What Is Bill C-36? Canada's New Privacy Law for Small Businesses

By Yong Du

Bill C-36 replaces PIPEDA with the Protecting Privacy and Consumer Data Act (PPCDA). Here is what changes, what stays the same, and what Canadian SMBs need to do now.

What is Bill C-36?

Bill C-36 — the Protecting Privacy and Consumer Data Act — is Canada's new federal commercial privacy law. It received first reading in the House of Commons on June 15, 2026.

The bill replaces the privacy provisions of PIPEDA with a new statute: the Protecting Privacy and Consumer Data Act (PPCDA). PIPEDA itself is renamed the Electronic Documents Act and survives only in its electronic documents and signatures provisions.

For Canadian small businesses, the PPCDA is the most significant change to federal privacy law since PIPEDA came into force in 2001.


What does it replace?

PIPEDA — the Personal Information Protection and Electronic Documents Act — has governed how private-sector organizations collect, use, and disclose personal information in commercial activities since 2001.

Bill C-36 repeals Part 1 of PIPEDA entirely. The new PPCDA takes its place. The regulator changes name too: the Office of the Privacy Commissioner becomes part of the Digital Safety and Data Protection Commission of Canada, with a newly designated Privacy and Consumer Data Commissioner.


When does it come into force?

Bill C-36 received first reading on June 15, 2026. First reading is the earliest stage of the legislative process — the bill still needs to pass second reading, committee review, third reading, Senate review, and royal assent before it becomes law.

Even after royal assent, the PPCDA's privacy obligations do not come into force automatically. They require a separate Order in Council — and that Order cannot be issued until Bill C-34 (the Safe Social Media Act) has also received royal assent and the Digital Safety and Data Protection Commission is operational.

Realistic timeline: 12 to 24 months from first reading, at minimum.

PIPEDA remains the operative federal privacy law in the meantime. Your current compliance obligations do not change today.


What stays the same: breach reporting

The most important thing for most Canadian SMBs to know: breach reporting obligations are unchanged.

Section 58 of the PPCDA mirrors PIPEDA's existing breach reporting rules almost exactly:

  • The "real risk of significant harm" (RROSH) standard is identical
  • The definition of significant harm is identical — bodily harm, humiliation, financial loss, identity theft, damage to reputation or relationships, loss of employment or business opportunities, negative effects on credit
  • The factors for assessing RROSH are identical — sensitivity of the information, probability of misuse
  • The obligation to report to the regulator is unchanged
  • The obligation to notify affected individuals is unchanged
  • The obligation to maintain breach records is unchanged
  • The obligation for service providers to notify the controlling organization is unchanged

If your breach response process is correctly built under PIPEDA, it transfers to the PPCDA without modification.


What changes: new obligations for Canadian businesses

1. Privacy management program (section 9)

Every organization must implement and maintain a privacy management program — a documented set of policies, practices, and procedures covering:

  • How personal information is protected
  • How access requests and complaints are received and handled
  • Staff training on privacy obligations
  • Public-facing materials explaining the organization's privacy practices

The program must be proportionate to the volume and sensitivity of personal information the organization holds. The Commission can request access to it at any time.

This is a new mandatory compliance artifact. Most Canadian SMBs do not have a formal privacy management program today. Under PIPEDA, there was no explicit requirement to document one.

2. Legitimate interest (section 18(3))

The PPCDA introduces a legitimate interest basis for collecting, using, or disclosing personal information without consent — borrowed from the GDPR framework used in Europe.

An organization can rely on legitimate interest if:

  • It has a genuine business interest that outweighs the foreseeable adverse effects on individuals
  • A reasonable person would expect the collection, use, or disclosure
  • The information is not being used to influence the individual's behaviour or decisions

Before relying on legitimate interest, the organization must conduct a Privacy Impact Assessment, identify adverse effects, and take steps to mitigate them. The legitimate interest basis and the PIA must be documented and disclosed publicly.

This is entirely new to Canadian federal privacy law. SMBs that have been relying on vague "implied consent" for certain data uses may find that legitimate interest is the correct basis — but it comes with documentation requirements.

3. Cross-border transfer Privacy Impact Assessment (section 57)

Before transferring or disclosing personal information outside Canada, an organization must:

  1. Conduct a Privacy Impact Assessment
  2. Implement measures to mitigate the identified risks — contractual protections, certification programs, or other prescribed measures

Most Canadian SMBs using US-based cloud services — email hosting, payroll software, CRM platforms, payment processors — are transferring personal information outside Canada routinely. Under PIPEDA, a transfer to a service provider did not require a PIA. Under the PPCDA, it does.

4. Right to disposal (section 54)

Individuals gain a stronger right to request that an organization permanently delete their personal information if:

  • The information was collected in contravention of the Act
  • The individual has withdrawn consent
  • The information is no longer necessary for the product or service they requested

The organization must also notify service providers to delete the same information. There are limited exceptions — legal defence, conflicting retention obligations, undue burden — but the default shifts toward deletion on request.

