Canada’s New Privacy Law Is Coming: What Bill C-36 Means for Your Business

A Big Change Is on the Way

Canada is getting ready for a major update to how businesses handle personal information. On June 15, 2026, the federal government introduced Bill C-36. This bill would create a new law called the Protecting Privacy and Consumer Data Act, or PPCDA. [1]

If it passes, this law will replace key parts of PIPEDA, which has been in place since 2001. It would also be the biggest change to Canada’s private sector privacy rules in over 20 years. [2]

For businesses, that means change is coming, and it’s smart to start paying attention now.

Who This Affects

If your business collects, uses, or shares personal information, this law likely applies to you. That includes small businesses, local service providers, online stores, and companies using tools like CRMs, email marketing platforms, or cloud services. In simple terms, if you have customer data, you need to understand this change.

More Responsibility for Businesses

One of the biggest updates is the requirement for a formal privacy management program. This goes beyond having a privacy policy on your website. Businesses will need clear internal processes for handling personal information, training staff, and dealing with complaints or issues. Regulators may ask to review this program at any time, so it needs to be real, documented, and kept up to date.

Clearer Consent Rules

Consent is still a key part of privacy, but the rules are getting stricter. Businesses will need to clearly explain what data they are collecting, why they are collecting it, and how it will be used. This information needs to be easy to understand before a person agrees. While there are some limited exceptions, most businesses will still rely on clear, informed consent. [2]

Only Collect What You Need

The new law introduces the idea of data minimization. This means you should only collect information that you truly need to provide your service. Many businesses collect extra data “just in case,” but that approach won’t meet the new expectations. Going forward, it’s about being intentional and careful with every piece of information you collect.

Customers Have More Control

The PPCDA gives individuals more control over their personal data. One of the biggest changes is the right to request that their information be deleted or anonymized in certain situations. There are still exceptions, such as legal or tax requirements, but the overall message is clear. If you don’t need the information, you shouldn’t keep it. [1]

Data Mobility Is Coming

Another change to watch is data mobility. In the future, people may be able to request their personal information and move it to another provider. Think of it like switching banks or phone companies, but taking your data with you. The details are still being developed, but it’s something businesses will need to plan for.

New Rules for AI and Automation

The law also starts to address tools like artificial intelligence and automated decision systems. If your business uses software to help make decisions about people, you will need to be more transparent about how those systems work and how they impact individuals. As AI becomes more common, this is an area many businesses will need to watch closely. [1]

Stricter Rules for Data Outside Canada

Many businesses rely on tools that store data outside Canada. Under the new law, that is still allowed, but your responsibility does not end when the data leaves the country. You will need to make sure your vendors and service providers are protecting that information properly at every step.

Stronger Enforcement and Bigger Penalties

Bill C-36 also introduces a new regulator called the Digital Safety and Data Protection Commission of Canada. This body will have stronger powers than the current system, including the ability to audit businesses, issue orders, and enforce compliance.

The penalties are significant. The maximum fine can reach $10,000,000 or 3% of global revenue, whichever is higher. This is a major step up and shows how seriously the government is treating privacy. [3]

New Risk: Lawsuits

For the first time at the federal level, individuals may be able to take legal action against organizations for privacy violations. This adds another layer of risk for businesses and makes it even more important to handle personal information properly.

What You Should Do Now

It’s important to remember that Bill C-36 is not law yet. It still needs to go through the full legislative process before it comes into force. However, waiting until it becomes law is not the best approach. [4]

Now is a good time to review what data you collect and why. Make sure your privacy policy is clear and easy to understand. Take a look at how you are asking for consent, and review the tools and vendors you rely on. Small steps now can make a big difference later.

Final Thoughts

At the end of the day, this new law is about trust. People want to know their information is handled with care. Businesses that take privacy seriously will stand out and build stronger relationships with their customers.

The rules may be changing, but the goal is simple. Protect people, be transparent, and handle data responsibly.

Sources and Further Reading

  1. canada.ca
  2. lawsonlundell.com
  3. iapp.org
  4. gowlingwlg.com

Additional Info

Media Contact: John Shoff

Source: www.realitybytes.ca/blog/canadas-new-privacy-law-is-coming-what-bill-c-36-means-for-your-business
