facebook-pixel

Bill C-27 Digital Charter: What You Need to Know in 2026

L
Lunyb Security Team
··10 min read

Canada's privacy landscape is on the cusp of its biggest shake-up in more than two decades. Bill C-27, the Digital Charter Implementation Act, 2022, promises to modernize how personal information is collected, used, and protected — and for the first time in Canadian history, it introduces federal rules governing artificial intelligence. If you run a business that touches Canadian consumers, or you're simply a Canadian who cares about your data, this legislation matters.

This guide breaks down what Bill C-27 is, what it changes, who it affects, and how to prepare, in plain language.

What Is Bill C-27?

Bill C-27 is a proposed Canadian federal law formally titled the Digital Charter Implementation Act, 2022. It bundles three separate but connected statutes into a single piece of legislation, replacing the aging Personal Information Protection and Electronic Documents Act (PIPEDA) with a modernized privacy framework and adding new rules for AI systems.

The bill was introduced in the House of Commons in June 2022 by the Minister of Innovation, Science and Industry. It represents the federal government's second attempt to modernize PIPEDA, following the earlier Bill C-11, which died on the order paper in 2021.

The Three Acts Inside Bill C-27

  1. Consumer Privacy Protection Act (CPPA) — replaces the private-sector privacy provisions of PIPEDA.
  2. Personal Information and Data Protection Tribunal Act — creates a new tribunal to review decisions of the Privacy Commissioner and impose administrative penalties.
  3. Artificial Intelligence and Data Act (AIDA) — introduces Canada's first federal AI regulation, targeting "high-impact" systems.

Why Bill C-27 Matters

PIPEDA was enacted in 2000, long before smartphones, social platforms, generative AI, or ad-tech tracking became everyday realities. Regulators, businesses, and privacy advocates broadly agree that Canadian privacy law needs to catch up with the EU's GDPR, Quebec's Law 25, and modern consumer expectations.

Bill C-27 aims to:

  • Give Canadians clearer, stronger rights over their personal information.
  • Raise the bar on transparency, consent, and accountability for businesses.
  • Introduce meaningful penalties for non-compliance — up to 5% of global revenue or $25 million, whichever is greater.
  • Establish Canada's first regulatory framework for AI systems that could impact health, safety, or human rights.

Key Provisions of the Consumer Privacy Protection Act (CPPA)

The CPPA is the centerpiece of Bill C-27. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity.

1. Stronger, Clearer Consent Requirements

Organizations must obtain meaningful consent in plain language. That means telling individuals — at or before the time consent is requested — the purposes of collection, the way information will be used, any reasonably foreseeable consequences, the specific types of information involved, and any third parties who may receive it.

2. New Individual Rights

The CPPA introduces or strengthens several rights Canadians will have over their data:

  • Right to disposal (deletion): Individuals can request their personal information be deleted.
  • Right to data mobility: Individuals can request that their data be transferred to another organization within the same designated framework.
  • Right to explanation: Where automated decision-making is used to make a significant prediction, recommendation, or decision about an individual, they can request a plain-language explanation.
  • Right to withdraw consent at any time, subject to legal or contractual restrictions.

3. Special Protections for Minors

The CPPA treats the personal information of minors as sensitive by default. This means heightened consent standards, stricter retention rules, and stronger rights to request deletion — a significant win for youth privacy.

4. Privacy Management Programs

Every organization subject to the CPPA must implement and maintain a documented privacy management program that includes policies, practices, and procedures for handling complaints, training staff, and responding to requests. The Privacy Commissioner can request to see this program at any time.

5. Breach Notification

Organizations must notify the Privacy Commissioner and affected individuals of any breach of security safeguards that creates a "real risk of significant harm." Records of all breaches — even minor ones — must be retained.

Penalties Under Bill C-27

One of the most talked-about aspects of Bill C-27 is its enforcement teeth. PIPEDA has long been criticized for being toothless; the CPPA changes that dramatically.

Violation TypeMaximum Penalty
Administrative monetary penalties (AMPs)3% of global revenue or $10 million, whichever is greater
Serious offences (prosecution)5% of global revenue or $25 million, whichever is greater
Private right of actionIndividuals can sue for damages after regulatory finding

These are among the toughest privacy penalties in the world — comparable to, and in some cases exceeding, the GDPR's 4% global revenue cap.

