Canada's Bill C-36 Replaces PIPEDA — What Canadian SMBs Need to Know Before It Comes Into Force
On June 15, 2026 — two days ago — the federal government tabled Bill C-36, the *Protecting Privacy and Consumer Data Act (PPCDA)*. If it passes, it will be the most significant overhaul of Canadian private-sector privacy law since PIPEDA came into force in 2001.
Bill C-36 raises the ceiling on penalties from $100,000 to $25 million or 5% of global revenue. It introduces a right to data deletion — including AI-generated deepfakes. It creates a new federal regulator with real enforcement power. And it hands businesses a compliance window that, realistically, is somewhere between one and two years.
If you run a Canadian business that collects, uses, or discloses personal information — and most do — this is the briefing to read.
Why Canada Needed a New Privacy Law
PIPEDA has governed commercial privacy for 25 years. It was built for a world without cloud infrastructure, AI-driven decision-making, or mass data brokerage. Its enforcement model reflects that: the Privacy Commissioner investigates, recommends, and can apply to Federal Court, but cannot impose fines directly. The maximum penalty for a violation is $100,000.
That limitation has consequences. In 2024-25, the Office of the Privacy Commissioner received 686 breach reports from private-sector businesses under PIPEDA — affecting over 20 million Canadians. Complaints to the OPC rose 32% in the same period. (OPC 2024-25 Annual Report) The average cost of a Canadian data breach reached CA$6.98 million in 2025 — a 10.4% increase year-over-year. (IBM Cost of a Data Breach Report 2025 – Canada) The enforcement regime was not designed for this environment.
Bill C-36 is the Carney government's response — a revised version of Bill C-27, which died on the Order Paper when Parliament prorogued in January 2025. (IAPP, Canada's Bill C-36 introduces privacy reforms, enforcement changes)
What Changes: PIPEDA to PPCDA
Bill C-36 enacts the Protecting Privacy and Consumer Data Act (PPCDA), which replaces Part 1 of PIPEDA — the commercial privacy section. PIPEDA itself survives in narrowed form, renamed the *Electronic Documents Act*, covering only its electronic documents and signatures provisions.
The legislation also creates a new Digital Safety and Data Protection Commission (DSDPC), which absorbs private-sector privacy enforcement from the Privacy Commissioner's office and gains significant new penalty powers. (Government of Canada, June 15, 2026)
The key changes for businesses fall into five areas.
1. Meaningful Consent — and a New Legitimate Interest Basis
The PPCDA requires meaningful consent in plain language that a non-lawyer can understand. Buried, pre-ticked, or vaguely worded consent will not meet the standard.
At the same time, the bill re-introduces "legitimate interest" as an alternative legal basis — allowing organizations to use personal information without explicit consent where the purpose is proportionate and would not be unexpected to the individual. This is closer to the GDPR model and provides practical flexibility for internal uses like fraud prevention, security monitoring, and analytics, while tightening the rules for marketing and profiling.
2. The Right to Data Deletion — Including AI Deepfakes
Canadians will be able to request that organizations delete their personal information. This includes AI-generated deepfakes — a specific provision that reflects how the threat landscape has evolved since PIPEDA was drafted. (Government of Canada press release, June 15, 2026)
For businesses, this means you need a functional deletion workflow before the law comes into force: a process for receiving requests, verifying identity, actioning the deletion across your own systems, and passing it downstream to any third-party processors you use — your CRM, marketing platform, payroll system, cloud storage vendor.
3. Children's Data: Heightened Obligations
Organizations collecting personal information from minors face additional obligations, including enhanced consent requirements and restrictions on profiling and behavioural advertising targeting children. If your website, app, or service could be accessed by minors, this section applies to you.
4. AI Transparency: Disclose Automated Decisions
If your business uses AI or automated systems to make — or meaningfully influence — significant decisions about individuals, Bill C-36 requires you to disclose that AI is involved and provide a meaningful explanation to the affected person. (HCA Mag, Federal privacy bill targets employee data and AI hiring)
The obvious cases: AI-assisted hiring, automated loan approvals, dynamic pricing engines, chatbot triage systems, predictive risk scoring. If your business uses any of these, you likely have a disclosure obligation under the new law.
5. Mandatory Privacy Management Program
Every organization must implement and maintain a privacy management program covering: data inventory and mapping, safeguards, staff training, complaint-handling procedures, and third-party vendor oversight. On request from the DSDPC, you must be able to produce it.
