Canada's federal privacy framework rests on a law written before most people had broadband. The Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000, governs how private-sector organisations collect, use, and disclose personal information during commercial activities. For more than two decades it has been the baseline - but that baseline has not kept pace with the reality of modern data collection, behavioural tracking, or cross-border data flows.

Bill C-27, the Digital Charter Implementation Act, was supposed to change that. Introduced in June 2022, it bundled three pieces of legislation: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). The bill made it through second reading and into clause-by-clause committee review before Parliament was prorogued in January 2025, killing it on the Order Paper.

A new privacy reform bill is expected from the federal government in 2026. Privacy Commissioner Philippe Dufresne has publicly stated that Canada needs modernised privacy laws, and the Carney government's federal budget has signalled a new private-sector privacy statute with a companion tribunal bill. Until that legislation is introduced and passed, PIPEDA remains the law in force.

Why PIPEDA Needs Replacing

PIPEDA was built around ten fair information principles drawn from the CSA Model Code (CAN/CSA-Q830-96). Those ten principles - accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access, and challenging compliance - still form a sensible foundation. The problem is enforcement, not philosophy.

The Privacy Commissioner of Canada can investigate complaints, conduct audits, and publish findings. What the Commissioner cannot do under PIPEDA is issue binding orders or impose fines. The maximum penalty for an offence under PIPEDA is CAD 100,000 - a figure that barely registers for large organisations. Compare that to the GDPR's maximum of 4% of global annual turnover, or Quebec's Law 25, which permits administrative penalties up to CAD 10 million or 2% of worldwide turnover, with court-imposed fines reaching CAD 25 million or 4%.

PIPEDA also lacks modern data subject rights that have become standard internationally. There is no explicit right to erasure, no right to data portability, and no right to object to automated decision-making. The right to erasure that EU residents take for granted does not exist under federal Canadian law.

What Bill C-27 Would Have Changed

The CPPA, had it passed as Part 1 of Bill C-27, would have replaced Part 1 of PIPEDA entirely. The scope would have remained similar - private-sector organisations engaged in commercial activity - but nearly every mechanism would have been upgraded.

Consent and Transparency

The CPPA required meaningful consent to be obtained in plain language. Implied consent, which PIPEDA permits for non-sensitive information under certain conditions, would have been restricted further. Organisations would have needed to explain the purpose of data collection in terms an ordinary person could understand - no more burying disclosures in pages of legalese.

Children's data was treated as sensitive by default. That designation would have triggered the express consent standard for any collection involving minors, regardless of the type of information.

New Individual Rights

The CPPA proposed a right to data portability, allowing individuals to request their personal information in a structured, machine-readable format and have it transferred to another organisation. It also included a right to request disposal (deletion) of personal information. A private right of action would have allowed individuals to sue organisations directly for privacy violations after the Commissioner upheld a complaint - a mechanism that does not exist under PIPEDA.

Enforcement With Teeth

The proposed penalty structure was significantly harsher. Administrative monetary penalties could reach CAD 10 million or 3% of global revenue for standard violations. For the most serious offences, the ceiling rose to CAD 25 million or 5% of global revenue - whichever was greater. A new Personal Information and Data Protection Tribunal would have heard appeals and imposed penalties, giving the enforcement regime an institutional backbone that PIPEDA lacks.

The Privacy Commissioner would have gained binding order-making powers, the ability to approve compliance agreements with financial conditions, and broader audit authority. Under PIPEDA, the Commissioner's findings are recommendations only.

Legitimate Interest and Appropriate Purpose

The CPPA introduced an "appropriate purpose" test under Section 12(2), which would have required organisations to weigh factors including the sensitivity of information, whether less intrusive alternatives existed, and whether the individual would reasonably expect the collection. This was distinct from the GDPR's legitimate interest framework but served a similar function - providing a basis for processing without direct consent in limited circumstances.

This provision drew criticism from privacy advocates who argued it functioned as an exception to consent rather than a separate, balanced legal basis. The framing is likely to be revisited in successor legislation.

Why Bill C-27 Failed

The bill did not fail on substance alone. Several procedural and political factors converged to prevent passage.

Bundling privacy reform with artificial intelligence regulation was the most commonly cited problem. AIDA, the AI component, drew sustained criticism for being vague - it left the definition of "high-impact system" to future regulations rather than specifying it in the statute. That ambiguity made it difficult for parliamentarians and stakeholders to assess the bill's real-world impact. Many observers believed the CPPA would have passed more quickly if AIDA had been separated into its own bill.

The proposed Data Protection Tribunal was another fault line. Opposition parties argued it would add a layer of bureaucracy between citizens and their privacy rights, potentially delaying enforcement rather than strengthening it. The Privacy Commissioner's office itself expressed concerns about the Tribunal's structure.

In January 2025, Prime Minister Trudeau prorogued Parliament, automatically killing all legislation in progress. A snap federal election followed in April 2025, and with it came a change of government priorities. The result: Canada entered 2026 still running on a privacy law from the turn of the millennium.

What Comes Next: The 2026 Reform Outlook

The Carney government has signalled that a new federal private-sector privacy statute is coming. The federal budget announcement indicated new legislation could be introduced in late 2025 or early 2026, though the bill did not materialise before the end of 2025. Privacy observers report that draft legislation was prepared but held back, possibly due to concerns about integrating data sovereignty provisions.

Several themes are expected to carry over from Bill C-27 into whatever replaces it. Stronger individual rights, binding enforcement powers for the Commissioner, meaningful consent requirements, and significant financial penalties are considered near-certain inclusions. AI regulation, however, is expected to proceed as a separate bill this time around - a direct response to the lessons of C-27's failure.

New priorities are also shaping the debate. The Carney government released a Digital Sovereignty Framework in November 2025, and data sovereignty - ensuring Canadian data is not freely accessible to foreign governments or companies - is now a central policy concern. Children's privacy has gained further attention both domestically and internationally, and the next bill is expected to go further than C-27 did in this area.

Privacy Commissioner Dufresne has urged Parliament to recognise privacy as a fundamental right in any successor legislation and to strengthen the framework for automated decision-making. Whether Parliament takes that step remains to be seen.

Quebec's Law 25: The De Facto Standard

While Ottawa deliberates, Quebec has already acted. Law 25 (formerly Bill 64) was adopted in September 2021 and rolled out in three phases, with the final provisions - including data portability - taking effect in September 2024. It applies to any organisation carrying on an enterprise in Quebec that handles personal information of Quebec residents, regardless of where the organisation is based.

Law 25 requires express opt-in consent for sensitive data, mandatory privacy impact assessments for new technology projects involving personal information, breach notification to the Commission d'accès à l'information (CAI), and a designated privacy officer. The penalty regime is substantial: administrative monetary penalties up to CAD 10 million or 2% of worldwide turnover, with court-imposed fines reaching CAD 25 million or 4%.

For organisations operating across Canada, Law 25 already sets a higher bar than PIPEDA. Many businesses have adopted it as their practical baseline, along with the GDPR for European operations and the CCPA/CPRA for California.

PIPEDA, CPPA, Law 25, and GDPR Compared

| Feature | PIPEDA (current) | CPPA (proposed) | Quebec Law 25 | GDPR |
|---|---|---|---|---|
| Year enacted/proposed | 2000 | 2022 (died 2025) | 2021 (fully effective 2024) | 2016 (effective 2018) |
| Right to erasure | No | Yes | Yes | Yes |
| Data portability | No | Yes | Yes | Yes |
| Private right of action | No | Yes | Yes (min CAD 1,000) | Yes |
| Maximum fines | CAD 100,000 | CAD 25M / 5% global revenue | CAD 25M / 4% worldwide turnover | EUR 20M / 4% global turnover |
| Binding orders by regulator | No | Yes | Yes | Yes |
| Children's data protections | Limited guidance | Sensitive by default | Consent for under-14s | Article 8 parental consent |
| Cookie consent model | Implied (non-sensitive) | Meaningful, plain language | Express opt-in | Prior opt-in (ePrivacy) |

What PIPEDA Says About Cookies Today

PIPEDA does not mention cookies by name. Instead, the law's consent and transparency requirements apply to any collection of personal information, which the Office of the Privacy Commissioner (OPC) has interpreted to include IP addresses, device identifiers, and browsing behaviour collected through cookies and similar tracking technologies.

The OPC's guidance on online behavioural advertising takes the position that tracking for advertising purposes generally constitutes collection of personal information. For non-sensitive data, implied consent - such as continuing to browse after being informed about cookies - may suffice under PIPEDA, provided the individual has a genuine ability to opt out. For sensitive information, express consent is required.

Tracking technologies that offer no viable opt-out mechanism - the OPC specifically mentions zombie cookies, super cookies, and device fingerprinting - should not be used for behavioural advertising under PIPEDA, because meaningful consent is impossible when the individual cannot exercise control.

Under the CPPA as proposed, these rules would have become stricter. Consent requirements would have been elevated to a plain-language, meaningful standard for all collection, and deceptive design patterns (dark patterns) in consent interfaces would have been explicitly prohibited. If you use a consent management platform to handle cookie consent, aligning with the stricter standard now means less disruption when new legislation arrives.

How to Prepare Your Website Now

Waiting for the new law to pass before acting is a risky strategy. The direction of reform is clear even if the timeline is not. Organisations that align with the tougher standards already in force elsewhere will have less to do when Canada's new privacy statute arrives.

Audit Your Cookie and Tracking Practices

Run a cookie scan to identify every cookie and tracker on your site. Document the purpose, duration, and provider for each one. If you cannot explain why a cookie exists, you probably should not be setting it. Pay attention to third-party scripts - analytics tools, social media widgets, and advertising pixels often set cookies that your visitors never agreed to.

Implement Meaningful Consent

Even under PIPEDA's current implied consent model, the OPC expects clear information about what data is collected and genuine user choice. Move towards express opt-in consent for analytics and marketing cookies. Quebec's Law 25 already requires this, and the CPPA would have mandated it. Use a clear category-based approach so visitors understand what they are agreeing to.

Document Everything

The CPPA would have required privacy management programmes with documented policies and procedures. Start building this now: maintain records of what personal information you collect, why, how long you keep it, and who you share it with. If you operate under the GDPR's records of processing requirements already, you have a head start.

Prepare for New Rights

Data portability and the right to deletion are coming. Ensure your systems can respond to requests to export personal data in a standard format and to delete records when asked. The right to data portability will require technical infrastructure, not just a policy statement.

Mind Provincial Laws

If you have customers in Quebec, Law 25 applies to you today. British Columbia and Alberta each have their own Personal Information Protection Acts that may impose additional requirements. Ontario, Alberta, and Nova Scotia also passed significant reforms to public-sector privacy legislation in 2024 and 2025. Provincial compliance is not optional - and federal reform will not override stricter provincial rules where those rules are deemed substantially similar to the federal standard.
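The audit and consent steps above, as an added example that is not part of the original article or any consent product it mentions: a cookie inventory built from Set-Cookie headers (purpose, duration, provider, first- or third-party) and a consent gate that requires express opt-in for non-necessary categories under Law 25 while allowing informed implied consent only for non-sensitive categories under PIPEDA. The cookie names, category labels and sample headers are constructed for illustration.

```javascript
// Added example, not part of the original article: a small cookie inventory
// and consent gate for a site with Canadian visitors. Cookie names, categories
// and the Set-Cookie samples are constructed for illustration only.

// Declared purposes for known cookies; anything not listed is flagged.
const DECLARED = {
  session_id: { category: 'necessary', purpose: 'login session' },
  _ga: { category: 'analytics', purpose: 'usage statistics' },
  _fbp: { category: 'marketing', purpose: 'ad attribution' },
};
// Categories treated as behavioural tracking: express consent, never implied.
const EXPRESS_ONLY = new Set(['marketing']);

// Build one inventory record (purpose, duration, provider) from a Set-Cookie header.
function inventoryCookie(header, siteDomain, nowMs = Date.now()) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const attr = {};
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    attr[k.toLowerCase()] = v;
  }
  const provider = (attr.domain || siteDomain).replace(/^\./, '');
  const thirdParty = provider !== siteDomain && !provider.endsWith('.' + siteDomain);
  let days = 0; // 0 means a session cookie
  if (attr['max-age']) days = Number(attr['max-age']) / 86400;
  else if (attr.expires) days = (Date.parse(attr.expires) - nowMs) / 86400000;
  const known = DECLARED[name];
  return {
    name, provider, thirdParty, days: Math.round(days),
    category: known ? known.category : 'undocumented',
    purpose: known ? known.purpose : 'UNKNOWN: document it or stop setting it',
  };
}

// Decide whether a category may be used given the visitor's recorded choices.
// consent = { noticeShown, optedIn: [...], optedOut: [...] }; nothing is
// pre-selected, so a fresh visitor has optedIn = [] (no pre-ticked boxes).
// regime is 'law25' (express opt-in for all non-necessary categories) or
// 'pipeda' (implied consent acceptable only for non-sensitive categories).
function mayUse(category, consent, regime) {
  if (category === 'necessary') return true;
  if (category === 'undocumented') return false; // no purpose, no valid consent
  if (consent.optedOut.includes(category)) return false;
  if (consent.optedIn.includes(category)) return true;
  if (regime === 'law25' || EXPRESS_ONLY.has(category)) return false;
  return consent.noticeShown; // informed and not opted out: implied consent
}
```

Call `mayUse` before injecting any analytics or advertising script so that blocked categories never load, and treat every `undocumented` record from the inventory as a cookie to remove or document.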

The EU Adequacy Factor

The European Commission renewed Canada's data adequacy decision in January 2024, but explicitly noted that Bill C-27's progress was a factor. The Commission said it would closely monitor future efforts to update PIPEDA. If Canada fails to pass meaningful reform, that adequacy status could come under pressure at the next review - which would complicate cross-border data transfers between the EU and Canada and create real problems for Canadian businesses reliant on European data flows.

Frequently Asked Questions

Has Bill C-27 been passed into law?

No. Bill C-27 died on the Order Paper when Parliament was prorogued in January 2025. The CPPA and AIDA were never enacted. PIPEDA remains Canada's federal private-sector privacy law.

When will Canada's new privacy law take effect?

A successor bill is expected to be introduced in 2026, but no legislation has been tabled yet as of March 2026. Even after introduction, the parliamentary process - committee review, readings, and royal assent - means any new law is unlikely to take effect before 2027 at the earliest.

Do I need cookie consent for Canadian visitors under PIPEDA?

PIPEDA requires meaningful consent for the collection of personal information, which includes data gathered through cookies and tracking technologies. For non-sensitive data, implied consent may be acceptable if users are clearly informed and can opt out. For sensitive data or behavioural tracking, express consent is recommended.

How does Quebec's Law 25 differ from PIPEDA?

Law 25 is significantly stricter. It requires express opt-in consent for tracking technologies, mandatory privacy impact assessments, a designated privacy officer, breach notification, and data portability. Penalties under Law 25 can reach CAD 25 million or 4% of worldwide turnover - far exceeding PIPEDA's maximum of CAD 100,000.

Will the new Canadian privacy law apply to websites outside Canada?

PIPEDA currently applies to organisations that collect personal information from Canadian residents during commercial activity, regardless of where the organisation is based. The CPPA would have maintained this extraterritorial scope, and successor legislation is expected to do the same.

What fines could the CPPA have imposed?

The CPPA proposed administrative monetary penalties of up to CAD 10 million or 3% of global revenue for standard violations, rising to CAD 25 million or 5% of global revenue for the most serious offences.

Should I comply with the CPPA even though it has not passed?

Treating the CPPA's standards as a practical target is a sound strategy. The core provisions - meaningful consent, data portability, right to deletion, and robust documentation - are likely to appear in whatever bill Parliament introduces next. Aligning now reduces the compliance burden later.

Get Ahead of Canada's Privacy Reform

If your website collects data from Canadian visitors and you are still relying on a basic cookie notice with no real consent mechanism, the gap between where you are and where the law is heading is widening. Kukie.io detects every cookie and tracker on your site, categorises them, and provides a consent banner that meets the standards already in force under Quebec's Law 25