Bill C-27 Digital Charter: What You Need to Know in 2026
Canada's privacy landscape is on the verge of its biggest overhaul in more than two decades. Bill C-27, the Digital Charter Implementation Act, proposes to replace the aging Personal Information Protection and Electronic Documents Act (PIPEDA) with a modern framework that updates consumer privacy rules, creates an independent tribunal, and, for the first time in Canadian law, regulates artificial intelligence systems. Whether you run a Canadian startup, manage marketing data, or simply care about how your personal information is handled, understanding Bill C-27 is essential.
This guide breaks down what Bill C-27 actually contains, who it affects, what the penalties look like, and what businesses should be doing now to prepare.
What Is Bill C-27?
Bill C-27, formally titled the Digital Charter Implementation Act, 2022, is a federal Canadian bill that bundles three new laws into one piece of legislation. It was introduced in the House of Commons in June 2022 and remains under parliamentary review as of 2026, with significant amendments debated at the committee stage.
The bill is built on the Government of Canada's Digital Charter, a set of ten guiding principles released in 2019 that includes universal internet access, safety and security online, control and consent, transparency, and strong enforcement. Bill C-27 turns those principles into enforceable law.
The Three Acts Inside Bill C-27
- Consumer Privacy Protection Act (CPPA) — Replaces the private-sector portions of PIPEDA and modernizes how organizations collect, use, and disclose personal information.
- Personal Information and Data Protection Tribunal Act (PIDPTA) — Creates a new specialized tribunal to review decisions by the Privacy Commissioner and impose administrative monetary penalties.
- Artificial Intelligence and Data Act (AIDA) — Canada's first federal law specifically targeting "high-impact" AI systems, regulating their design, deployment, and oversight.
Why Canada Needs Bill C-27
PIPEDA was passed in 2000. At that time, the iPhone did not exist, social media platforms were years away, and generative AI was science fiction. The law has been amended only modestly since then, leaving Canadian privacy protection well behind the EU's General Data Protection Regulation (GDPR), Quebec's Law 25, and several U.S. state laws like the California Consumer Privacy Act.
The European Commission's adequacy decision—which allows personal data to flow freely between the EU and Canada—is also up for review. Without modernized federal legislation, Canada risks losing that status, which would create costly compliance burdens for any Canadian business handling EU customer data.
Key Changes Under the Consumer Privacy Protection Act (CPPA)
The CPPA is the heart of Bill C-27 for most businesses. It introduces several rights and obligations that go well beyond PIPEDA.
1. Stronger and Clearer Consent
Organizations must obtain consent in plain language that an individual would reasonably understand. Buried clauses in 40-page terms of service will no longer qualify. Consent requests must specify:
- The purposes for which information is collected
- The way the information will be collected
- Any reasonably foreseeable consequences
- The specific types of personal information involved
- The names of any third parties to whom information will be disclosed
2. The Right to Disposal (Deletion)
For the first time, Canadians will have an explicit right to request that organizations delete their personal information. This mirrors the GDPR's "right to be forgotten" and applies even to data shared with service providers.
3. Algorithmic Transparency
If an organization uses an automated decision system to make a prediction, recommendation, or decision that could significantly affect an individual, the person must be informed and, on request, given an explanation of how the decision was made.
4. Data Mobility
Individuals will have the right to request that their personal information be transferred from one organization to another in a structured, commonly used format—similar to GDPR data portability rights.
5. Special Protections for Minors
Personal information of minors is treated as sensitive information by default, triggering higher consent standards and easier deletion rights for parents and guardians.
6. Codes of Practice and Certification
Industry groups can develop sector-specific codes of practice and certification programs, approved by the Privacy Commissioner, giving organizations a clearer compliance roadmap.
The New Privacy Tribunal
The Personal Information and Data Protection Tribunal is a brand-new body designed to sit between the Privacy Commissioner and the Federal Court. It will hear appeals of the Commissioner's findings and decide whether to impose administrative monetary penalties.
