Bill C-27 Digital Charter: What You Need to Know in 2026

Lunyb Security Team
10 min read

Canada's privacy landscape is on the verge of its biggest overhaul in more than two decades. Bill C-27, also known as the Digital Charter Implementation Act, 2022, proposes to replace parts of the aging Personal Information Protection and Electronic Documents Act (PIPEDA) with a modern framework built for the AI era. If passed and proclaimed in force, it will reshape how organizations collect, use, share, and protect personal information in Canada — and how artificial intelligence systems are governed.

Whether you're a small business owner, a marketer, a developer, or simply a Canadian who cares about your digital rights, understanding Bill C-27 is no longer optional. This guide breaks down the three pieces of legislation inside the bill, what they require, the penalties for getting it wrong, and what practical steps you should take today.

What Is Bill C-27?

Bill C-27 is a Canadian federal bill introduced in June 2022 that bundles three new laws into a single piece of legislation: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA). Together, they form the core of the federal government's Digital Charter implementation strategy.

The bill is the successor to Bill C-11, which died on the order paper in 2021. Bill C-27 incorporates lessons from that earlier attempt, feedback from the Office of the Privacy Commissioner of Canada (OPC), and pressure from international partners — particularly the European Union — to maintain Canada's adequacy status under the GDPR.

The Three Acts Inside Bill C-27

  1. Consumer Privacy Protection Act (CPPA) — Replaces Part 1 of PIPEDA and modernizes private-sector privacy rules.
  2. Personal Information and Data Protection Tribunal Act (PIDPTA) — Creates a new tribunal to review OPC decisions and impose administrative penalties.
  3. Artificial Intelligence and Data Act (AIDA) — Canada's first federal AI law, focused on "high-impact" AI systems.

The Consumer Privacy Protection Act (CPPA)

The CPPA is the heart of Bill C-27. It replaces PIPEDA's private-sector privacy provisions and introduces stronger rights for individuals, clearer obligations for organizations, and significantly higher penalties for non-compliance.

Key Individual Rights Under the CPPA

  • Right to deletion (disposal): Individuals can request that an organization delete personal information about them, subject to limited exceptions.
  • Right to data mobility: Individuals can request that their personal information be transferred from one organization to another under a designated framework.
  • Algorithmic transparency: Organizations using automated decision systems to make significant predictions, recommendations, or decisions about an individual must, on request, provide an explanation.
  • Enhanced consent rules: Consent must be obtained in plain language and at or before the time of collection. "Implied consent" remains valid only in narrower circumstances.
  • Protections for minors: The information of minors is explicitly treated as "sensitive," triggering heightened protections.

New Obligations for Organizations

Under the CPPA, organizations must:

  1. Implement and maintain a documented privacy management program proportionate to the volume and sensitivity of personal information handled.
  2. Conduct and document privacy impact assessments for high-risk processing.
  3. Notify the OPC and affected individuals of breaches of security safeguards posing a "real risk of significant harm."
  4. Maintain records of consent, breaches, and de-identification practices.
  5. Be transparent about the use of automated decision-making systems.

De-identified vs. Anonymized Data

The CPPA introduces a crucial distinction. De-identified data remains personal information and is still regulated, just with relaxed rules for certain internal uses. Anonymized data — irreversibly altered so that no individual can be identified — falls outside the Act entirely. Many organizations mistakenly treat the two as interchangeable; under Bill C-27, that mistake could be expensive.

The Personal Information and Data Protection Tribunal

The PIDPTA creates a new six-member Personal Information and Data Protection Tribunal. Its role is twofold: hear appeals of OPC findings and orders, and impose administrative monetary penalties (AMPs) recommended by the Commissioner.

This is a significant structural change. Today, the OPC can investigate and make recommendations, but enforcement largely depends on the Federal Court. Under Bill C-27, the OPC will have order-making powers, and the Tribunal will provide a specialized, faster forum for review and penalty decisions.

