New Consumer Privacy Law

Full Title:
An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts

Summary#

Bill C-36 replaces Canada’s private‑sector privacy law (Part 1 of PIPEDA) with a new law called the Protecting Privacy and Consumer Data Act. It sets clear rules for how businesses collect, use, disclose, keep, and protect personal information in commercial activities. It also strengthens oversight and penalties, and renames the old PIPEDA as the Electronic Documents Act.

Key changes:

  • Creates new duties for organizations: designate a privacy lead, run a privacy management program, limit collection to what is needed, keep data accurate and secure, and delete it when no longer needed.
  • Requires valid consent with plain‑language information, and bans forcing extra consent not needed for a product or service. Lists many cases where consent is not required (for example, fraud prevention, certain “business activities,” or legal requests).
  • Gives people rights to access their data, ask for corrections, get breach notices, and receive an explanation when important decisions are made by automated systems (software that predicts or decides).
  • Requires privacy impact assessments before sending personal information outside Canada and for some “legitimate interest” uses without consent, and mandates breach reporting to the new Commission and to affected people when there is a real risk of significant harm.
  • Introduces data mobility (portability) so people can direct one organization to send their data to another, when a data mobility framework exists by regulation.
  • Establishes strong enforcement: administrative penalties up to the greater of $10 million or 3% of global revenue, criminal fines for knowing offences up to the greater of $25 million or 5% of global revenue, audits, orders, and a limited right to sue after a regulator’s finding.
  • Moves privacy oversight to the Digital Safety and Data Protection Commission of Canada and creates a Privacy and Consumer Data Commissioner and Division. Enables approved privacy codes and certification programs.

What it means for you#

  • Individuals and consumers

    • You must get clear information to consent. You can withdraw consent later.
    • You can ask if an organization has your personal information, how it is used, and to whom it was disclosed. You can request access and corrections.
    • You must be told about certain data breaches that create a real risk of significant harm (like identity theft or financial loss).
    • If an automated system made a decision about you that has a legal or similarly significant effect (for example, a loan denial), you can ask for an explanation and submit written arguments to a human reviewer at the organization.
    • You can ask an organization to dispose of your personal information in set situations (for example, if consent was withdrawn or the data is no longer needed), with some exceptions.
    • Data portability: you may be able to direct one organization to send your data to another when the government has set up a data mobility framework for that sector.
    • Children’s information is treated as sensitive. A parent or guardian can exercise rights for a child, unless the child is capable and wants to act for themselves.
  • Employees in federally regulated workplaces (banks, airlines, telecoms, etc.)

    • Your employer may collect, use, or disclose your personal information without consent if necessary to establish, manage, or end your employment and if you are informed.
  • Businesses and other organizations engaged in commercial activities

    • You must designate a privacy lead and maintain a privacy management program (policies, training, complaint handling, and public explanations of your practices).
    • Collect only what is necessary for stated purposes and record those purposes before collecting. Use plain language for consent, identify third parties, and avoid bundled consent beyond what is necessary to deliver the product or service.
    • You may rely on certain no‑consent grounds (for example, necessary business activities, specified legitimate interests after an assessment and risk mitigation, internal research on de‑identified data, transfers to service providers, emergencies, fraud prevention, or legal requests). Some activities are excluded from these grounds (for example, information collected with address‑harvesting software or by accessing a computer system without authorization).
    • Before disclosing or transferring personal information outside Canada, conduct a privacy impact assessment and mitigate risks (for example, contracts or approved codes/certifications).
    • Put in place physical, organizational, and technological safeguards proportionate to sensitivity, keep breach records, report qualifying breaches to the Commission, notify affected individuals, and ensure service providers offer equivalent protection by contract.
    • Be transparent about your use of automated decision systems that could significantly affect people, about cross‑border transfers, and about retention periods for sensitive data. Respond to access requests within 30 days (with limited extensions).
    • Non‑compliance risks orders, audits, administrative penalties (up to the greater of $10 million or 3% of global revenue per investigation), and potential criminal fines for knowing offences or obstruction (up to the greater of $25 million or 5% of global revenue). Individuals may sue after a regulator’s contravention finding.
    • Approved codes of practice and certification programs may be available, but they do not replace your legal duties.
  • Service providers (including affiliates and contractors)

    • You must notify the controlling organization of any breach you detect. If you use data for any purpose other than the one you received it for, you assume full obligations under the Act.
  • Journalistic, artistic, or literary activities

    • Collection and use solely for these purposes are exempt.
  • Timing

    • The Act starts on a date set by the federal Cabinet (order in council).

Expenses#

No publicly available information on public‑sector costs.

Possible private costs and burdens:

  • Building and maintaining privacy management programs, staff training, and complaint handling.
  • Conducting privacy impact assessments (for cross‑border disclosures and “legitimate interest” uses), and putting mitigation measures and contracts in place.
  • Data security measures, breach record‑keeping, and breach reporting.
  • Systems to handle access, correction, deletion, and explanations of automated decisions.
  • Potential future costs to support data mobility frameworks once set by regulation.
  • Legal exposure from orders, penalties, audits, and possible private lawsuits.

Proponents' View#

  • The bill appears intended to strengthen privacy rights in the digital economy while allowing necessary data flows for commerce.
  • Requiring plain‑language consent, limits on collection, and breach notifications could improve transparency and trust.
  • Explanations and human review for impactful automated decisions could make algorithmic decisions fairer and more accountable.
  • Privacy impact assessments and safeguards for cross‑border transfers could better protect Canadians’ data when it leaves the country.
  • Stronger enforcement powers and meaningful penalties could drive compliance and deter misuse.
  • Data mobility could help consumers switch providers more easily and may support competition and innovation.
  • Allowing approved codes and certifications could give organizations clearer guidance and streamlined compliance.

Opponents' View#

  • One concern is the number of exceptions that allow collection, use, or disclosure without consent (for example, “business activities,” “legitimate interests,” fraud prevention, or broad disclosures to government for law enforcement and national security). This could be seen as weakening consent.
  • The bill permits transfers outside Canada after an assessment and mitigation, but it does not restrict such transfers outright. People may worry about protections in foreign jurisdictions.
  • Many key elements (for example, data mobility frameworks and details of “legitimate interest” assessments) are left to future regulations, so the real‑world impact is partly unclear.
  • Compliance duties (privacy programs, assessments, breach management, access requests, and explanations for automated decisions) could be challenging and costly, especially for smaller organizations.
  • Very high penalties and a private right of action after findings may increase legal risk and lead to more disputes.
  • The Act allows regulators to share some information domestically and with foreign counterparts under agreements. This may raise questions about confidentiality and oversight, even with stated limits.

Amendment analysis#

Amendments: 55 · Sources: 1462 · Updated: Jun 16, 2026
