Bill C-27 Digital Charter: What You Need to Know in 2026
Canada's privacy laws are undergoing the most significant overhaul in more than two decades. Bill C-27, formally known as the Digital Charter Implementation Act, proposes to replace the aging Personal Information Protection and Electronic Documents Act (PIPEDA) and introduce Canada's first dedicated framework for artificial intelligence. If you run a business that collects personal data, build software, or simply want to understand your rights as a Canadian, this legislation matters.
This guide breaks down what Bill C-27 actually contains, why the federal government introduced it, how it compares to international standards like the GDPR, and what practical steps organizations should take to prepare.
What Is Bill C-27?
Bill C-27, the Digital Charter Implementation Act, is a federal Canadian bill that bundles three new statutes into a single piece of legislation. It was introduced in the House of Commons on June 16, 2022, and is designed to modernize how personal data and artificial intelligence are governed in Canada.
The bill contains three core acts:
- Consumer Privacy Protection Act (CPPA) — replaces PIPEDA and sets new rules for how private-sector organizations handle personal information.
- Personal Information and Data Protection Tribunal Act — creates a new tribunal to review decisions of the Privacy Commissioner and impose administrative penalties.
- Artificial Intelligence and Data Act (AIDA) — Canada's first law specifically targeting "high-impact" AI systems.
Together, these acts form the legislative backbone of the federal Digital Charter, a ten-principle policy framework first announced in 2019 that promises Canadians control, transparency, and protection in the digital economy.
Why Canada Needs a New Privacy Law
PIPEDA was enacted in 2000, well before smartphones, social media platforms, generative AI, or the modern data broker economy. It relies heavily on voluntary compliance, ombudsman-style enforcement, and modest fines that large technology companies can easily absorb as a cost of doing business.
The European Union's General Data Protection Regulation (GDPR), which came into force in 2018, raised global expectations dramatically. Without a meaningful update, Canada risked losing its "adequacy" status with the EU — a designation that allows personal data to flow freely between jurisdictions. Bill C-27 is, in large part, an effort to keep Canada aligned with international norms while reflecting domestic priorities around Indigenous data, minors' privacy, and AI safety.
Key Changes Under the Consumer Privacy Protection Act
The CPPA is the cornerstone of Bill C-27. It introduces several rights and obligations that go well beyond PIPEDA.
1. Meaningful Consent and Plain-Language Disclosure
Organizations must obtain consent in plain, understandable language. Long, legalistic privacy policies that bury key terms will no longer satisfy the standard. Consent requests must clearly identify the purpose, the type of information collected, and any third parties with whom it will be shared.
2. The Right to Data Mobility
Canadians will be able to request that their personal information be transferred from one organization to another within a designated framework. This is similar to the GDPR's right to data portability and is intended to reduce switching costs in industries like banking and telecommunications.
3. The Right to Disposal (Deletion)
Individuals can request that an organization dispose of personal information collected about them. There are exceptions — for example, where retention is required by law or necessary for ongoing legal claims — but the default tilts toward giving people more control over their digital footprint.
4. Algorithmic Transparency
If an organization uses an automated decision system to make a prediction, recommendation, or decision that could significantly affect an individual, it must provide an explanation on request. This includes the type of information used, the source, and the reasons behind the outcome.
5. Stronger Protections for Minors
The CPPA explicitly classifies minors' personal information as "sensitive," triggering higher standards for consent, retention, and disposal. Parents and guardians gain expanded rights to act on behalf of minors.
6. De-identified and Anonymized Data
The bill draws a clear line between de-identified data (which remains subject to most privacy rules) and anonymized data (which is generally outside the Act). Organizations must use technical and administrative safeguards proportionate to the risk of re-identification.
