
Bill C-27 Digital Charter: What Canadian Businesses Need to Know in 2026

Lunyb Security Team
10 min read

Canada's privacy and AI landscape is undergoing its most significant transformation in over two decades. Bill C-27, known as the Digital Charter Implementation Act, 2022, is the federal government's attempt to modernize how organizations collect, use, and share personal information, and how artificial intelligence systems are designed and deployed across the country. If enacted, whether in its original form or as an amended successor bill, it will replace the private-sector privacy rules in PIPEDA and introduce sweeping new obligations, enforcement powers, and penalties.

This guide breaks down what Bill C-27 contains, who it affects, the penalties for non-compliance, and the practical steps Canadian businesses should take now to prepare.

What Is Bill C-27?

Bill C-27, the Digital Charter Implementation Act, 2022, is a federal Canadian bill introduced in June 2022 that bundles three new pieces of legislation into a single package: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA).

The bill is designed to replace Part 1 of the existing Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's two-decade-old federal privacy law — and to introduce Canada's first comprehensive AI regulatory framework. It is the legislative arm of the federal government's broader Digital Charter, a policy initiative announced in 2019 to build trust in the digital economy.

The Three Acts Inside Bill C-27

  1. Consumer Privacy Protection Act (CPPA) — Replaces PIPEDA's private-sector privacy rules with stronger consent, transparency, and individual rights provisions.
  2. Personal Information and Data Protection Tribunal Act (PIDPTA) — Creates a new tribunal to hear appeals of Privacy Commissioner decisions and impose administrative monetary penalties.
  3. Artificial Intelligence and Data Act (AIDA) — Canada's first dedicated AI law, focusing on "high-impact" AI systems and prohibiting reckless or malicious uses.

Why Canada Needs Bill C-27

PIPEDA was passed in 2000 — before smartphones, social media platforms, large-scale data brokers, generative AI, or modern adtech existed. Critics, including the Office of the Privacy Commissioner of Canada, have long argued that PIPEDA lacks meaningful enforcement teeth, has weak consent rules for modern data flows, and gives Canadians fewer rights than Europeans enjoy under the GDPR or Quebec residents enjoy under Law 25.

Bill C-27 attempts to close that gap. It also helps Canada maintain its adequacy status with the European Union, which permits the free flow of personal data between Canada and the EU — a status worth billions to Canadian businesses.

Key Changes Under the Consumer Privacy Protection Act (CPPA)

The CPPA is the centerpiece of Bill C-27 for most businesses. It introduces the following major changes compared to PIPEDA:

1. Stronger Consent Requirements

Organizations must obtain consent in plain language at or before the time of collection. The consent request must explain the purposes, the type of personal information, the reasonably foreseeable consequences, and any third parties involved. Bundled or buried consent in lengthy terms of service will no longer be acceptable.

2. New Right to Disposal (Deletion)

Individuals gain a statutory right to request that organizations dispose of their personal information, similar to the GDPR's "right to be forgotten." Organizations must comply unless a statutory exception applies (for example, where the information must be retained by law or under a contract, or where disposing of it would also dispose of another person's information).

3. Algorithmic Transparency

If an organization uses an automated decision system to make a prediction, recommendation, or decision that could have a significant impact on an individual, it must provide a plain-language explanation of how the decision was made on request.

4. Data Mobility (Portability)

Once data mobility frameworks are established by regulation, individuals can request that their personal information be transferred from one organization to another in a structured format.

5. Enhanced Protections for Minors

Personal information of minors is automatically classified as sensitive information, triggering heightened protection requirements and stricter consent rules. Parents or guardians can exercise rights on behalf of minors.

6. Privacy Management Programs

Every organization must implement and document a privacy management program that includes policies, practices, training, and complaint procedures — and make it available to the Privacy Commissioner on request.

The Artificial Intelligence and Data Act (AIDA)

AIDA is Canada's first horizontal AI statute. It applies to organizations that design, develop, or make available "high-impact" AI systems used in international or interprovincial trade.

Core AIDA Obligations

  • Risk assessments for high-impact AI systems before deployment
  • Mitigation measures to address bias, harm, and discriminatory outputs
  • Monitoring obligations to ensure ongoing compliance
  • Transparency requirements — public descriptions of how high-impact systems work
  • Record-keeping obligations
  • Notification to the Minister if a system causes or is likely to cause material harm

AIDA also creates new criminal offences for using personal information obtained unlawfully to design AI systems, or for knowingly making available an AI system likely to cause serious harm.