The obligation is proportionate — a 10-person firm won't be held to enterprise-scale documentation. But you do need to have documented what you collect, why, how long you keep it, and who has access. Most Canadian SMBs don't have this today.
The Enforcement Overhaul
This is the biggest practical shift from PIPEDA. The new Digital Safety and Data Protection Commission can impose:
| Violation tier | Maximum penalty |
|---|---|
| Administrative (less serious violations) | $10 million or 3% of global revenue, whichever is greater |
| Serious offences (intentional or reckless) | $25 million or 5% of global revenue, whichever is greater |
For context: a business with CA$5 million in annual revenue that fails to meet its consent obligations faces a maximum administrative penalty of CA$150,000 — 50% higher than the current PIPEDA ceiling for any violation, regardless of severity. A serious offence brings that to CA$250,000 for the same business. The math scales steeply with revenue for larger organizations.
The Privacy Commissioner of Canada publicly welcomed the legislation's stated direction while noting the structural shift — the Commissioner's private-sector jurisdiction transfers entirely to the new Commission. (OPC Statement on Bill C-36, June 15, 2026)
When Does This Take Effect?
Bill C-36 received first reading on June 15, 2026. It still needs to pass second reading, committee review, third reading in the House, Senate review, and royal assent — and only then can it come into force, contingent on Bill C-34 (the Safe Social Media Act) also passing and the DSDPC becoming operational.
Realistic timeline: 12 to 24 months from first reading at minimum, meaning enforcement likely begins in late 2027 or 2028. (Gowling WLG, Bill C-36: Timeline of Developments)
That window is real, but it is not a reason to delay. Privacy compliance takes time to build — data inventories, deletion workflows, and vendor contract updates don't happen overnight. And PIPEDA is still in force today. Statistics Canada found that 1 in 6 Canadian businesses — 16% — was impacted by a cyber security incident in 2023, and every one of those businesses faces existing breach notification and data protection obligations under the current law right now. (Statistics Canada, Canadian Survey of Cyber Security and Cybercrime, 2023)
What Canadian SMBs Should Do Now
Build your data inventory. Know what personal information you collect, from whom, for what purpose, and how long you keep it. If you don't have this documented, nothing else is possible.
Audit your consent mechanisms. Read your privacy policy from the perspective of a customer who has no legal background. If you wouldn't find it clear and specific, your customers won't either — and the PPCDA standard is plain language.
Design a deletion workflow. Before the law requires it, build the process: how an individual submits a deletion request, how you verify their identity, how you action it across your systems, and how you communicate it to your third-party processors.
Map your AI and automated decision-making. List every automated system that makes or materially influences decisions about customers or employees. Determine which ones require disclosure statements under the new AI transparency provisions.
Designate a privacy officer. PIPEDA already requires this for organizations of meaningful size; many Canadian SMBs don't have one. The PPCDA makes this role more consequential. Designate someone now and get them the training and tools they need.
Review vendor contracts. Your PPCDA obligations extend to third parties who process data on your behalf. Confirm appropriate data processing agreements are in place with every cloud provider, SaaS vendor, and analytics tool you use.
Sources
- Government of Canada. *Bill C-36 — Government tables new legislation to protect children's data, strengthen privacy and build trust in the digital economy.* canada.ca
- IAPP. *Canada's Bill C-36 introduces privacy reforms, enforcement changes.* iapp.org
- Parliament of Canada. *Bill C-36, First Reading — 45th Parliament, 1st Session.* parl.ca
- Gowling WLG. *Bill C-36: Timeline of Developments.* gowlingwlg.com
- Office of the Privacy Commissioner of Canada. *Statement on Bill C-36, the Protecting Privacy and Consumer Data Act — June 15, 2026.* priv.gc.ca
- Office of the Privacy Commissioner of Canada. *Prioritizing Privacy in a Data-Driven World — 2024-25 Annual Report.* priv.gc.ca
- IBM Security. *Cost of a Data Breach Report 2025 – Canada.* canada.newsroom.ibm.com
- Statistics Canada. *Canadian Survey of Cyber Security and Cybercrime, 2023.* statcan.gc.ca
- HCA Mag. *Federal privacy bill targets employee data and AI hiring, with fines up to 5% of revenue.* hcamag.com
Bill C-36 gives Canadian businesses a real compliance window — but preparation takes longer than the legislative calendar suggests. Cloud Forces helps Canadian SMBs conduct privacy readiness assessments, build PPCDA-compliant privacy management programs, and implement the technical safeguards that PIPEDA requires today and the PPCDA will require tomorrow. Explore our Advisory services or book a free privacy readiness assessment.
Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.