What the Protecting Privacy and Consumer Data Act means for your business

Prepared by Derek Lackey, Newport Thomson                                          June 16, 2026

Summary

Ottawa has tabled a bill that would replace the privacy half of PIPEDA. It is the biggest change to private-sector privacy law in 25 years. It is not law yet. The right move now is to understand it and get ready, not to rewrite your privacy program over a bill that could still change.

On June 15, 2026, the federal government introduced Bill C-36, the Protecting Privacy and Consumer Data Act. It received first reading the same day. It is a cornerstone of Canada’s new national AI strategy.

The bill replaces Part 1 of PIPEDA, the part that governs how private companies collect, use, and share personal information. The rest of PIPEDA gets renamed the Electronic Documents Act and keeps only its electronic documents and e-signature rules. A new regulator takes over, and it comes with penalties that have real teeth.

What changes for your customers

• Privacy as a fundamental right. The bill states privacy is a fundamental right, which sets the tone for how the rest of the law is read.
• Stronger rules for children’s data. Companies are held to a higher standard when they handle the personal information of children.
• A right to deletion. People can ask a company to delete or dispose of their personal information in certain situations, with some exceptions.
• Clearer consent and explanations. Consent has to be meaningful, and specific. Companies must explain in plain terms what they are doing with personal information.
• Transparency on automated decisions. When AI or an automated system makes a decision about a person, there are new transparency obligations.

What changes for your business

• Limits on surveillance pricing. Using someone’s browsing history, location, or device to set an individual price for them is treated as an unfair use of data. If you run personalized pricing, look here first.
• Cross-border transfers. Before sending personal information outside Canada, you must assess and reduce the privacy risk. This matters if your tools and servers are hosted in the United States. Transfer Impact Assessments (like Law25 in Quebec) should be used.
• Data mobility. People can move their information securely from one organization to another where a framework applies.
• A proportionate approach for smaller firms. The regulator is directed to consider the needs and limits of small and medium businesses. The rules are not meant to land on a ten-person shop the same way they land on a bank.
• Clearer rules for de-identified data. There is more certainty around de-identification and anonymization, plus optional tools like codes of practice and certification to show you comply.

The new regulator and the penalties

The Office of the Privacy Commissioner’s role moves into a new body, the Digital Safety and Data Protection Commission of Canada. A designated Privacy and Consumer Data Commissioner leads enforcement. The Commission can issue binding orders, which means it can order you to do something and you have to do it.

This is the part that changes the math. PIPEDA never had this kind of bite.

Where it stands

This is a bill, not a law. It has only had first reading. Before the new privacy rules switch on, three things have to happen: the bill has to pass Parliament, the new Commission has to be set up, and a separate order has to bring the rules into force. Any of the details can shift as it moves through the process.

What to do now

1. Know what data you hold. You cannot protect or delete what you have not mapped. A simple data inventory is the foundation for everything else.
2. Check your pricing. If you use personal data to set different prices for different customers, flag it now and be ready to explain or change it.
3. Map your cross-border flows. List the tools and vendors that store Canadian customer data outside Canada. That list is where the cross-border work will start.
4. Watch the children’s data point. If your audience includes anyone under 18, the higher standard for children’s data deserves a closer look.
5. Do not overhaul yet. No good picking up speed if you’re on the wrong road. Track the bill, get your house in order, and wait for the final rules before rebuilding anything.

How Newport Thomson can help

We can run a readiness review against Bill C-36, map your cross-border data flows, and give you a plain-language plan that fits the size of your business. When the final rules land, you will already be most of the way there. The implementation of any Privacy Management Program starts with an in-depth Privacy Review.

Sources

This brief is drawn from primary and official sources, listed closest-to-the-law first.

• Government of Canada, Backgrounder (ISED). The government’s own summary of what the bill does, including the penalty figures.
• Parliament of Canada, Bill C-36, First Reading text. The actual statutory text for the precise wording. (Less focus on specifics, as it is likely to change throughout the process of becoming law and coming into force)
• Office of the Privacy Commissioner, Statement on Bill C-36. The current regulator’s read on the bill. There is still a lot of work to do.
• Gowling WLG, Bill C-36 timeline. A law firm tracking the bill’s progress through Parliament.
• Canadian Civil Liberties Association, analysis of Bill C-36. A critical view arguing some rights restate existing law. Useful for a balanced perspective.

This brief provides general information based on a bill at first reading. It is not legal advice. For decisions tied to your specific situation, speak with privacy counsel.