Major Penalties: How Bill C-27 Has Teeth
Perhaps the most attention-grabbing change is the new penalty regime. Under PIPEDA, the Privacy Commissioner can issue findings but has limited power to fine offenders. Bill C-27 changes that dramatically.
| Penalty Type | Maximum Amount | Applies To |
|---|---|---|
| Administrative monetary penalty | Greater of CAD $10 million or 3% of global revenue | Most CPPA contraventions |
| Offence on indictment | Greater of CAD $25 million or 5% of global revenue | Serious offences (e.g., obstruction, knowing violations) |
| AIDA — high-impact AI offences | Up to CAD $25 million or 5% of global revenue | Reckless or fraudulent use of high-impact AI systems |
For comparison, the GDPR caps fines at 4% of global turnover. Bill C-27's 5% indictable-offence maximum would actually make Canada's privacy regime one of the strictest in the world on paper.
The Artificial Intelligence and Data Act (AIDA)
AIDA is the most novel — and the most debated — component of Bill C-27. It would be Canada's first statute specifically aimed at AI systems.
What AIDA Regulates
AIDA focuses on "high-impact" AI systems. Although the bill leaves much of the definitional work to future regulation, the government has signalled that high-impact systems include those used in:
- Employment decisions (hiring, firing, promotion)
- Provision of services and access to essential goods
- Biometric identification
- Content moderation and recommendation at scale
- Health-care decision support
- Law enforcement and court-related applications
Core Obligations for AI Developers and Operators
- Risk assessment — identify and document potential harms or biased output.
- Mitigation measures — implement safeguards to reduce identified risks.
- Monitoring — continuously evaluate system performance after deployment.
- Record keeping — maintain documentation that regulators can review.
- Transparency — publish plain-language descriptions of high-impact systems.
AIDA also creates new criminal offences for knowingly using unlawfully obtained personal information to design or use an AI system, or for deploying a system that is likely to cause serious harm.
Bill C-27 vs. GDPR vs. PIPEDA
If you operate across jurisdictions, understanding how Bill C-27 stacks up against existing frameworks is essential.
| Feature | PIPEDA (current) | Bill C-27 (CPPA) | GDPR (EU) |
|---|---|---|---|
| Right to deletion | Limited | Yes ("right to disposal") | Yes ("right to erasure") |
| Data portability | No | Yes (within framework) | Yes |
| Algorithmic transparency | No | Yes | Yes (Art. 22) |
| Maximum fine | CAD $100,000 | 5% of global revenue | 4% of global turnover |
| Dedicated AI regulation | No | Yes (AIDA) | Separate EU AI Act |
| Enforcement model | Ombudsman | Commissioner + Tribunal | Supervisory authorities |
Who Bill C-27 Affects
The CPPA applies to every private-sector organization in Canada that collects, uses, or discloses personal information in the course of commercial activity, as well as foreign organizations whose activities have a real and substantial connection to Canada. In practice this means:
- Small and medium-sized businesses that handle customer data of any kind.
- Software-as-a-service providers hosting Canadian user data.
- Marketers and ad-tech vendors using behavioural tracking.
- AI developers whose tools may be classified as high-impact.
- Foreign platforms serving Canadian users at scale.
Personal information held by government institutions, along with some federally regulated employment records, is largely covered by separate statutes, but private-sector entities — from independent shops to multinationals — will all need to revisit their privacy programs.
How to Prepare Your Business for Bill C-27
Although the bill is still moving through Parliament and certain provisions could change, the direction of travel is clear. Organizations that begin preparing now will avoid a scramble later.
Step 1: Conduct a Data Inventory
Map what personal information you collect, where it lives, who has access to it, and how long it is retained. You cannot govern data you cannot see.
Step 2: Rewrite Consent and Privacy Notices
Replace legalese with plain-language explanations of purposes, third parties, retention, and rights. Consider layered notices that summarize key points up front.
Step 3: Build a Rights-Request Workflow
Create processes to handle access, correction, disposal, and portability requests within statutory time limits. Train customer-facing staff to escalate properly.
Step 4: Review Vendor Contracts
Your obligations follow the data. Update data-processing agreements with cloud providers, analytics tools, and marketing platforms to reflect CPPA accountability requirements.
