Bill C-27 Digital Charter: What You Need to Know in 2026
Canada's privacy landscape is undergoing its most significant transformation in over two decades. Bill C-27, formally known as the Digital Charter Implementation Act, 2022, represents Ottawa's most ambitious attempt to modernize how personal data and artificial intelligence are regulated across the country. For businesses, developers, and everyday Canadians, understanding this legislation is no longer optional — it's essential.
This guide breaks down what Bill C-27 actually contains, why it matters, how it compares to existing laws, and what practical steps organizations should take to prepare.
What Is Bill C-27?
Bill C-27, the Digital Charter Implementation Act, 2022, is a Canadian federal bill introduced in June 2022 that proposes to replace the private-sector privacy framework in the Personal Information Protection and Electronic Documents Act (PIPEDA) and introduce Canada's first dedicated artificial intelligence law. It is the successor to the previously stalled Bill C-11.
The legislation is structured around three distinct statutes packaged together:
- The Consumer Privacy Protection Act (CPPA) — modernizes private-sector privacy rules.
- The Personal Information and Data Protection Tribunal Act (PIDPTA) — creates a new tribunal to hear privacy appeals and issue penalties.
- The Artificial Intelligence and Data Act (AIDA) — establishes federal oversight for "high-impact" AI systems.
Together, these three acts form the legislative backbone of Canada's renewed Digital Charter — a set of ten principles released in 2019 that includes universal access, safety and security, control and consent, transparency, and strong enforcement.
Why Bill C-27 Matters for Canadians
PIPEDA was drafted in 2000, long before smartphones, social media, generative AI, or sophisticated profiling existed at scale. Bill C-27 attempts to close that gap by giving Canadians stronger rights over their personal information and by introducing meaningful penalties for organizations that mishandle data.
For individuals, the bill means:
- Clearer rules around consent and how it can be obtained.
- A new right to request the deletion ("disposal") of personal information.
- Greater transparency when automated decision-making systems are used.
- Special protections for minors, whose information is explicitly classified as "sensitive."
- Stronger enforcement, including administrative monetary penalties.
For organizations, it means a significant shift in compliance obligations, accountability frameworks, and potential liability — particularly for those building or deploying AI.
The Consumer Privacy Protection Act (CPPA)
The CPPA is the centrepiece of Bill C-27 and would replace Part 1 of PIPEDA. It retains many familiar concepts but introduces several important changes.
Key Changes Under the CPPA
- Enhanced consent requirements: Consent must be obtained in plain language and provide specific information about the purpose, type of data collected, and any third parties involved.
- Legitimate interest exception: Organizations can collect or use personal data without consent in certain business activities, provided privacy impacts are assessed and mitigated.
- Right to disposal: Individuals can request that their personal data be deleted, subject to legal retention requirements.
- Data mobility: Consumers may direct organizations to transfer their personal information to another organization within a designated framework.
- Algorithmic transparency: Organizations must explain, in plain language, how automated decision systems affect individuals.
- Codes of practice and certification: Industry-specific compliance programs can be approved by the Privacy Commissioner.
Penalties Under the CPPA
One of the most discussed elements of Bill C-27 is its enforcement teeth. Penalties scale based on the severity of the violation:
| Violation Type | Maximum Penalty |
|---|---|
| Administrative monetary penalty | The greater of $10 million or 3% of global gross revenue |
| Serious offences (e.g., obstruction, retaliation against whistleblowers) | The greater of $25 million or 5% of global gross revenue |
These figures place Canada in the same conversation as the EU's GDPR, which caps fines at 4% of global turnover.
The Personal Information and Data Protection Tribunal Act
The PIDPTA creates a new administrative tribunal — separate from the Office of the Privacy Commissioner of Canada (OPC) — that would hear appeals of Commissioner findings and impose the administrative monetary penalties described above.
The tribunal model has been controversial. Supporters argue it provides procedural fairness and a specialized forum. Critics, including some privacy advocates, contend it adds a layer of complexity that could slow enforcement and weaken the Commissioner's authority.
How the Process Would Work
- The Privacy Commissioner investigates a complaint or initiates an inquiry.
- The Commissioner issues findings and may recommend a penalty.
- The new Tribunal reviews and decides on the actual penalty amount.
- Tribunal decisions may be subject to judicial review by the Federal Court.
The Artificial Intelligence and Data Act (AIDA)
AIDA is Canada's first attempt at horizontal AI regulation and applies to private-sector AI systems used in interprovincial or international trade. It introduces a risk-based framework that focuses on "high-impact systems."
What Counts as a High-Impact System?
Following amendments proposed in late 2023, the government identified seven classes of high-impact AI, including systems used in:
- Employment decisions (screening, hiring, promotions)
- Provision of services to individuals
- Biometric processing for identification or behaviour inference
- Content moderation and prioritization on online platforms
- Healthcare and emergency services
- Court and law enforcement decision-making
- Critical infrastructure
Core Obligations Under AIDA
- Identifying and mitigating risks of harm and biased output.
- Establishing accountability and governance measures.
- Publishing plain-language descriptions of high-impact systems.
- Notifying the Minister of material harm.
- Maintaining records demonstrating compliance.
Non-compliance can result in administrative penalties, regulatory orders, and — in cases of reckless or fraudulent conduct — criminal liability with fines up to $25 million or 5% of global gross revenue.