Penalties: How Costly Is Non-Compliance?

This is where Bill C-27 fundamentally changes the game. PIPEDA's enforcement was largely reputational — the Privacy Commissioner could investigate and recommend, but had no power to fine. Bill C-27 introduces two enforcement tracks with substantial financial consequences.

| Penalty Type | Trigger | Maximum Fine |
| --- | --- | --- |
| Administrative Monetary Penalty (AMP) | Specified CPPA contraventions | Greater of $10 million CAD or 3% of global gross revenue |
| Criminal Offence (CPPA) | Serious violations (e.g., obstruction, retaliation against whistleblowers) | Greater of $25 million CAD or 5% of global gross revenue |
| AIDA Regulatory Penalty | Violations of AIDA obligations | To be set by regulation (significant) |
| AIDA Criminal Offence | Reckless or malicious AI use causing serious harm | Up to $25 million CAD or 5% of global gross revenue |

To put this in perspective: a Canadian company with $500 million in annual global revenue could face a fine of up to $25 million (5% of revenue, which at this size equals the $25 million floor) for a single serious criminal-track violation, and up to $15 million (3% of revenue) as an administrative monetary penalty. The 5% ceiling exceeds the GDPR's maximum of the greater of €20 million or 4% of global annual turnover.

Who Does Bill C-27 Apply To?

The CPPA applies to every private-sector organization that collects, uses, or discloses personal information in the course of commercial activities — essentially the same scope as PIPEDA. This includes:

  • Federally regulated businesses (banks, telecoms, airlines, interprovincial transport)
  • Provincially regulated businesses operating across provincial lines
  • Foreign organizations with a real and substantial connection to Canada (including many e-commerce and SaaS providers)

Provinces with substantially similar legislation — currently Quebec, British Columbia, and Alberta — may continue to operate under their own provincial laws, though Quebec's Law 25 already exceeds many CPPA requirements.

AIDA applies more narrowly to organizations involved in international or interprovincial trade or commerce in AI systems, with specific obligations triggered by "high-impact" classification.

Bill C-27 vs. GDPR vs. PIPEDA: A Quick Comparison

| Feature | PIPEDA (current) | Bill C-27 (CPPA) | EU GDPR |
| --- | --- | --- | --- |
| Right to deletion | Limited | Yes | Yes |
| Data portability | No | Yes (by regulation) | Yes |
| Maximum fine | $100,000 | Greater of $25 million or 5% of global revenue | Greater of €20 million or 4% of global revenue |
| Algorithmic transparency | No | Yes | Yes (Art. 22) |
| Special protection for minors | No explicit rule | Yes (deemed sensitive) | Yes |
| Mandatory privacy program | Recommended | Required | Required (DPO threshold) |
| Independent appeals tribunal | No | Yes (PIDPTA) | Varies by member state |

How to Prepare: A Practical Compliance Roadmap

Even though Bill C-27 has not been enacted at the time of writing (it died on the Order Paper when Parliament was prorogued in January 2025), organizations should begin preparing now. Many of its requirements echo Quebec's Law 25 and the GDPR, frameworks already in force, and any successor bill is unlikely to be weaker than what C-27 proposed.

Step 1: Conduct a Personal Data Audit

You can't protect what you don't know you have. Map every personal information data flow in your organization: what you collect, why, where it's stored, who has access, and when it's deleted. A thorough personal data audit is the foundation of every compliance program.

Step 2: Update Consent and Privacy Notices

Rewrite privacy policies in plain language. Separate consent for distinct purposes. Ensure your notices identify all third parties and disclose any automated decision-making.

Step 3: Build a Privacy Management Program

Document your policies, train staff annually, designate a privacy officer, and establish a complaint-handling process. Keep records — the Privacy Commissioner can request them.

Step 4: Implement Individual Rights Workflows

Create internal processes to handle access, correction, disposal, and explanation requests within the statutory window. The CPPA, like PIPEDA, sets a default of 30 days to respond to an access request, extendable only in limited circumstances, so build workflows that can meet 30 days for every request type and log each request, the date received, and the date answered.