5. Automated decision system transparency (section 63)

If your organization uses an automated system to make decisions with legal or similarly significant effects on individuals — approvals, denials, assessments, pricing — affected individuals have the right to:

  • An explanation of what personal information was used
  • The source of that information
  • The reasons or principal factors behind the decision
  • The ability to make written representations to a human reviewer

6. Private right of action (section 132)

This is the most significant enforcement change. Under PIPEDA, the Privacy Commissioner could investigate and make recommendations — but had no power to impose penalties and individuals could not sue directly.

Under the PPCDA, after a confirmed contravention finding, individuals can sue the organization for damages in Federal Court or a provincial superior court.

This changes the risk calculation for Canadian SMBs. Non-compliance is no longer just a regulatory risk — it is a direct litigation risk.

7. Higher penalties (section 114)

Administrative monetary penalties increase dramatically:

Tier                            Maximum penalty
Administrative (non-criminal)   Greater of $10,000,000 or 3% of gross global revenue
Criminal (indictable offence)   Greater of $25,000,000 or 5% of gross global revenue
Criminal (summary conviction)   Greater of $20,000,000 or 4% of gross global revenue

PIPEDA had no administrative monetary penalty regime and very limited criminal penalties. For large SMBs, the percentage-of-revenue cap is the operative limit.


What Alberta and BC businesses need to know

Alberta and BC each have their own provincial PIPA laws that govern intra-provincial commercial activity. The PPCDA does not displace these.

The substantially similar provincial exemption is preserved in section 139(2)(b). Alberta PIPA (administered by the OIPC Alberta) and BC PIPA (administered by the BC OIPC) continue to apply to commercial activity that occurs entirely within those provinces.

However, the PPCDA applies to any inter-provincial or international commercial activity — which includes most Alberta and BC businesses that have customers, vendors, or data flows outside the province.

Both provinces are also undergoing their own PIPA reform processes that will run in parallel with the federal changes. See the Alberta PIPA reform guide and BC PIPA reform guide for current status.


What Canadian SMBs should do now

Bill C-36 is not yet law. PIPEDA remains operative. You do not need to rebuild your compliance program today.

What you should do now:

  1. Confirm your current breach reporting process is PIPEDA-compliant. It will transfer directly to the PPCDA.
  2. Start documenting your privacy management program. The PPCDA will require one. Building it now — while there is no enforcement pressure — is far easier than building it under a compliance deadline.
  3. Map which vendors receive personal information and where they are located. Cross-border transfer PIAs will be required under the PPCDA. Knowing your data flows now means you are ready when the obligation comes into force.
  4. Monitor C-36's legislative progress. The bill needs to pass through several more stages before it becomes law. ClearBreach will track each stage here.

Track Bill C-36's progress

Stage                          Status
First Reading                  ✓ June 15, 2026
Second Reading                 Pending
Committee Review               Pending
Third Reading                  Pending
Senate                         Pending
Royal Assent                   Pending
In Force (Order in Council)    Pending

Frequently asked questions

Does Bill C-36 replace PIPEDA?

Yes. Bill C-36 enacts the Protecting Privacy and Consumer Data Act (PPCDA), which replaces Part 1 of PIPEDA — the section that governs privacy obligations for private-sector organizations. PIPEDA itself is not repealed entirely: it is renamed the Electronic Documents Act and retains its electronic documents and electronic signatures provisions. For any practical privacy compliance purpose, PIPEDA is replaced by the PPCDA.

When does Bill C-36 come into force?

Not immediately. Bill C-36 received first reading on June 15, 2026. Before the PPCDA's privacy obligations come into force, two things must happen: Bill C-34 (the Safe Social Media Act) must receive royal assent and the Digital Safety and Data Protection Commission must be stood up, and then a separate Order in Council must bring the PPCDA's provisions into force. A realistic timeline is 12 to 24 months from first reading, at minimum. PIPEDA remains the operative federal privacy law until that Order in Council is issued.

Does Bill C-36 change how I report a data breach?

No. The breach reporting obligations in section 58 of the PPCDA are structurally identical to PIPEDA's existing breach reporting rules. The same "real risk of significant harm" standard applies. The same definition of significant harm applies — bodily harm, humiliation, financial loss, identity theft, damage to reputation. The same factors are used to assess risk. If you report breaches correctly under PIPEDA today, the same process applies under the PPCDA.

What is the Protecting Privacy and Consumer Data Act (PPCDA)?

The PPCDA is the new federal commercial privacy law enacted by Bill C-36. It replaces the privacy provisions of PIPEDA and is administered by a renamed regulator — the Digital Safety and Data Protection Commission of Canada — with a new Privacy and Consumer Data Commissioner. The PPCDA introduces several new obligations not found in PIPEDA, including mandatory privacy management programs, a legitimate interest basis for data processing, cross-border transfer privacy impact assessments, and a private right of action for affected individuals.

Does Bill C-36 affect Alberta and BC businesses?

Alberta and BC businesses are already governed by their own provincial PIPA laws for intra-provincial commercial activity. Bill C-36 does not change that — the substantially similar provincial exemption is preserved. However, the PPCDA applies to any inter-provincial or international commercial activity, which includes most Alberta and BC businesses that have customers or vendors outside the province. Both provinces are also undergoing their own PIPA reforms, which will run in parallel with the federal changes.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.