Bill C-27 vs. PIPEDA vs. GDPR
To understand where Canada is heading, it helps to compare Bill C-27 to the law it replaces and to the global benchmark.
| Feature | PIPEDA (Current) | Bill C-27 (CPPA) | GDPR (EU) |
|---|---|---|---|
| Right to deletion | Limited | Yes ("disposal") | Yes (erasure) |
| Data mobility | No | Yes | Yes (portability) |
| Algorithmic transparency | No | Yes | Yes |
| Maximum fine | $100,000 | 5% of global revenue | 4% of global turnover |
| Dedicated AI law | No | Yes (AIDA) | Separate EU AI Act |
| Independent regulator with order-making power | Limited | Yes | Yes |
How Bill C-27 Affects Businesses
Any organization that handles personal information of Canadians in the course of commercial activity will be touched by Bill C-27. The impact, however, varies by sector and size.
Small and Medium Businesses
SMBs will need to revisit privacy policies, consent flows, and breach response plans. While penalties scale with revenue, the compliance burden — particularly around documentation — applies broadly.
Marketing, Analytics, and Tracking
Marketers should pay close attention to consent rules, profiling restrictions, and the new transparency requirements for automated decision-making. Even routine practices like link tracking, retargeting, and audience segmentation may require updated disclosures. Privacy-respecting tools matter here: for example, when sharing campaign links, services like Lunyb offer a straightforward URL shortener with analytics that can be configured to minimize unnecessary data collection. If you're evaluating options, our 2026 buyer's guide to URL shorteners walks through the privacy and feature trade-offs.
AI Developers and Deployers
Organizations building or deploying AI — even when integrating third-party models — will need to determine whether their systems qualify as "high-impact." If they do, AIDA imposes a structured risk management lifecycle: assessment, mitigation, monitoring, documentation, and disclosure.
Where Bill C-27 Stands Today
Bill C-27 was introduced in June 2022 and has moved through multiple stages of parliamentary review, including extensive committee study at the House of Commons Standing Committee on Industry and Technology. The bill has been subject to significant proposed amendments, particularly to AIDA, and its progress has been affected by prorogation and shifting political priorities.
As of 2026, organizations are advised to track the bill's status closely. Even if the final version differs from current drafts, the direction of travel — stronger consent, greater transparency, real penalties, and AI accountability — is clear and reflects global trends.
Practical Steps to Prepare for Bill C-27
Organizations don't need to wait for royal assent to start preparing. Most of the work involves good privacy hygiene that aligns with both PIPEDA and what's coming.
- Map your data. Document what personal information you collect, where it's stored, who has access, and how long it's retained.
- Review consent mechanisms. Ensure consent requests are specific, plain-language, and granular where appropriate.
- Update privacy policies. Add language addressing automated decision-making, data disposal rights, and mobility.
- Build a privacy management program. Assign accountability, train staff, and document your decisions.
- Inventory your AI systems. Identify any tools that could fall under AIDA's "high-impact" categories.
- Strengthen breach response. Ensure you can detect, contain, document, and report breaches quickly.
- Vendor due diligence. Review contracts with processors and ensure they support the new rights and obligations.
Criticisms and Ongoing Debate
Bill C-27 has not been universally welcomed. Civil liberties groups, academics, and the federal Privacy Commissioner have raised concerns including:
- Whether privacy should be recognized as a fundamental human right within the act's preamble (amendments have proposed this).
- Whether the Tribunal weakens enforcement compared to giving the Commissioner direct order-making authority.
- Whether AIDA was developed with sufficient public consultation and whether its definitions are clear enough.
- The broad exceptions allowing data use without consent under "legitimate interest" and "business activities."
These debates have shaped, and will likely continue to shape, the final form of the legislation.
Frequently Asked Questions
When will Bill C-27 come into force?
There is no fixed effective date. The bill must complete parliamentary review and receive royal assent; most provisions would then come into force on dates set by Order in Council. Even after assent, organizations are typically given a transition period, often 12 to 24 months, before enforcement begins.
Does Bill C-27 apply to provincial privacy laws?
Bill C-27 is federal legislation governing private-sector activity. Provinces like Quebec (Law 25), British Columbia (PIPA), and Alberta (PIPA) have their own substantially similar private-sector laws. Where provincial laws are deemed substantially similar, they continue to apply within that province, while the federal law governs interprovincial and international activity.
How does Bill C-27 treat children's data?
The CPPA explicitly defines minors' personal information as "sensitive," which triggers heightened obligations around consent, retention, and the right to disposal. Organizations serving or likely to be used by minors should plan for more rigorous safeguards.
What is the difference between AIDA and the EU AI Act?
Both are risk-based frameworks, but the EU AI Act is far more detailed, with prohibited practices, prescriptive obligations for general-purpose models, and a tiered classification system. AIDA is more principles-based and delegates significant detail to regulations that would follow enactment.
Do I need to comply with Bill C-27 if I'm based outside Canada?
Yes, if you handle the personal information of Canadians during commercial activity or deploy high-impact AI systems used in Canada. Like GDPR, Bill C-27 has extraterritorial reach when there is a real and substantial connection to Canada.
Final Thoughts
Bill C-27 represents a long-overdue modernization of Canada's privacy and AI regulation. Whether it passes in its current form or evolves through further amendments, the message to organizations is unmistakable: data accountability, algorithmic transparency, and meaningful enforcement are becoming the new baseline. Starting preparation now — by mapping data, reviewing consent, and inventorying AI use — is the most reliable way to be ready when the law takes effect.
For more on building a privacy-conscious online presence, see our honest review of Lunyb and our broader 2026 URL shortener comparison.