Legitimate Interest Under Bill C-36 (PPCDA): New to Canadian Privacy Law
By Yong Du
Bill C-36's PPCDA introduces legitimate interest under section 18(3) — a new basis for using personal information without consent in Canada.
What legitimate interest is
Legitimate interest is a legal basis for collecting, using, or disclosing personal information without consent from the individual.
It has existed in European privacy law — GDPR Article 6(1)(f) — for years. Section 18(3) of Bill C-36's Protecting Privacy and Consumer Data Act introduces it to Canadian federal privacy law for the first time.
Under section 18(3) of the PPCDA, an organization can process personal information without consent if three conditions are all met:
- The organization has a legitimate interest
- The collection, use, or disclosure is necessary for that interest
- The interest is not outweighed by the foreseeable adverse effects on the individual
All three must be satisfied. Two out of three is not sufficient.
Why this matters for Canadian SMBs
PIPEDA operates primarily on consent — organizations need the individual's express or implied consent for most data uses. In practice, many low-risk business activities have been justified through implied consent, sometimes in ways that stretched the concept further than the OPC intended.
Bill C-36 and the PPCDA resolve some of that grey area by recognizing legitimate interest as a distinct legal basis. Activities that were previously justified through broad implied consent interpretations may now have a cleaner legal footing under the PPCDA — if the three conditions are met and the documentation requirements are followed.
The documentation requirements are where most SMBs will find this more demanding than expected. Legitimate interest is not a replacement for consent or a way to avoid it. It is a different legal basis with its own obligations attached.
The three conditions
Condition 1: A legitimate interest
The PPCDA does not define "legitimate interest" exhaustively. Drawing on GDPR jurisprudence — which Canadian drafters borrowed from in writing section 18(3) — the following types of activities generally qualify:
- Fraud prevention and security monitoring where the organization detects, investigates, and prevents fraudulent transactions or unauthorized access
- Network and information security — monitoring systems for intrusions or vulnerabilities
- Internal compliance functions — audits and risk assessments necessary for legal or regulatory compliance
- Analytics that identify aggregate patterns without identifying or profiling individual people
- Direct marketing to existing customers for products or services closely related to those they already purchased
The following generally do not qualify as legitimate interests under GDPR interpretation — and are unlikely to qualify under the PPCDA:
- Selling personal information to data brokers, advertisers, or other third parties
- Building detailed profiles of individuals who have not interacted with the organization
- Collecting personal information for purposes unrelated to the service the individual requested
- Any processing where the individual would clearly object if told about it
The Commission will develop its own interpretation of legitimate interest over time. Organizations that rely on this basis before the Commission has published guidance take on some interpretive risk.
Condition 2: Necessity
The collection, use, or disclosure must be necessary for the legitimate interest — not merely useful, convenient, or more efficient.
This is a meaningful constraint. If the same business purpose can be achieved using less personal information, or without relying on legitimate interest at all, the necessity condition is not met. If an organization collects 10 data fields and only 3 are needed for the stated interest, the necessity condition is not met for the 7 that are not needed.
An organization that cannot articulate why each piece of personal information it collects is specifically necessary for its stated legitimate interest has a necessity problem.
Condition 3: The balancing test
The third condition requires the organization to weigh the foreseeable adverse effects on individuals against the strength of its legitimate interest.
This is not a declaration — it is an analysis. The organization must ask:
- What harm could the individual experience as a result of this use of their information?
- How likely is that harm?
- How severe is it?
- Does the organization's interest, weighed against the probability and severity of harm, still come out ahead?
The balancing test must be documented. A bare assertion that "our interest outweighs the privacy impact" will not satisfy the Commission if challenged. The analysis must be specific to the activity and the type of information involved.
The documentation requirements under sections 18(4)-(5) and 62
Before relying on legitimate interest under the PPCDA, the organization must complete four steps:
1. Conduct a Privacy Impact Assessment
The PIA must be done before the activity begins — not after the fact. It must identify the foreseeable adverse effects on individuals and the specific measures the organization will take to mitigate them. The PIA must be documented and must be available to the Commission on request.
2. Identify and describe the legitimate interest in writing
Section 18(5) requires a written description — not a general statement. "We rely on legitimate interest for fraud prevention" is not sufficient. The description must connect the specific activity to the specific interest and explain why the collection or use is necessary.