This two-step structure—investigation by the Commissioner, penalty decisions by the Tribunal—is meant to balance speed with due process. Critics argue it adds bureaucracy; supporters say it gives organizations a fairer hearing before being fined.
Penalties: How Much Bill C-27 Could Cost You
Bill C-27 dramatically raises the financial stakes of non-compliance. Under PIPEDA, fines were minimal. Under the CPPA, penalties become some of the highest in the world.
| Violation Type | Maximum Penalty |
|---|---|
| Administrative monetary penalties (Tribunal) | The greater of $10 million CAD or 3% of global gross revenue |
| Serious offences (criminal, prosecuted) | The greater of $25 million CAD or 5% of global gross revenue |
| AIDA violations (high-impact AI) | Up to $25 million CAD or 5% of global revenue |
These numbers put Canada in line with the GDPR (which caps fines at 4% of global revenue) and well ahead of most U.S. state laws.
The Artificial Intelligence and Data Act (AIDA)
AIDA is the most novel—and most debated—part of Bill C-27. It is Canada's first attempt to create a horizontal AI regulatory framework, focused on "high-impact" AI systems.
What Counts as a High-Impact System?
The exact definition will be set out in regulations, but proposed amendments have outlined seven classes likely to qualify:
- AI used in employment decisions (hiring, promotion, termination)
- AI used in delivering essential services (banking, insurance)
- Biometric identification systems
- Content moderation and recommendation systems on large platforms
- AI used in healthcare or healthcare-adjacent services
- AI used by courts or law enforcement
- AI that could pose risks to safety or human rights
Core AIDA Obligations
- Risk assessment before deployment
- Mitigation measures for identified harms and bias
- Monitoring the system once deployed
- Record-keeping sufficient to demonstrate compliance
- Notification to the Minister of Innovation if the system causes or is likely to cause material harm
A new AI and Data Commissioner would be established within Innovation, Science and Economic Development Canada to oversee enforcement.
How Bill C-27 Compares to PIPEDA, GDPR, and Quebec's Law 25
| Feature | PIPEDA | Bill C-27 (CPPA) | GDPR | Quebec Law 25 |
|---|---|---|---|---|
| Right to deletion | Limited | Yes | Yes | Yes |
| Data portability | No | Yes | Yes | Yes |
| Algorithmic transparency | No | Yes | Partial | Yes |
| Maximum fine | $100,000 | 5% of global revenue | 4% of global revenue | 4% of global revenue |
| Dedicated AI law | No | Yes (AIDA) | Separate AI Act | No |
| Privacy by design required | Implied | Yes | Yes | Yes |
Who Does Bill C-27 Apply To?
The CPPA applies to every private-sector organization in Canada that collects, uses, or discloses personal information in the course of commercial activity. It also applies to interprovincial and international data flows.
This includes:
- Canadian small businesses and startups
- E-commerce stores serving Canadian customers
- SaaS platforms with Canadian users
- Marketing agencies handling customer lists
- Foreign companies that target Canadian consumers
Provincially regulated organizations in Quebec, Alberta, and British Columbia continue to follow their own substantially similar laws, but they will also need to align with federal expectations for any cross-border activity.
How Businesses Should Prepare for Bill C-27
Even though the bill is still being finalized, smart organizations are getting ahead of the curve. Quebec's Law 25 has already taught many Canadian businesses what a modernized privacy regime feels like, and the CPPA will be largely consistent with it.
A Practical Compliance Checklist
- Map your data. Know what personal information you collect, where it lives, who has access, and how long you keep it.
- Rewrite your privacy notices. Use plain language. Explain purposes, third parties, and consequences clearly.
- Build a consent management process. Track when consent was given, what it covered, and how it can be withdrawn.
- Implement deletion workflows. Set up internal processes to honour disposal requests within reasonable timeframes.
- Audit your automated decisions. If you use AI or scoring systems, document how they work and prepare explanations for affected individuals.
- Appoint a privacy lead. Even small organizations need someone formally responsible for privacy compliance.
