On June 15, 2026, the federal government tabled Bill C-36, which would enact the Protecting Privacy and Consumer Data Act (PPCDA) and replace the privacy half of PIPEDA, the law that has governed how Canadian businesses handle personal information for 25 years. It is the third attempt at this reform, and the most serious yet: a new regulator, much larger fines, and a clear expectation that every business runs a real privacy program. Here is what it would change, and what a small business should do about a law that is not yet law.
What Bill C-36 actually is
Bill C-36 would repeal Part 1 of PIPEDA and put the new Protecting Privacy and Consumer Data Act in its place as the main federal rulebook for how private companies collect, use, and share personal information. It follows two earlier failed attempts (Bill C-11 in 2020 and Bill C-27 in 2022), and it goes further than both: it frames privacy as a fundamental right, tightens the rules on consent, and gives people stronger rights to have their data deleted and moved. The leftover, non-privacy parts of PIPEDA would be renamed the Electronic Documents Act.
What would change for businesses
The PPCDA is built around the idea that handling personal information should be deliberate and documented, not ad hoc. The obligations that matter most to a small business:
- A privacy management program becomes the baseline expectation: a documented, repeatable way of handling personal data, including privacy impact assessments before risky processing.
- Meaningful, plain-language consent: burying permissions in dense legal text would no longer count, and sensitive uses need clearer, more specific consent.
- Stronger individual rights: people could ask you to delete their personal information and to hand over a copy to move it elsewhere.
- Higher standards for children: a child is anyone under 18, and their information is treated as sensitive, so any business serving young people faces extra obligations.
- Transparency about automated decisions: if software makes meaningful decisions about people, you have to be able to explain it.
A new regulator with real teeth
The biggest structural change is enforcement. Bill C-36 would create a new Digital Safety and Data Protection Commission of Canada, with a dedicated Privacy and Consumer Data Commissioner, and give it the power to issue binding orders. Private-sector privacy enforcement would move from the Office of the Privacy Commissioner, which would refocus on the public sector, to this new body. The penalties are what get attention: administrative monetary penalties up to the greater of $10 million or 3% of global annual revenue, rising to the greater of $25 million or 5% for the most serious offences. Those ceilings are aimed at large companies, but they signal that privacy is moving from a soft expectation to something with financial consequences.
But it is only a bill, for now
Here is the part that keeps this in perspective: Bill C-36 is at first reading, which means it is the very start of the process, not the end. It still has to pass the House, committee study, the Senate, and royal assent before any of it binds anyone, and the government has said it expects review and changes over the coming months. Canada has been here twice before and the bills died. So this is not a reason to panic or to overhaul anything this week. It is a strong signal of direction, and the direction is unmistakable.
Sources:Parliament of Canada, An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other ActsIAPP, Canada's Bill C-36 introduces privacy reforms, enforcement changesMcCarthy Tétrault, Bill C-36: What Organizations Need to Know About Canada's New Privacy Reform