In brief
On June 15, 2026, the Government of Canada tabled Bill C-36, Protecting of Privacy and Consumer Data Act (“Bill C-36”), which, if passed, would effectively replace Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as the federal private sector privacy law governing the collection, use, and disclosure of Canadians’ personal information in the course of commercial activities.
Organizations can anticipate a more interventionist privacy regulator, new and expanded compliance obligations, and greater exposure to enforcement, compliance orders, litigation risk, and penalties. Bill C-36 may also create targeted opportunities for greater operational flexibility, particularly around obtaining consent, through the proposed introduction of a “legitimate interests” ground and expanded business activity exceptions. These may allow organizations to rely less on consent for certain uses, provided they complete the required assessments, including privacy impact assessments, and can demonstrate that the impact on individuals is proportionate and consistent with reasonable expectations.
Key takeaways
A more interventionist regulator with audit-style oversight
- Canada’s federal privacy regulator, the Office of the Privacy Commissioner of Canada, could require organizations to provide access to their privacy management program (including “policies, practices and procedures”) and recommend corrective measures following review.
- Bill C-36 would introduce formal audit powers and structured investigation, compliance agreement, and penalty processes (ss. 98–120), hinting at a more active regulator.
Greater enforcement exposure, including penalties and private actions
- Bill C-36 would introduce administrative monetary penalties that could be the greater of CAD 10,000,000 and 3% of the organization’s gross global revenue in the prior financial year, and grounds for penalties would be expanded beyond the limited grounds available under PIPEDA.
- Individuals could also have a private right of action for damages following a finding of contravention or a final decision by the federal privacy regulator. No such right exists under PIPEDA, so this could increase downstream litigation risk for non-compliance.
Privacy management programs become auditable evidence
- Bill C-36 would require organizations to “implement and maintain” a privacy management program and prescribe what needs to be covered in the program. It would also require organizations to give the regulator access to documents in the program upon request.
Cross-border transfers and internal uses become assessment-driven
- Before transferring or disclosing personal information “outside of Canada,” organizations would need to conduct a privacy impact assessment and implement prescribed mitigation measures (s. 57).
- Similar assessment requirements would apply to other high-risk uses, including reliance on legitimate interests, creating new, auditable workflows for global data operations.
De-identified data remains regulated and constrained
- Bill C-36 confirms that “de-identified personal information does not cease to be personal information” (s. 2(2)), meaning it remains subject to core compliance obligations.
- Organizations would need to apply “proportional technical and administrative measures” and would be subject to prohibitions on misuse of de-identified data, which could limit unrestricted use of de-identified personal information for analytics, AI training and secondary purposes.
- Bill C-36 would formally introduce the concept of “anonymization” of personal information under the statute, and distinguish it from de-identified personal information, where “anonymized” would mean to “irreversibly and permanently modify personal information to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means.”
Automated decision-making is brought within regulatory scope
- The concept of an “automated decision system” would be introduced, which would be broadly defined to include machine learning, predictive analytics and rules-based systems (s. 2).
- Organizations would need to provide, upon request from a data subject, meaningful information in plain language about how personal information is used in making automated decisions affecting them, including an explanation of the prediction, recommendation or decision.
Expanded individual rights with respect to disposal of personal information
- Individuals would gain a right to request “disposal” of their personal information, defined as permanent deletion or anonymization (ss. 2, 54), requiring robust data lifecycle controls.
Targeted operational flexibility through structured alternatives to consent
- Bill C-36 would introduce a “legitimate interest” ground that could permit the collection, use or disclosure of personal information without consent where the organization could demonstrate that its interest “outweighs any reasonably foreseeable adverse effect” on the individual and aligns with reasonable expectations (s. 18(3)).
- An expanded “business activity” exception could allow organizations to use personal information without consent for defined operational purposes (e.g., providing services, system security, product safety), provided the activity is one a reasonable person would expect and is not used to influence an individual’s behaviour or decisions (s. 18(1)-(2)).
Conclusion
While Bill C-36 remains at an early stage of review and may evolve through the legislative process, its direction of travel signals a clear shift toward more operational, enforceable privacy compliance. Organizations could proactively assess gaps in their governance, data use practices, and cross-border controls to position themselves for a more interventionist and audit-driven regulatory environment.