3. Take reasonable measures to mitigate adverse effects
Where the PIA identifies risks, the organization must take concrete steps to reduce them. What constitutes "reasonable measures" depends on the sensitivity of the information and the nature of the activity.
4. Disclose publicly
Section 62(2)(b) of the PPCDA requires the organization to include in its public-facing privacy notice a description of any legitimate interest basis it relies on and the nature of the activities conducted under that basis.
This last requirement is the one most organizations do not anticipate. Relying on legitimate interest is not a private decision. It must appear in the organization's public privacy notice. Relying on legitimate interest without disclosing it publicly is not permitted under the PPCDA.
What changes under PIPEDA while waiting for the PPCDA
Legitimate interest does not exist as a legal basis under PIPEDA. While Bill C-36 is not yet in force, PIPEDA's consent framework applies. Organizations should not represent to individuals or regulators that they are relying on legitimate interest under current Canadian law.
What this period is useful for: identifying which of your current data uses rely on stretched implied consent, and assessing whether those uses would qualify under legitimate interest once the PPCDA comes into force. That analysis can be done now, before the obligation becomes enforceable.
Scope note
This article covers the PPCDA (Bill C-36), which applies to private-sector organizations engaged in inter-provincial or international commercial activity. Quebec organizations primarily engaged in intra-provincial commercial activity are governed by Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64). Law 25 does not use the term "legitimate interest" — its consent and exception framework is distinct from the PPCDA's. Quebec obligations are not covered here.
What to do before Bill C-36 comes into force
Four steps that prepare an organization for the legitimate interest obligation:
- Inventory your current data uses. For each one, identify the legal basis you currently rely on — express consent, implied consent, legal obligation, or something else. Flag any that rely on implied consent for activities that feel like a stretch.
- For each flagged use, assess whether it meets the legitimate interest test. Is there a genuine business interest? Is each piece of information necessary for it? Would the individuals affected be surprised if told about the use, or would they expect it?
- Draft written descriptions of the activities for which you expect to rely on legitimate interest. Getting this language right before the obligation is enforceable is easier than writing it under time pressure after a complaint is filed.
- Plan your PIA process for those activities. You do not need to complete formal PIAs now — the PPCDA is not in force. But identifying which activities will need PIAs and what information you will need to gather makes the process faster when the time comes.
Frequently asked questions
What is legitimate interest under Bill C-36 and the PPCDA?
Legitimate interest is a legal basis that allows an organization to collect, use, or disclose personal information without obtaining consent from the individual. Section 18(3) of the PPCDA allows this if three conditions are all met: the organization has a legitimate interest, the collection or use is necessary for that interest, and the interest is not outweighed by the foreseeable adverse effects on the individual. All three must be satisfied simultaneously.
Is legitimate interest available under PIPEDA today?
No. PIPEDA does not contain a legitimate interest basis. Under PIPEDA, organizations must rely on consent — express or implied — for most data uses. Some organizations have stretched implied consent to cover activities that are better characterized as legitimate interests. Bill C-36's PPCDA introduces legitimate interest as a recognized basis, but it comes with documentation requirements that implied consent did not.
What is the difference between legitimate interest and implied consent under PIPEDA?
Implied consent under PIPEDA is inferred from context — the individual would reasonably expect their information to be used in a particular way. Legitimate interest under the PPCDA is a formal legal basis with a defined three-part test, a mandatory Privacy Impact Assessment, a written description of the interest, and a public disclosure requirement. Legitimate interest provides more legal clarity than implied consent — but requires more documentation.
Does an organization need to conduct a Privacy Impact Assessment before relying on legitimate interest?
Yes. Section 18(4)(b) of the PPCDA requires the organization to conduct a Privacy Impact Assessment before relying on legitimate interest. The PIA must be done before the collection, use, or disclosure begins — not after the fact. It must identify the foreseeable adverse effects on individuals and the measures the organization will take to mitigate them. Legitimate interest cannot be claimed retroactively.
What happens if the Commission disagrees with our legitimate interest assessment under the PPCDA?
If the Commission investigates and concludes that the organization's reliance on legitimate interest was not justified — because the interest was not legitimate, the use was not necessary, or the adverse effects were not adequately weighed — it may find a contravention of section 18(3). Under section 132 of the PPCDA, a confirmed contravention finding opens the door to civil suits from affected individuals. The written documentation of the interest and the PIA are the evidentiary record if the assessment is challenged.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.