Protecting Privacy and Consumer Data Act (PPCDA)

Canada's Federal Personal Privacy Law Is Changing

Get Your Complimentary Quote Now
Conversational Form (#3)

Canada's Federal Personal Privacy Law Is Changing

Canada is once again overhauling its private-sector privacy regime.

On June 15, 2026, the federal government introduced Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), which—if passed—would repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and establish a new federal framework governing how organizations collect, use, disclose, retain, and protect personal information.

The proposed legislation is intended to modernize Canadian privacy law for an era defined by artificial intelligence, automated decision-making, children's online privacy, cross-border data flows, and increasingly sophisticated data-driven business models. According to the Government of Canada, the legislation recognizes privacy as a fundamental right while creating clearer rules for businesses operating in the digital economy.

At Substance Law, our privacy lawyers advise organizations across Canada on compliance with PIPEDA, provincial privacy legislation, CASL, data breaches, privacy policies, artificial intelligence governance, and emerging privacy legislation including the PPCDA.

What is the Protecting Privacy and Consumer Data Act?

The Protecting Privacy and Consumer Data Act (PPCDA) is proposed federal legislation introduced as Bill C-36.

Its purpose is to govern the protection of personal information collected, used, or disclosed in the course of commercial activities while recognizing both:

  • privacy as a fundamental right; and
  • organizations' legitimate need to collect and use personal information for appropriate purposes.

Unlike PIPEDA, the proposed legislation expressly recognizes privacy as a fundamental right and contains significantly expanded organizational obligations.

Will the PPCDA Replace PIPEDA?

Yes—if enacted.

Bill C-36 would:

  • repeal Part 1 of PIPEDA;
  • replace it with the Protecting Privacy and Consumer Data Act;
  • retain the remaining electronic documents provisions of PIPEDA under the renamed Electronic Documents Act; and
  • make consequential amendments to numerous federal statutes.

Accordingly, organizations currently complying with PIPEDA should expect substantial changes if the legislation receives Royal Assent.

Why is Canada Replacing PIPEDA?

PIPEDA came into force more than two decades ago.

The federal government has stated that it was drafted before:

  • modern artificial intelligence;
  • large-scale algorithmic decision-making;
  • deepfakes;
  • today's digital advertising ecosystem;
  • extensive online profiling; and
  • widespread collection of children's data.

The government has concluded that Canada's privacy framework no longer adequately addresses modern digital risks.

Key Changes Under the PPCDA

Privacy Recognized as a Fundamental Right

Perhaps the most significant philosophical change is that the legislation expressly recognizes privacy as a fundamental right.

The Act's stated purpose balances:

  • the fundamental right of individuals to privacy; and
  • organizations' legitimate commercial need to process personal information for reasonable purposes.

This shift could influence how regulators, courts, and organizations interpret the legislation.

Mandatory Privacy Management Programs

Organizations would no longer simply be expected to follow sound privacy practices.

Instead, every organization would be required to implement and maintain a documented privacy management program.

Among other things, that program must include:

  • privacy policies;
  • internal procedures;
  • complaint handling procedures;
  • employee training;
  • governance documentation; and
  • materials explaining privacy practices.

Organizations must also account for the volume and sensitivity of the personal information under their control.

For many businesses, this will require a far more structured compliance program than currently exists.

Expanded Accountability Requirements

Organizations remain responsible for personal information under their control—even where it is processed by third-party service providers.

The PPCDA specifically requires organizations transferring personal information to service providers to ensure, by contract or otherwise, that equivalent levels of protection are maintained.

This increases the importance of:

  • vendor due diligence;
  • data processing agreements;
  • cloud provider contracts;
  • outsourcing agreements; and
  • ongoing compliance monitoring.

Stronger Rules for Children's Information

The government has identified children's privacy as a central objective of the legislation.

Among other measures, the PPCDA would:

  • establish higher standards when organizations process children's information;
  • treat children's personal information as sensitive information; and
  • require organizations to provide stronger protections for minors.

Organizations operating websites, mobile apps, online platforms, educational technology, gaming services, and social media should pay particular attention to these requirements.

Meaningful Consent Requirements

Consent remains central to Canada's privacy framework.

However, the PPCDA emphasizes meaningful consent, requiring organizations to explain, in plain language:

  • why personal information is collected;
  • how it will be used;
  • who it may be shared with; and
  • other information necessary for individuals to make informed decisions.

Organizations relying on dense legal language or lengthy privacy policies may need significant revisions.

Automated Decision-Making Transparency

Artificial intelligence receives significantly greater attention than under PIPEDA.