Step 5: Inventory and Assess AI Systems

If you use or develop AI, classify each system by risk. For anything that could be "high-impact" — hiring, lending, healthcare, content moderation, biometric ID — begin building the risk assessment, mitigation, and monitoring documentation AIDA will require.

Step 6: Review Vendor and Service Provider Contracts

Update data processing agreements to reflect CPPA requirements. Ensure vendors offer equivalent protection and that you can pass through individual rights requests.

Step 7: Strengthen Security and Link Hygiene

Privacy and security are inseparable. Use trusted infrastructure for marketing, communications, and customer-facing links. Tools like Lunyb let Canadian businesses share short, branded, privacy-respecting URLs and QR codes without leaking customer data to third-party trackers — a small but meaningful step in a CPPA-aligned stack. For campaign-driven use cases, our guide on QR code marketing best practices walks through compliant patterns.

Common Misconceptions About Bill C-27

"It only affects big tech companies."

False. The CPPA applies to virtually every business that collects personal information from Canadians in commercial activities, including small e-commerce shops, SaaS startups, and professional services firms.

"Quebec's Law 25 already covers us."

Partly true. If you operate only in Quebec, Law 25 may govern most of your activity. But if you serve customers across Canada, the federal CPPA will apply outside Quebec — and you'll need to harmonize practices across both regimes.

"AIDA only applies to companies building AI models."

Not exactly. AIDA also applies to organizations that make available or manage the operations of high-impact AI systems — meaning many businesses deploying third-party AI tools could fall within scope.

Status of Bill C-27 in 2026

Bill C-27 has had a complex legislative journey. It was introduced in June 2022, passed Second Reading in April 2023, and spent extensive time before the House of Commons Standing Committee on Industry and Technology (INDU), where substantial amendments, particularly to AIDA, were proposed throughout 2023 and 2024. When Parliament was prorogued in January 2025 the bill died on the Order Paper, and the dissolution of Parliament for the 2025 general election that followed meant it could not simply be revived in a new session: it would have to be introduced again as a new bill. Whether that happens as a reintroduced C-27 or as replacement legislation has been the subject of ongoing political debate.

Regardless of the precise legislative timeline, the policy direction is unambiguous: Canada is moving toward stronger privacy enforcement, AI governance, and individual rights. Organizations that wait for final Royal Assent before acting will find themselves scrambling.

FAQ

When will Bill C-27 come into force?

As of early 2026, Bill C-27 has not been enacted: it died on the Order Paper in January 2025, and any successor must be introduced as a new bill. If a successor passes, the CPPA and AIDA provisions are expected to have transition periods (likely 12–24 months) before key obligations take effect. Watch for federal announcements and follow your provincial privacy regulator for guidance.

Does Bill C-27 replace PIPEDA entirely?

No. Bill C-27 replaces Part 1 of PIPEDA (the private-sector privacy rules) with the CPPA. The electronic documents provisions of PIPEDA remain. Public-sector privacy continues to be governed by the Privacy Act, which is being addressed separately.

How does Bill C-27 compare to Quebec's Law 25?

Both laws modernize consent, introduce data portability, require privacy management programs, and impose significant fines. Law 25 is already in force and in some areas (such as privacy impact assessments and explicit consent for sensitive data) is stricter than the proposed CPPA. Organizations operating in both jurisdictions should aim for the higher standard.

What qualifies as a "high-impact" AI system under AIDA?

The bill leaves much of this to regulation, but proposed amendments identify categories such as employment decisions, provision of services, biometric identification, content moderation at scale, healthcare, and law enforcement. If your AI system materially affects rights, opportunities, or safety, assume it could be classified as high-impact.

Do small businesses need to comply?

Yes. The CPPA does not exempt small businesses, though regulators typically tailor enforcement expectations to organizational size and risk. Small businesses should still maintain a privacy policy, document their practices, respond to individual requests, and report breaches that pose a real risk of significant harm.

Final Thoughts

Bill C-27 is more than a policy update — it's a generational shift in how Canada governs data and AI. The combination of meaningful penalties, expanded individual rights, and a dedicated AI statute brings Canada into closer alignment with leading global frameworks while reflecting distinctly Canadian values around consent, transparency, and accountability.

The organizations that thrive under this new regime won't be the ones who treat compliance as a checkbox. They'll be the ones who use Bill C-27 as a catalyst to build genuine trust with their customers — through clearer communication, better data hygiene, and tools and partners that respect privacy by default.
