
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog
Authored By Packetlabs

Canada's privacy landscape is undergoing its most significant transformation in more than two decades. In June 2026, the federal government introduced Bill C-36, legislation that would replace the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) with a new framework known as the Protecting Privacy and Consumer Data Act (PPCDA).
For Canadian businesses, this proposed legislation represents a fundamental shift in how personal information is collected, used, disclosed, stored, and protected. It also introduces stronger enforcement mechanisms, increased penalties, enhanced consumer rights, and new compliance obligations.
While Bill C-36 has not yet become law and remains before Parliament, organizations should begin preparing now. If enacted, the legislation will significantly reshape privacy compliance requirements across Canada.
This guide explains what Bill C-36 is, how it relates to PIPEDA, the major changes it introduces, and what organizations should do to prepare for Canada's evolving privacy framework.
Before examining Bill C-36, it is important to understand the role PIPEDA has played in Canada's privacy regime.
The Personal Information Protection and Electronic Documents Act (PIPEDA) has governed the collection, use, and disclosure of personal information by private-sector organizations engaged in commercial activities since the early 2000s.
PIPEDA established core privacy principles such as:
Accountability
Consent
Limiting collection
Limiting use and disclosure
Safeguarding information
Openness and transparency
Individual access rights
Complaint mechanisms
For more than two decades, PIPEDA has served as Canada's primary federal private-sector privacy law.
However, the digital economy has changed dramatically since its introduction.
Today's organizations operate in an environment characterized by:
Cloud computing
Artificial intelligence
Big data analytics
Mobile applications
Internet-connected devices
Cross-border data transfers
Automated decision-making systems
Many privacy experts, regulators, and policymakers have argued that PIPEDA no longer adequately addresses modern privacy risks.
Bill C-36, introduced on June 15, 2026, would enact the Protecting Privacy and Consumer Data Act (PPCDA) and substantially replace the privacy-related provisions currently found within PIPEDA.
The legislation is the federal government's third major attempt to modernize private-sector privacy law after earlier reform efforts through Bills C-11 and C-27 failed to become law.
The government has stated that the objective of the PPCDA is to:
Strengthen consumer privacy rights
Modernize privacy protections
Address emerging technologies
Improve transparency
Enhance accountability
Increase enforcement capabilities
Support responsible innovation and data use
The proposed law seeks to balance privacy rights with the realities of a modern digital economy.
The short answer is yes, at least for privacy compliance purposes.
If enacted, Bill C-36 would repeal Part 1 of PIPEDA, which currently governs private-sector privacy obligations. These provisions would be replaced by the PPCDA. The remaining portions of PIPEDA would continue under a renamed statute known as the Electronic Documents Act.
This means:
Area | PIPEDA Today | Under Bill C-36 |
Private-sector privacy rules | PIPEDA | PPCDA |
Consent requirements | PIPEDA framework | Enhanced PPCDA framework |
Enforcement | Privacy Commissioner | New regulator with expanded powers |
Administrative penalties | Limited | Significantly increased |
Privacy management programs | Limited expectations | Explicit requirements |
Consumer rights | Existing rights | Expanded rights |
For practical privacy compliance purposes, organizations should view Bill C-36 as a replacement for PIPEDA rather than a minor amendment.
Several factors have driven privacy reform efforts.
Organizations now collect significantly more personal information than when PIPEDA was first introduced.
Examples include:
Online behaviour data
Geolocation information
Biometric identifiers
Device telemetry
AI-generated profiles
Customer analytics
Modern legislation must address these evolving data practices.
AI systems increasingly influence:
Hiring decisions
Insurance assessments
Credit approvals
Marketing activities
Customer service interactions
Bill C-36 includes provisions aimed at improving transparency surrounding automated decision-making processes.
Many jurisdictions have strengthened privacy protections in recent years.
Examples include:
GDPR in Europe
Quebec's Law 25
Multiple U.S. state privacy laws
Emerging international privacy frameworks
Canada's privacy modernization efforts seek to maintain international confidence in Canadian privacy protections.
One of the most significant changes is the introduction of explicit privacy management program requirements.
Organizations may be required to establish and maintain documented privacy programs that demonstrate compliance with privacy obligations.
These programs may include:
Privacy policies
Risk assessments
Employee training
Governance frameworks
Incident response procedures
Compliance monitoring
This represents a more proactive approach than many organizations currently take under PIPEDA.
