
Canada’s Protecting Privacy and Consumer Data Act (Bill C-36): BLG’s guide


On June 15, 2026, the federal government introduced Bill C-36, An Act to enact the Protecting Privacy and Consumer Data Act (PPCDA). If enacted, this long‑awaited legislation would mark the most significant reform of Canada's federal private-sector privacy regime in more than two decades.

Most critically, the PPCDA would replace the privacy provisions found in the Personal Information Protection and Electronic Documents Act (PIPEDA) with a modernized and strengthened framework, introducing new individual rights, new consent rules, a new enforcement regime and a new privacy regulator for private-sector obligations: the Data Protection Commission of Canada.

The PPCDA reflects the federal government's broader digital policy agenda, complementing the AI for All national strategy and the Safe Social Media Act (Bill C-34). BLG prepared this guide to explain the proposed PPCDA, help organizations understand what may be coming, and offer comparative insights with PIPEDA, Québec's Private Sector Act and the GDPR; our handy table highlights key differences between Bill C-36 and the Private Sector Act.

This guide will be updated as Bill C-36 progresses through the legislative process.

What the guide covers

  • Enforcement: the proposed Digital Safety and Data Protection Commission, administrative penalties of up to $10 million or 3 per cent of global revenue, and fines of up to $25 million or 5 per cent for indictable offences;
  • Accountability and governance: proposed obligations for privacy management programs, the role of the privacy officer, and record-keeping requirements;
  • Consent: proposed new consent exceptions and validity requirements;
  • New individual rights: the proposed right to disposal, data mobility, and the right to explanation of automated decisions;
  • Children: new heightened standards for children’s personal information;
  • Artificial intelligence: proposed rules for de-identification, anonymization, and transparency requirements for automated decision systems;
  • Outsourcing and cross-border transfers: new obligations directly imposed on service providers and a PIA requirement for cross-border transfers;
  • Safeguards and incident response; and
  • Retention and disposal.

The authors would like to thank Marianne Bellavance, articling student, for her contributions to the guide.
