# Privacy Legislation (Bill C-36) and its Relationship to PIPEDA

**Published on:** 2026-07-06T00:00:00.000Z

**Author:** Packetlabs

Canada's privacy landscape is undergoing its most significant transformation in more than two decades. In June 2026, the federal government introduced Bill C-36, legislation that would replace the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) with a new framework known as the [Protecting Privacy and Consumer Data Act (PPCDA)](https://www.canada.ca/en/innovation-science-economic-development/news/2026/06/government-of-canada-introduces-legislation-to-protect-canadians-privacy-in-the-digital-age.html).

For Canadian businesses, this proposed legislation represents a fundamental shift in how personal information is collected, used, disclosed, stored, and protected. It also introduces stronger enforcement mechanisms, increased penalties, enhanced consumer rights, and new compliance obligations.

While Bill C-36 has not yet become law and remains before Parliament, organizations should begin preparing now. If enacted, the legislation will significantly [reshape privacy compliance requirements across Canada.](https://www.parl.ca/legisinfo/en/bill/45-1/c-36)

This guide explains what Bill C-36 is, how it relates to PIPEDA, the major changes it introduces, and what organizations should do to prepare for Canada's evolving privacy framework.

## Understanding PIPEDA

Before examining Bill C-36, it is important to understand the role PIPEDA has played in Canada's privacy regime.

The [Personal Information Protection and Electronic Documents Act (PIPEDA)](https://www.packetlabs.net/posts/pipeda-one-year-later/) has governed the collection, use, and disclosure of personal information by private-sector organizations engaged in commercial activities since the early 2000s.

PIPEDA established core privacy principles such as:

*   Accountability
    
*   Consent
    
*   Limiting collection
    
*   Limiting use and disclosure
    
*   Safeguarding information
    
*   Openness and transparency
    
*   Individual access rights
    
*   Complaint mechanisms
    

For more than two decades, PIPEDA has served as Canada's primary federal private-sector privacy law.

However, the digital economy has changed dramatically since its introduction.

Today's organizations operate in an environment characterized by:

*   Cloud computing
    
*   Artificial intelligence
    
*   Big data analytics
    
*   Mobile applications
    
*   Internet-connected devices
    
*   Cross-border data transfers
    
*   Automated decision-making systems
    

Many privacy experts, regulators, and policymakers have argued that [PIPEDA no longer adequately addresses modern privacy risks.](https://www.packetlabs.net/posts/customers-personal-data/)

## What is Bill C-36?

Bill C-36, introduced on June 15, 2026, would enact the Protecting Privacy and Consumer Data Act (PPCDA) and substantially replace the privacy-related provisions currently found within PIPEDA.

The legislation is the federal government's third major attempt to modernize private-sector privacy law after earlier reform efforts through [Bills C-11 and C-27 failed to become law.](https://www.mccarthy.ca/en/insights/blogs/techlex/bill-c-36-what-organizations-need-to-know-about-canada-s-new-privacy-reform)

The government has stated that the objective of the PPCDA is to:

*   Strengthen consumer privacy rights
    
*   Modernize privacy protections
    
*   Address emerging technologies
    
*   Improve transparency
    
*   Enhance accountability
    
*   Increase enforcement capabilities
    
*   Support responsible innovation and data use
    

The proposed law seeks to balance privacy rights with the realities of a modern digital economy.

## Does Bill C-36 Replace PIPEDA?

The short answer is yes, at least for privacy compliance purposes.

If enacted, Bill C-36 would repeal **Part 1 of PIPEDA**, which currently governs private-sector privacy obligations. These provisions would be replaced by the PPCDA. The remaining portions of PIPEDA would continue under a renamed statute known as the [Electronic Documents Act](https://laws-lois.justice.gc.ca/eng/acts/p-8.6/).