Consent remains a cornerstone of Canadian privacy law.
However, Bill C-36 seeks to strengthen requirements around obtaining meaningful consent.
Organizations may need to provide information in clear, understandable language regarding:
What information is collected
Why it is collected
How it will be used
Potential disclosures
Associated risks
The goal is to improve transparency and informed decision-making for individuals.
Similar to certain international privacy frameworks, Bill C-36 introduces broader circumstances where organizations may process personal information without obtaining explicit consent.
These include specific "legitimate interest" and business activity provisions. However, organizations may need to demonstrate that such activities are appropriate, proportionate, and not unexpected by individuals.
This change may provide greater operational flexibility while still requiring accountability.
The PPCDA proposes stronger rights for individuals regarding their personal information.
These rights may include:
Access rights
Correction rights
Data deletion rights
Enhanced transparency rights
Rights related to automated decisions
Some commentators have compared portions of these provisions to concepts found in the European GDPR.
Organizations would face increased obligations to demonstrate privacy compliance.
Regulators may expect evidence of:
Risk assessments
Security safeguards
Data governance practices
Compliance documentation
Privacy management programs
Privacy compliance would become more operationally rigorous than under traditional PIPEDA approaches.
Perhaps the most significant aspect of Bill C-36 is its enhanced enforcement framework.
Historically, PIPEDA relied heavily on investigations and recommendations from the Office of the Privacy Commissioner.
Bill C-36 proposes substantially stronger enforcement mechanisms, including:
Order-making authority
Administrative monetary penalties
Expanded regulatory oversight
Increased accountability measures
Organizations may face penalties reaching tens of millions of dollars or a percentage of global revenue for serious violations.
This represents a dramatic shift from PIPEDA's historical enforcement model.
Bill C-36 would establish a new regulatory framework through the Digital Safety and Data Protection Commission of Canada, which would oversee privacy enforcement under the PPCDA.
The proposed regulator would possess significantly stronger enforcement powers than those traditionally available under PIPEDA.
Organizations should expect increased regulatory scrutiny and higher expectations regarding privacy governance.
Virtually every Canadian organization that collects personal information may be affected.
This includes:
Small businesses
Retailers
Financial institutions
Technology companies
Professional services firms
Healthcare providers
Non-profit organizations
E-commerce businesses
Organizations that currently comply with PIPEDA will have a strong foundation, but additional compliance work will likely be necessary if Bill C-36 becomes law.
Although Bill C-36 has only completed first reading and is not yet law, proactive preparation is advisable. PIPEDA remains the governing federal privacy law until the new legislation is passed and brought into force.
Organizations should consider:
Evaluate current privacy practices against anticipated PPCDA requirements.
Assess whether consent notices are understandable, transparent, and adequately documented.
Develop formal privacy management programs and assign accountability.
Understand what personal information is collected, where it resides, and how it is used.
Strengthen technical and organizational safeguards protecting personal information.
Develop processes for handling access, correction, deletion, and transparency requests.
Organizations that begin preparing now may find compliance significantly easier once final legislative requirements are confirmed.
Bill C-36 signals a broader shift toward modern, risk-based privacy governance.
Canadian organizations can expect increased expectations around:
Privacy by design
Data governance
Transparency
Consumer rights
Accountability
Security safeguards
Automated decision-making oversight
Privacy is increasingly becoming a board-level and executive-level issue rather than solely a legal or compliance concern.
Organizations that proactively invest in privacy governance today will likely be better positioned to navigate future regulatory developments.
Bill C-36 represents Canada's most significant proposed privacy reform in more than twenty years. If enacted, it will replace the privacy provisions of PIPEDA with the new Protecting Privacy and Consumer Data Act (PPCDA), introducing stronger consumer rights, expanded organizational obligations, enhanced enforcement powers, and substantially larger penalties.
While PIPEDA remains the law today, Canadian organizations should begin evaluating how the proposed legislation could affect their privacy programs, governance structures, consent practices, and cybersecurity controls. Privacy compliance is increasingly becoming a core business requirement, particularly as organizations collect larger volumes of personal information and rely more heavily on digital technologies and artificial intelligence.
By understanding the relationship between Bill C-36 and PIPEDA now, organizations can position themselves to adapt more effectively when Canada's next generation of privacy legislation ultimately comes into force.