Governing AI Without a Federal Rulebook: What Canadian SMBs Must Do Now
Three years after introducing Canada's first federal AI regulation, Ottawa still has no AI law on the books — and AI adoption among Canadian businesses has tripled in the interim.
Statistics Canada's Analysis on Artificial Intelligence Use by Businesses in Canada, Q2 2026 found that 19.2% of Canadian businesses reported using AI to produce goods or deliver services — up from just 6.1% in Q2 2024. The Canadian Federation of Independent Business (CFIB) puts the figure even higher: 45% of Canadian businesses report using generative AI to complete tasks, rising from 39% among firms with fewer than five employees to 60% or more among those with 20 to 49 employees.
Rapid adoption. No federal statute. That gap has real compliance implications for Canadian SMBs — and "no federal AI law" does not mean "no obligations."
This is the compliance picture as it actually stands in mid-2026.
What Happened to Canada's AI Law
In June 2022, the federal government introduced Bill C-27, the Digital Charter Implementation Act, which bundled three pieces of legislation: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). AIDA would have been Canada's first federal AI statute, creating mandatory risk assessments for high-impact AI systems, disclosure obligations, and a dedicated AI and Data Commissioner.
AIDA never became law. When Parliament was prorogued in January 2025, Bill C-27 died on the order paper. AIDA died with it.
Canada's National Artificial Intelligence Strategy: AI for All signalled that AI-specific risks would be addressed through targeted regulation and existing legal authority rather than a standalone AI act. The strategy also announced meaningful investment — $500 million through BDC's LIFT program and an equal amount through Regional AI Initiatives — to accelerate SME AI adoption.
On June 15, 2026, the Minister of Artificial Intelligence and Digital Innovation tabled Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA) — a modernized replacement for PIPEDA. The PPCDA strengthens consent requirements, breach notification timelines, and enforcement, and creates the Digital Safety and Data Protection Commission with powers to issue binding orders and substantial penalties. But Bill C-36 is a privacy law, not an AI law. It addresses how AI processes personal data — it does not set risk tiers for AI systems, require algorithmic impact assessments, or mandate a registry of high-impact AI deployments. Crucially, it is not yet in force.
The result: Canadian businesses are running a 2026 AI adoption curve against a regulatory backdrop last meaningfully updated when BlackBerry was a growth stock.
What Actually Applies Right Now
The absence of a federal AI law does not mean absence of obligation. Canadian SMBs using AI face binding rules from four directions today.
PIPEDA: The Current Federal Baseline
Canada's Personal Information Protection and Electronic Documents Act was written in 2000, but its 10 Fair Information Principles apply directly to AI-driven data processing. The practical implications are concrete.
Consent. When employees enter customer information into a public AI tool — ChatGPT, Gemini, Microsoft Copilot without an enterprise agreement — they are disclosing that data to a third party. If customers never consented to their information being used that way, that is a PIPEDA compliance failure.
Purpose limitation. Personal data collected for one purpose — billing, for example — cannot be repurposed for AI model training without fresh consent. This is not a hypothetical risk: the OPC's investigation into OpenAI turned in part on exactly this issue.
Accountability. Organizations remain responsible for personal information in the hands of third-party AI providers. A data processing agreement with your AI vendor is not optional — it is a condition of meeting your accountability obligation under PIPEDA.
The Office of the Privacy Commissioner of Canada (OPC) has demonstrated it will enforce PIPEDA against AI companies — and the businesses that use them carry shared exposure. PIPEDA complaints more than doubled in 2025-26, rising 109% to 3,044, a surge the OPC's 2025-2026 Annual Report attributes partly to heightened awareness driven by AI-enhanced search. The OPC also received nearly 700 breach reports from businesses in the year, affecting more than 20 million Canadians.
In May 2026, the OPC concluded its joint investigation into OpenAI (PIPEDA Findings #2026-002). The matter was conditionally resolved based on OpenAI's commitments. The message from that investigation — and from subsequent complaints against X Corp. and X.AI — is that the OPC is actively applying PIPEDA to AI companies and to the consumer-facing tools built on their platforms.
Quebec's Act 25: Canada's Strictest AI Rules
Quebec's *Act Respecting the Protection of Personal Information in the Private Sector* (Act 25) has been fully in force since September 2024. Any Canadian business that sells goods or services in Quebec, operates a French-language website, or runs Quebec-targeted advertising is subject to it.
Act 25 contains Canada's most specific automated decision-making requirements. When a decision about an individual is made exclusively by automated processing, the organization must disclose this fact to the person, explain what personal information was used and why, and provide a mechanism for human review of the AI-only decision. Before deploying any AI system that presents a significant privacy risk — including automated profiling — organizations must complete a Privacy Impact Assessment (PIA).
Penalties are substantial: up to C$10 million or 2% of worldwide turnover for first-tier violations, and C$25 million or 4% of worldwide turnover for the most serious offences. These are GDPR-scale consequences that have been fully enforceable in Quebec for less than two years.
If your business has any Quebec customers — and if you sell online or serve French-Canadian markets, you almost certainly do — Act 25 is active compliance today, not something to plan for.
Ontario's Employment Standards Act: AI in Hiring
Amendments introduced through Ontario's *Working for Workers Four Act* (Bill 149) took effect January 1, 2026, for employers with 25 or more employees. Every publicly advertised job posting must now disclose whether AI tools are used to screen, assess, or select applicants. The same statement must appear on any associated application form.