This means:

Are**a**

**PIPEDA Today**

**Under Bill C-36**

Private-sector privacy rules

PIPEDA

PPCDA

Consent requirements

PIPEDA framework

Enhanced PPCDA framework

Enforcement

Privacy Commissioner

New regulator with expanded powers

Administrative penalties

Limited

Significantly increased

Privacy management programs

Limited expectations

Explicit requirements

Consumer rights

Existing rights

Expanded rights

For practical privacy compliance purposes, organizations should view Bill C-36 as a replacement for PIPEDA rather than a minor amendment.

## Why Canada is Modernizing Privacy Law

Several factors have driven privacy reform efforts.

### Rapid Growth of Personal Data Collection

Organizations now collect significantly more personal information than when [PIPEDA was first introduced](https://secureprivacy.ai/blog/what-is-pipeda).

Examples include:

*   Online behaviour data
    
*   Geolocation information
    
*   Biometric identifiers
    
*   Device telemetry
    
*   AI-generated profiles
    
*   Customer analytics
    

Modern legislation must address these evolving data practices.

### Artificial Intelligence and Automated Decision-Making

AI systems increasingly influence:

*   Hiring decisions
    
*   Insurance assessments
    
*   Credit approvals
    
*   Marketing activities
    
*   Customer service interactions
    

Bill C-36 includes provisions aimed at improving transparency surrounding automated decision-making processes.

### Global Privacy Expectations

Many jurisdictions have strengthened privacy protections in recent years.

Examples include:

*   GDPR in Europe
    
*   Quebec's Law 25
    
*   Multiple U.S. state privacy laws
    
*   Emerging international privacy frameworks
    

Canada's privacy modernization efforts seek to maintain international confidence in [Canadian privacy protections.](https://www.dlapiper.com/en-cl/insights/publications/2026/06/canada-tables-bill-c36-the-protecting-privacy-and-consumer-data-act?)

## Key Changes Introduced by Bill C-36

### Stronger Privacy Management Requirements

One of the most significant changes is the introduction of explicit privacy management program requirements.

Organizations may be required to establish and maintain documented privacy programs that demonstrate compliance with [privacy obligations.](https://www.civicsproject.org/regions/canada/bill/45/1/c-36)

These programs may include:

*   Privacy policies
    
*   Risk assessments
    
*   Employee training
    
*   Governance frameworks
    
*   Incident response procedures
    
*   Compliance monitoring
    

This represents a more proactive approach than many organizations currently take under PIPEDA.

### Enhanced Consent Requirements

Consent remains a cornerstone of Canadian privacy law.

However, Bill C-36 seeks to strengthen requirements around obtaining meaningful consent.

Organizations may need to provide information in clear, understandable language regarding:

*   What information is collected
    
*   Why it is collected
    
*   How it will be used
    
*   Potential disclosures
    
*   Associated risks
    

The goal is to improve transparency and [informed decision-making for individuals](https://www.cloudforces.ca/blog/bill-c36-canada-privacy-law-ppcda-guide-2026).

### Legitimate Interest Exceptions

Similar to certain international privacy frameworks, Bill C-36 introduces broader circumstances where organizations may process personal information without obtaining explicit consent.

These include specific "legitimate interest" and business activity provisions. However, organizations may need to demonstrate that such activities are appropriate, proportionate, and not unexpected by individuals.

This change may provide greater operational flexibility while still requiring accountability.

### Expanded Consumer Rights

The PPCDA proposes stronger rights for individuals regarding their personal information.

These rights may include:

*   Access rights
    
*   Correction rights
    
*   Data deletion rights
    
*   Enhanced transparency rights
    
*   Rights related to automated decisions
    

Some commentators have compared portions of these provisions to concepts found in the European GDPR.

### Greater Accountability for Organizations

Organizations would face increased obligations to demonstrate privacy compliance.

Regulators may expect evidence of:

*   Risk assessments
    
*   Security safeguards
    
*   Data governance practices
    
*   Compliance documentation
    
*   Privacy management programs
    

Privacy compliance would become more operationally rigorous than under [traditional PIPEDA approaches](https://www.onetrust.com/blog/the-ultimate-guide-to-pipeda-compliance/).