Penalties: How Much Is at Stake?

The financial exposure under Bill C-27 is unprecedented in Canadian privacy law.

| Type of Violation | Maximum Penalty |
|---|---|
| Administrative monetary penalty (Tribunal) | Greater of $10 million CAD or 3% of global gross revenue |
| Serious offences (criminal prosecution) | Greater of $25 million CAD or 5% of global gross revenue |
| AIDA contraventions (high-impact AI) | Up to $25 million CAD or 5% of global gross revenue |

For comparison, PIPEDA's maximum fine is $100,000. The jump is intentional — it brings Canada in line with the GDPR's enforcement teeth and signals that privacy is now a board-level risk.

The Artificial Intelligence and Data Act (AIDA)

AIDA is Canada's first attempt at federal AI regulation. It focuses specifically on "high-impact" AI systems — a category to be defined more precisely through regulations, but generally covering systems that affect employment, essential services, biometric identification, content moderation at scale, healthcare, and law enforcement.

Core AIDA Obligations

  • Risk assessment and mitigation: Organizations that design, develop, or deploy high-impact AI systems must identify, assess, and mitigate risks of harm and biased output.
  • Monitoring: Continuous monitoring of compliance with mitigation measures and the effectiveness of those measures.
  • Transparency: Publishing plain-language descriptions of high-impact systems, their intended use, and their limitations.
  • Record-keeping: Maintaining documentation about data used, training methodologies, and risk-management measures.
  • Reporting serious incidents: Notifying the Minister of material harm caused by the system.

Anonymized Data Under AIDA

AIDA also regulates the use of anonymized data — even though such data falls outside the CPPA. Organizations using anonymized data to build or train AI must establish measures regarding how that data is anonymized and used. This closes a potential loophole and is a unique feature of the Canadian approach.

How Bill C-27 Compares to GDPR and Other Frameworks

| Feature | Bill C-27 (Canada) | GDPR (EU) | PIPEDA (current) |
|---|---|---|---|
| Right to deletion | Yes (with exceptions) | Yes | Limited |
| Data portability | Yes (framework-based) | Yes | No |
| Algorithmic transparency | Yes | Yes (Art. 22) | No |
| Max fine | 5% of global revenue | 4% of global revenue | $100,000 |
| Dedicated AI law | Yes (AIDA) | Separate EU AI Act | No |
| Regulator order-making power | Yes | Yes | Recommendations only |

Who Does Bill C-27 Apply To?

The CPPA applies to every private-sector organization that collects, uses, or discloses personal information in the course of commercial activity in Canada — including foreign organizations whose activities have a "real and substantial connection" to Canada. There are no small-business exemptions in the privacy provisions, although obligations scale with the sensitivity and volume of data.

AIDA applies to anyone who designs, develops, or makes available a high-impact AI system in the course of international or interprovincial trade and commerce. Purely intra-provincial AI activity may fall under provincial law instead.

Pros and Cons of Bill C-27

Pros

  • Strong alignment with GDPR helps preserve Canada's EU adequacy status.
  • Higher penalties create real incentives for genuine privacy investment.
  • Clear individual rights (deletion, portability, explanation) catch Canada up with international standards.
  • Dedicated tribunal speeds up enforcement and adds expertise.
  • AIDA addresses a genuine gap in AI governance.

Cons

  • AIDA has been criticized for being too vague, leaving key definitions to regulations.
  • Compliance costs may disproportionately burden small and mid-sized businesses.
  • The "legitimate interest" exception to consent has raised concerns among privacy advocates.
  • Overlap with provincial laws (Quebec's Law 25, for example) creates complexity.
  • Implementation timeline and transition rules remain partially uncertain.