- Review vendor contracts. Service providers must offer equivalent protections; update your data processing agreements accordingly.
- Plan for breach response. Test your incident response plan, including notification to the Privacy Commissioner and affected individuals.
What This Means for Marketers and Link Sharing
Marketers will feel Bill C-27 in everyday workflows. Email lists, advertising pixels, retargeting, and analytics all involve personal information. Consent must be specific and revocable, and inferred data (such as behavioural profiles) is squarely covered.
If your work involves tracking link performance, you should be using tools that respect Canadian privacy expectations. Privacy-conscious link platforms like Lunyb offer URL shortening with transparent analytics and minimal personal data collection, which makes consent and disclosure obligations much easier to meet. If you want to know more about how the platform handles user data, our honest review of Lunyb walks through it in detail, and our 2026 buyer's guide to URL shorteners compares the major options on privacy features.
Current Status and Timeline
As of 2026, Bill C-27 has been working its way through the parliamentary committee process for an extended period. AIDA in particular has attracted substantial debate, with proposed amendments narrowing definitions and clarifying obligations. Industry groups, civil liberties organizations, and Indigenous communities have all weighed in.
Once the bill receives Royal Assent, expect a transition period of 12 to 24 months before the CPPA fully comes into force, with AIDA likely phased in more gradually as regulations are developed. Organizations that wait until the law is proclaimed will find themselves scrambling; those that align with Quebec's Law 25 and GDPR principles now will be well positioned.
Criticisms and Open Questions
Bill C-27 is not without controversy. Common critiques include:
- AIDA's vagueness. Critics argue that leaving "high-impact" to regulations gives the executive branch too much discretion.
- The Tribunal layer. Some privacy advocates feel it slows enforcement compared to giving the Commissioner direct order-making power.
- Consent fatigue. Plain-language consent is good in principle but risks producing yet more pop-up overload.
- Public-sector gap. Bill C-27 does not reform the federal Privacy Act, which governs government handling of personal data.
These debates will continue to shape the final version of the law and the regulations that follow.
FAQ
1. When will Bill C-27 take effect in Canada?
Bill C-27 is still progressing through Parliament as of 2026. After Royal Assent, most provisions of the CPPA are expected to take effect after a transition period of 12 to 24 months, while AIDA will likely be phased in more slowly as supporting regulations are developed.
2. Does Bill C-27 replace PIPEDA entirely?
It replaces the private-sector portions of PIPEDA with the Consumer Privacy Protection Act. The electronic documents provisions of PIPEDA remain. The federal Privacy Act, which governs government institutions, is not affected by Bill C-27.
3. Does Bill C-27 apply to small businesses?
Yes. The CPPA applies to any organization engaged in commercial activity, regardless of size. Small businesses may have proportionally simpler obligations, but core requirements like consent, breach reporting, and the right to disposal still apply.
4. How is Bill C-27 different from Quebec's Law 25?
Quebec's Law 25 already implements many similar rights, including data portability, algorithmic transparency, and stronger consent. Bill C-27 brings the federal regime closer to Law 25 but adds the Privacy Tribunal and the AIDA framework for AI systems, which Quebec does not have.
5. What happens if my organization is non-compliant?
Penalties under Bill C-27 can reach the greater of $25 million CAD or 5% of global gross revenue for the most serious offences. Beyond fines, organizations face reputational damage, civil claims by affected individuals, and operational disruption while remediation is carried out.
Final Thoughts
Bill C-27 represents a generational shift in Canadian privacy and AI law. It modernizes consent, gives individuals real control over their data, raises the cost of non-compliance dramatically, and—through AIDA—establishes Canada as one of the first countries to regulate high-impact AI systems with binding rules.
For Canadian businesses, the message is clear: do not wait. Map your data, fix your consent flows, document your automated decisions, and choose vendors that align with strong privacy principles. The organizations that treat Bill C-27 as a compliance opportunity—rather than a compliance burden—will build the kind of customer trust that becomes a real competitive advantage in the years ahead.