## Bill C-36: Stronger Enforcement and Penalties

Perhaps the most significant aspect of Bill C-36 is its enhanced enforcement framework.

Historically, PIPEDA relied heavily on investigations and recommendations from the Office of the Privacy Commissioner.

Bill C-36 proposes substantially stronger enforcement mechanisms, including:

*   Order-making authority
    
*   Administrative monetary penalties
    
*   Expanded regulatory oversight
    
*   Increased accountability measures
    

Organizations may face penalties reaching tens of millions of dollars or a percentage of global revenue for serious violations.

This represents a dramatic shift from PIPEDA's [historical enforcement model](https://termly.io/resources/articles/pipeda/).

## Bill C-36's New Regulatory Structure

Bill C-36 would establish a new regulatory framework through the [Digital Safety and Data Protection Commission of Canada](https://www.jdsupra.com/legalnews/bill-c-36-rewriting-the-rules-for-4549119/), which would oversee privacy enforcement under the PPCDA.

The proposed regulator would possess significantly stronger enforcement powers than those traditionally available under PIPEDA.

Organizations should expect increased regulatory scrutiny and higher expectations regarding privacy governance.

## PPCDA's Impact on Canadian Businesses

Virtually every Canadian organization that collects personal information may be affected.

This includes:

*   Small businesses
    
*   Retailers
    
*   Financial institutions
    
*   Technology companies
    
*   Professional services firms
    
*   Healthcare providers
    
*   Non-profit organizations
    
*   E-commerce businesses
    

Organizations that currently comply with PIPEDA will have a strong foundation, but additional compliance work will likely be necessary if Bill C-36 becomes law.

## How Organizations Should Prepare For PPCDA

Although Bill C-36 has only completed first reading and is not yet law, proactive preparation is advisable. PIPEDA remains the governing federal privacy law until the new legislation is passed and brought into force.

Organizations should consider:

### Conducting Privacy Gap Assessments

Evaluate [current privacy practices](https://www.packetlabs.net/services-overview/security-assessments/) against anticipated PPCDA requirements.

### Reviewing Consent Practices

Assess whether consent notices are understandable, transparent, and adequately documented.

### Strengthening Privacy Governance

Develop formal privacy management programs and assign accountability.

### Updating Data Inventories

Understand what personal information is collected, where it resides, and how it is used.

### Enhancing Security Controls

Strengthen technical and organizational safeguards protecting personal information.

### Preparing for New Consumer Rights

Develop processes for handling access, correction, deletion, and transparency requests.

Organizations that begin preparing now may find compliance significantly easier once final legislative requirements are confirmed.

## The Future of Privacy Compliance in Canada

Bill C-36 signals a broader shift toward modern, risk-based privacy governance.

Canadian organizations can expect increased expectations around:

*   Privacy by design
    
*   Data governance
    
*   Transparency
    
*   Consumer rights
    
*   Accountability
    
*   Security safeguards
    
*   Automated decision-making oversight
    

Privacy is increasingly becoming a board-level and executive-level issue rather than solely a legal or compliance concern.

Organizations that proactively invest in privacy governance today will likely be better positioned to navigate future regulatory developments.

## Conclusion

Bill C-36 represents Canada's most significant proposed privacy reform in more than twenty years. If enacted, it will replace the privacy provisions of PIPEDA with the new Protecting Privacy and Consumer Data Act (PPCDA), introducing stronger consumer rights, expanded organizational obligations, enhanced enforcement powers, and substantially larger penalties.

While PIPEDA remains the law today, Canadian organizations should begin evaluating how the proposed legislation could affect their privacy programs, governance structures, consent practices, and cybersecurity controls. Privacy compliance is increasingly becoming a core business requirement, particularly as organizations collect larger volumes of personal information and rely more heavily on digital technologies and artificial intelligence.

By understanding the relationship between Bill C-36 and PIPEDA now, organizations can position themselves to adapt more effectively when Canada's next generation of privacy legislation ultimately comes into force.
