
What Canada's tightening privacy rules mean for your small business

Canada's privacy rules are in the middle of their biggest shake-up in a generation, and it is happening across the whole country, not just in Quebec. A tougher federal law is on the way, Quebec's Law 25 is already fully in force with steep fines, and mandatory breach reporting applies to businesses of every size today.

If you run a small business and assume privacy law is a big-company problem, that gap is closing fast. Here is what is actually changing, and the short list of things worth doing about it.

What is changing across Canada

  • Federal reform is coming. PIPEDA, the federal private-sector privacy law since 2000, is set to be replaced. The government is expected to introduce a new private-sector privacy statute, along with a tribunal that can levy penalties. The proposed fines are serious: up to the greater of C$25 million or 5 percent of global revenue. Children's privacy and artificial intelligence, including deepfakes, are named priorities. As of early 2026 the bill has not been tabled yet, but reform is widely expected this year.
  • Quebec is the preview, not the exception. Quebec's Law 25 is fully in effect, with penalties reaching $25 million or 4 percent of worldwide turnover. It is the strictest regime in the country today, and a good indication of where the federal rules are heading.
  • The provinces already have teeth. Alberta and British Columbia have their own private-sector privacy laws, and BC added mandatory breach notification in 2023. If your business operates wholly within Alberta, BC, or Quebec, that provincial law generally applies, while PIPEDA still covers activity that crosses provincial or national borders.

Why it matters for a small business

The headline penalties grab attention, but the part that already applies to you is quieter: mandatory breach reporting covers organizations of every size, right now, no matter where in Canada you operate.

  • If a breach creates a "real risk of significant harm," you must report it to the relevant privacy commissioner, notify the people affected, and keep a record of it.
  • The fines under Law 25 today, and those proposed under the coming federal law, are large enough to matter to a small business, not just a bank.
  • More of your clients will ask. Larger customers increasingly want proof that you handle data responsibly before they sign, so privacy basics are becoming a sales requirement, not only a legal one.

Sources:

  • IAPP, What 2026 may bring for Canada's privacy reform efforts
  • Office of the Privacy Commissioner of Canada, Mandatory reporting of breaches of security safeguards