This is a narrow but concrete obligation. If your hiring workflow uses AI to sort CVs, score candidates, or process application data — and a growing number of SMBs do, through tools embedded in Workday, LinkedIn Recruiter, or standalone ATS platforms — the Ontario ESA requires you to say so in the posting.
Sector-Specific Regulators
OSFI (financial services), Health Canada, the CRTC, and the Competition Bureau have all issued AI-related guidance or applied existing frameworks to AI tools in their sectors. If your business operates under a sector-specific regulator, that regulator's AI position is part of your compliance landscape — not a supplement to it.
The Governance Gap in Practice
The OPC's 2025-2026 Survey of Canadian Businesses found that while 72% of businesses rated themselves as highly aware of their PIPEDA responsibilities and 84% had implemented privacy policies, only 16% identified as using AI for business operations. Among AI-using businesses, the most common applications were research and document drafting (45%), marketing (24%), and text or data analysis (18%).
The gap is structural: the majority of businesses using AI for drafting and research are routing personal information through AI tools — but many lack the data processing agreements, updated privacy notices, or internal policies to make that use PIPEDA-compliant. The 16% who identified as AI users in the OPC survey do not capture the employees using consumer AI tools on personal accounts for work tasks — one of the most common PIPEDA exposures an SMB carries today.
Statistics Canada's Q2 2026 data adds texture: among businesses that had not adopted AI, 40% said it was not relevant to their operations, while 13.4% cited cybersecurity or privacy concerns and 10.6% cited cost. The privacy-concerned group — roughly 1 in 7 non-adopters — is right to flag compliance risk, but the answer is governance, not avoidance. AI adoption among competitors is accelerating regardless.
A Practical AI Governance Checklist for Canadian SMBs
Given the current landscape, here is what a defensible AI governance posture looks like for a Canadian SMB in mid-2026.
Build an AI inventory. List every AI tool in use across your organization, including tools employees use personally for work tasks. Identify which process personal information about customers, employees, or third parties. Separate consumer-facing products (high PIPEDA exposure) from enterprise deployments with contractual data processing agreements.
Map your personal data flows. Document what personal information flows through each AI tool and for what stated purpose. Confirm the purpose was covered in your original collection consent. Identify any Quebec customers who may be subject to automated decision-making.
Get vendor agreements in place. Every AI vendor processing personal information should have a signed data processing agreement. Confirm data residency — PIPEDA's accountability principle requires that transferred data be protected under comparable standards. Review vendor terms for model training provisions.
Update your privacy notice. Amend your external privacy policy to disclose AI use where it involves personal data. If you operate in Quebec and use automated decision-making, add the required disclosures and mechanism for human review.
Conduct a Privacy Impact Assessment for higher-risk uses. If you use AI for customer-facing eligibility, scoring, or service decisions, a PIA is mandatory in Quebec and best practice under PIPEDA everywhere else. Document your assessment and retain it.
Add the Ontario hiring disclosure. If you have 25 or more employees and post jobs in Ontario, ensure every public posting includes a clear statement about AI use in screening and selection. Apply the same disclosure to application forms.
Train your team. Employees are the most common source of AI-related PIPEDA exposure. A focused annual session on what data can and cannot go into AI tools — and why — is low-cost risk reduction with material compliance value.
Sources
- Statistics Canada. *Analysis on Artificial Intelligence Use by Businesses in Canada, Second Quarter of 2026.* statcan.gc.ca
- Canadian Federation of Independent Business (CFIB). *AI Adoption and Workforce Training Investment in Canada.* cfib-fcei.ca
- Innovation, Science and Economic Development Canada. *Canada's National Artificial Intelligence Strategy: AI for All.* ised-isde.canada.ca
- Office of the Privacy Commissioner of Canada. *Championing Privacy in the Age of AI — 2025-2026 Annual Report.* priv.gc.ca
- Office of the Privacy Commissioner of Canada. *PIPEDA Findings #2026-002: Joint Investigation of OpenAI OpCo, LLC.* priv.gc.ca
- Office of the Privacy Commissioner of Canada. *Privacy and Artificial Intelligence (AI).* priv.gc.ca
- Office of the Privacy Commissioner of Canada. *2025-2026 Survey of Canadian Businesses on Privacy-Related Issues.* priv.gc.ca
- DLA Piper. *Canada Tables Bill C-36: The Protecting Privacy and Consumer Data Act.* June 2026. dlapiper.com
- Grant Thornton Canada. *Law 25: The Issue of Automated Decisions.* rcgt.com
- Hicks Morley. *New Year, New Rules: Ontario Job Posting Requirements Take Effect January 1, 2026.* hicksmorley.com
Canada's AI governance landscape is moving faster than Parliament — and the compliance obligations on your organization today are real, even without a federal AI statute. Cloud Forces' AI Advisory service helps Canadian SMBs inventory their AI tools, assess privacy risk, build internal governance policies, and prepare for the requirements coming in Bill C-36. Book a consultation to understand where your current AI use stands under PIPEDA, Quebec Act 25, and Ontario's employment rules.
Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.
Ready to bring AI to your business?
Book a free AI Readiness Consultation — no commitment required.
Book Free Consultation