On June 15, 2026, the federal government introduced Bill C-36, An Act to enact the Protecting Privacy and Consumer Data Act (PPCDA). If enacted, this long‑awaited legislation would mark the most significant reform of Canada's federal private-sector privacy regime in more than two decades.
Most critically, the PPCDA would replace the privacy provisions found in the Personal Information Protection and Electronic Documents Act (PIPEDA) with a modernized and strengthened framework, introducing new individual rights, new consent rules, a new enforcement regime and a new privacy regulator for private-sector obligations: the Data Protection Commission of Canada.
The PPCDA reflects the federal government's broader digital policy agenda, complementing the AI for All national strategy and the Safe Social Media Act (Bill C-34). BLG prepared this guide to explain the proposed PPCDA, help organizations understand what may be coming, and offer comparative insights with PIPEDA, Québec's Private Sector Act and the GDPR; our handy table highlights key differences between Bill C-36 and the Private Sector Act.
This guide will be updated as Bill C-36 progresses through the legislative process.
What the guide covers
- Enforcement: the proposed Digital Safety and Data Protection Commission, administrative penalties of up to $10 million or 3 per cent of global revenue, and fines of up to $25 million or 5 per cent for indictable offences;
- Accountability and governance: proposed obligations for privacy management programs, the role of the privacy officer, and record-keeping requirements;
- Consent: proposed new consent exceptions and validity requirements;
- New individual rights: the proposed right to disposal, data mobility, and the right to explanation of automated decisions;
- Children: new heightened standards for children’s personal information;
- Artificial intelligence: proposed rules for de-identification, anonymization, and transparency requirements for automated decision systems;
- Outsourcing and cross-border transfers: new obligations directly imposed on service providers and PIA requirement for cross-border transfers;
- Safeguards and incident response; and
- Retention and disposal.
The authors would like to thank Marianne Bellavance, articling student, for her contributions to the guide.