What Businesses Should Do Now

Even though Bill C-27 is still working its way through Parliament, waiting for royal assent is a costly strategy. Most provisions will require months — sometimes years — of preparation to meet. Here is a practical checklist:

  1. Map your data. You can't protect what you can't see. Inventory every system that collects or processes personal information.
  2. Audit your consent practices. Rewrite consent notices in plain language and document the basis for any implied consent.
  3. Stand up a privacy management program. Assign a privacy officer, write policies, train staff, and document everything.
  4. Review automated decision systems. Identify systems that make significant decisions and prepare explanation mechanisms.
  5. Update breach response plans. Ensure you can detect, assess, and notify within the CPPA's "real risk of significant harm" framework.
  6. Tighten vendor contracts. The CPPA holds you accountable for third-party processors. Update data processing agreements accordingly.
  7. Classify AI systems. If you build or deploy AI, assess whether any qualify as "high-impact" under AIDA.

What Individuals Should Know

For Canadians, Bill C-27 promises stronger control over personal data — but those rights only matter if you use them. Practical steps include reviewing the privacy policies of services you use, exercising deletion and access rights where supported, and being more selective about which tools and links you trust online.

For example, every time you click a shortened link, your data — IP address, device, referrer — can be logged. Choosing a privacy-respecting URL shortener like Lunyb matters because it determines who collects that data and how it is handled. We explore this further in our honest review of Lunyb and our 2026 buyer's guide to URL shorteners, both of which evaluate how providers handle the same kinds of obligations Bill C-27 imposes.

Where Bill C-27 Stands Today

As of early 2026, Bill C-27 has moved through extensive committee study. Amendments have been proposed to tighten AIDA's definitions, strengthen protections for minors, and refine the legitimate-interest provisions. The bill is widely expected to pass in some form, though its exact final shape and the timing of royal assent remain in flux. Once enacted, most provisions will come into force on dates set by Order in Council, typically with a transition period of 12 to 24 months.

Frequently Asked Questions

When will Bill C-27 come into force?

If passed, most CPPA and AIDA provisions will not take effect immediately. The government has signaled a transition period — likely 12 to 24 months after royal assent — to give organizations time to comply. Some AIDA provisions may take longer because key definitions depend on regulations that have not yet been drafted.

Does Bill C-27 replace PIPEDA entirely?

Not entirely. The CPPA replaces Part 1 of PIPEDA (the private-sector privacy rules), but PIPEDA's electronic documents provisions remain. Provincial laws like Quebec's Law 25, Alberta's PIPA, and B.C.'s PIPA also continue to apply in their respective jurisdictions where they are deemed substantially similar.

What counts as a "high-impact" AI system under AIDA?

The bill itself does not list specific systems. Instead, regulations will define categories — expected to include AI used in employment decisions, biometric identification, healthcare, content moderation at scale, essential services, and law enforcement. Until regulations are finalized, organizations should err on the side of treating any consequential AI system as potentially high-impact.

How does Bill C-27 affect small businesses?

Small businesses are not exempt from the CPPA, but obligations are scaled to the sensitivity and volume of data they handle. A small e-commerce shop with basic customer data has lighter obligations than a fintech company processing financial records. That said, every business should still document a privacy program, obtain valid consent, and prepare for breach notification.

Will Bill C-27 affect Canada's GDPR adequacy status?

That is one of the main reasons for the bill. The European Commission periodically reviews Canada's adequacy designation, and PIPEDA was increasingly seen as outdated compared to GDPR. The CPPA's stronger rights, higher penalties, and order-making powers are designed to maintain — and in some areas exceed — GDPR alignment, preserving the free flow of personal data between Canada and the EU.

Final Thoughts

Bill C-27 is more than a legal update — it is a signal that Canada is taking digital rights, AI accountability, and data protection seriously. For organizations, the message is clear: privacy is no longer a compliance afterthought but a core operating discipline with multi-million-dollar consequences. For individuals, it is a long-awaited expansion of meaningful control over personal information in the digital economy.

The smart move — for businesses and citizens alike — is to start preparing now. The frameworks, habits, and tools you adopt today will determine how smoothly you adapt when Bill C-27 finally becomes the law of the land.