Organizations making significant decisions using automated decision systems would be required to provide transparency regarding those systems.

The legislation defines automated decision systems broadly to include technologies using:

  • machine learning;
  • neural networks;
  • predictive analytics;
  • regression analysis; and
  • rules-based decision-making.

This could affect employers, financial institutions, insurers, technology companies, and many businesses deploying AI-assisted decision-making.

Right to Request Deletion

One notable addition is a statutory right allowing individuals to request deletion of their personal information in specified circumstances.

This reflects similar developments seen under international privacy legislation such as the GDPR's “right to erasure.”

Organizations should anticipate developing formal deletion request procedures if the legislation is enacted.

Data Mobility

The PPCDA would support data mobility by allowing Canadians to securely transfer personal information between organizations where an approved framework exists.

This may have significant implications for financial services, telecommunications, healthcare, and digital platform businesses.

Cross-Border Data Transfers

Unlike PIPEDA's relatively limited treatment of international transfers, the PPCDA would require organizations to implement robust safeguards and conduct risk assessments before transferring personal information outside Canada.

Organizations using foreign cloud providers should expect greater compliance obligations.

Who Will Enforce the PPCDA?

Enforcement would move beyond the existing framework.

The legislation proposes a new Digital Safety and Data Protection Commission of Canada, which would oversee the PPCDA while also administering the proposed Digital Safety Act.

The Commission would have significant enforcement powers, including:

  • investigations;
  • compliance orders;
  • audits;
  • compliance agreements;
  • administrative penalties;
  • appeals; and
  • other enforcement mechanisms.

Significant Financial Penalties

The proposed legislation introduces substantial administrative penalties.

According to the government's announcement, organizations could face:

  • penalties of up to $10 million or 3% of global revenue, whichever is greater; and
  • fines of up to $25 million or 5% of global revenue, whichever is greater, for the most serious offences.

These penalties represent a significant increase in enforcement exposure compared to Canada's historical privacy regime.

Who Will Need to Comply?

The legislation generally applies to organizations collecting, using, or disclosing personal information in the course of commercial activities, including federally regulated employers handling employee information.

Potentially affected organizations include:

  • retailers;
  • SaaS providers;
  • financial institutions;
  • insurers;
  • professional firms;
  • healthcare technology companies;
  • e-commerce businesses;
  • manufacturers;
  • marketing agencies;
  • AI developers; and
  • online platforms.

What Should Businesses Do Now?

Although Bill C-36 remains proposed legislation, organizations should begin evaluating their privacy compliance frameworks.

Practical preparation may include:

  • reviewing existing PIPEDA compliance programs;
  • updating privacy policies;
  • implementing documented privacy management programs;
  • reviewing service provider contracts;
  • assessing AI governance practices;
  • strengthening consent mechanisms;
  • improving data retention and deletion procedures;
  • reviewing children's privacy practices; and
  • conducting privacy impact assessments where appropriate.

Organizations that begin preparing early are likely to face a smoother transition if the PPCDA becomes law.

How Substance Law Can Help

Substance Law advises organizations throughout Canada on privacy law compliance, including:

  • PIPEDA compliance
  • PPCDA transition planning
  • Privacy management programs
  • Privacy policies
  • Website compliance
  • Artificial intelligence governance
  • Cross-border data transfers
  • Data breach response
  • CASL compliance
  • Vendor and cloud services agreements
  • Privacy impact assessments
  • Regulatory investigations

Whether your organization is preparing for the PPCDA or strengthening its existing privacy compliance program, obtaining legal advice early can help reduce regulatory risk.

Frequently Asked Questions About the PPCDA

Is the PPCDA currently law?

No. The PPCDA was introduced as Bill C-36 on June 15, 2026, and must complete the parliamentary process before coming into force.

Will PIPEDA disappear?

If Bill C-36 is enacted, Part 1 of PIPEDA would be repealed and replaced by the PPCDA, while the remaining portions of PIPEDA would continue as the Electronic Documents Act.

Does the PPCDA recognize privacy as a fundamental right?

Yes. The proposed legislation expressly recognizes privacy as a fundamental right while balancing organizations' legitimate commercial needs.

Will businesses need a privacy management program?

Yes. Every organization would be required to implement and maintain a documented privacy management program that includes policies, procedures, complaint handling processes, employee training, and governance measures.

How large are the proposed penalties?

The government has proposed administrative penalties of up to $10 million or 3% of global revenue, and fines of up to $25 million or 5% of global revenue for the most serious contraventions.

Lawyer Harrison Jordan
Sidebar