Step 5: Implement Privacy-by-Design
Bake privacy considerations into product development from day one. Minimize data collection, use privacy-enhancing technologies, and document your decisions. Tools like Lunyb can help reduce exposure when sharing links — by avoiding bloated tracking parameters in shared URLs, you collect less unnecessary data in the first place and produce cleaner audit trails.
Step 6: Establish an AI Governance Program
If you build or deploy AI, start documenting model purpose, training data sources, risk assessments, and human-oversight measures now. AIDA's specifics will be filled in by regulation, but the underlying expectations are predictable.
Common Criticisms and Open Questions
Bill C-27 is not without its critics. Privacy advocates have argued that:
- The CPPA contains broad "legitimate interest" exceptions that could weaken consent in practice.
- The new Tribunal adds a layer between the Commissioner and enforcement, potentially slowing remedies.
- AIDA leaves too much to future regulation, creating uncertainty for developers.
- The bill does not adequately address surveillance by political parties or government agencies.
Industry groups, meanwhile, have warned about compliance costs for small businesses and the risk of overlapping obligations between AIDA and sector-specific rules. The parliamentary committee process has already produced amendments, and further changes are likely before any final passage.
How Bill C-27 Connects to Everyday Online Privacy
Strong laws matter, but personal habits still play a major role. While Bill C-27 forces organizations to behave responsibly, individuals can also reduce exposure by using encrypted DNS resolvers, privacy-respecting browsers, password managers, and minimal-tracking tools. For example, when sharing links across social media, email, or messaging, a privacy-focused shortener such as Lunyb avoids tacking on invasive tracking parameters. If you're evaluating link tools more broadly, our 2026 buyer's guide to URL shorteners compares the leading options on privacy, analytics, and pricing.
Frequently Asked Questions
When will Bill C-27 come into force?
As of 2026, Bill C-27 has not yet received Royal Assent in its final form. Even after passage, most provisions are expected to be brought into force over a transition period — likely 12 to 24 months — to give organizations time to comply. Watch for Governor-in-Council orders and accompanying regulations.
Does Bill C-27 replace provincial privacy laws?
No. Provinces like Quebec, British Columbia, and Alberta already have private-sector privacy statutes deemed "substantially similar" to PIPEDA, and they will continue to apply within their jurisdictions. The federal CPPA covers interprovincial and international activity, and provincial laws may themselves evolve in response. Quebec's Law 25, for instance, already imposes GDPR-style obligations.
Will small businesses be exempt from Bill C-27?
No general small-business exemption exists. However, the scale of compliance is proportional to risk. A neighbourhood bakery's obligations look very different from those of a national e-commerce platform. The Office of the Privacy Commissioner has historically provided practical guidance for smaller organizations, and that approach is expected to continue.
How does AIDA affect open-source AI projects?
AIDA primarily targets organizations that make available for use or operate high-impact AI systems in the course of international or interprovincial trade and commerce. Pure research and many open-source contributions may fall outside scope, but anyone integrating such systems into commercial products will need to assess risk and implement governance measures.
What happens if my business violates the CPPA?
The Privacy Commissioner can investigate, issue compliance orders, and recommend penalties to the new Tribunal. Administrative penalties can reach the greater of CAD $10 million or 3% of global revenue, while serious offences prosecuted on indictment can attract penalties up to CAD $25 million or 5% of global revenue. Reputational damage from public findings can be just as costly.
Final Thoughts
Bill C-27 represents Canada's most ambitious attempt to bring privacy and AI governance into the modern era. Whether or not the final legislation matches the current draft, the direction is clear: meaningful consent, stronger individual rights, real enforcement, and accountability for automated systems. Organizations that begin preparing now — by mapping data, rewriting notices, building rights workflows, and adopting privacy-by-design — will not only reduce regulatory risk but also build the kind of trust that increasingly drives customer loyalty in the digital economy.