill C-36 is proposed federal legislation that would enact the Protecting Privacy and Consumer Data Act (PPCDA), replacing the privacy provisions of PIPEDA. It was introduced in the House of Commons on June 15, 2026.
What are the penalties under Bill C-36?
Administrative penalties reach the greater of $10 million or 3% of global gross revenue. The most serious offences carry fines up to the greater of $25 million or 5%, plus potential personal liability for directors and officers.
When does the PPCDA take effect?
It isn't law yet. Second reading is expected in fall 2026, and the bill could be amended along the way. Even after passage, a transition period is expected while the new regulator is established.
Does Bill C-36 require a privacy management program?
Yes, as drafted. Every organization would need to maintain a documented privacy management program and provide it to the regulator on request.
How does Bill C-36 protect children's data?
Children's personal information would be treated as sensitive by default, with a higher standard of care, and the regulator must consider the best interests of children in its decisions.
This article is for general information only and does not constitute legal advice. Consult qualified legal counsel about your obligations.
Stay informed, sign up for our newsletter.