The Artificial Intelligence and Data Act (AIDA)

AIDA is Canada's first attempt at federal AI regulation. It focuses on "high-impact" AI systems — a category that will be further defined in regulations, but likely includes systems used in employment decisions, biometric identification, healthcare, criminal justice, and content moderation at scale.

Core AIDA Obligations

  1. Risk assessment: Identify whether an AI system is high-impact.
  2. Risk mitigation: Establish measures to identify, assess, and mitigate risks of harm or biased output.
  3. Monitoring: Continuously monitor compliance and effectiveness of mitigation measures.
  4. Transparency: Publish plain-language descriptions of high-impact systems on a public website.
  5. Record-keeping: Maintain records demonstrating compliance.

AIDA Penalties

AIDA introduces both administrative penalties and criminal offences. The most serious offences — including making an AI system available knowing it is likely to cause serious harm — can result in fines up to 5% of global revenue or $25 million, with potential imprisonment for individuals.

The New Privacy Tribunal

Bill C-27 creates the Personal Information and Data Protection Tribunal, a six-member body that will:

  • Hear appeals of Privacy Commissioner findings.
  • Impose administrative monetary penalties.
  • Provide a faster, specialized alternative to Federal Court review.

This tribunal structure is meant to speed up enforcement while keeping the Privacy Commissioner as an independent investigator and adjudicator.

Who Does Bill C-27 Apply To?

The CPPA applies to every private-sector organization that collects, uses, or discloses personal information in the course of commercial activity in Canada. That includes:

  • Canadian businesses of every size — startups, SMBs, and enterprises.
  • Foreign businesses that offer goods or services to Canadians or handle their data.
  • Non-profits and charities, but only when engaged in commercial activity.

Provinces with "substantially similar" laws — currently Quebec, British Columbia, and Alberta for private-sector privacy — may continue to operate under their own regimes, but the CPPA still applies to inter-provincial and international data flows.

How Bill C-27 Compares to GDPR and Quebec's Law 25

FeatureBill C-27 (CPPA)GDPR (EU)Quebec Law 25
Max Fine5% global revenue / $25M CAD4% global revenue / €20M4% global revenue / $25M CAD
Right to DeletionYesYesYes
Data PortabilityLimited (framework-based)YesYes (from 2024)
Automated Decision ExplanationYesYesYes
Minors' Data SensitiveYesSpecial rulesYes
AI RegulationYes (AIDA)Separate EU AI ActIncluded partially

How to Prepare Your Business for Bill C-27

Even though Bill C-27 has moved slowly through Parliament and continues to be amended in committee, prudent organizations are preparing now. Compliance work is time-consuming, and Quebec's Law 25 already imposes similar obligations for anyone handling Quebec residents' data.

1. Conduct a Data Inventory

Map every piece of personal information your organization collects, where it comes from, where it's stored, who has access, and how long it's kept. You cannot protect what you cannot see.

2. Review and Update Consent Practices

Audit your privacy notices, cookie banners, sign-up flows, and marketing consent language. Make sure everything is written in plain, understandable language and clearly identifies purposes and third-party recipients.

3. Establish a Privacy Management Program

Document your privacy policies, roles, training, complaint-handling, and breach-response procedures. Appoint an accountable individual (a privacy officer) responsible for compliance.

4. Tighten Vendor and Marketing Tech Stacks

Third-party trackers, ad pixels, and unaudited link handlers can quietly leak user data. Review every tool that touches user information and demand data-processing agreements. When sharing links with customers or collecting analytics, choose privacy-respecting infrastructure — for example, a Canadian-friendly link shortener like Lunyb that keeps analytics tight and doesn't monetize user behavior. If you're comparing options, our 2026 URL shortener buyer's guide walks through the privacy trade-offs of the major players.

5. Prepare for Individual Rights Requests

Build workflows to handle deletion, access, correction, and portability requests within reasonable timeframes. Under the CPPA, ignoring or fumbling these requests is a fast route to a complaint and, ultimately, a penalty.

6. Assess AI Systems

If you use or develop AI — for hiring, lending, content moderation, biometric ID, or any decision that could materially affect a person — begin AIDA impact assessments now. Document the model, training data, testing, bias mitigation, and human oversight.

Common Misconceptions About Bill C-27

"It's just PIPEDA with a new name."

Not quite. The CPPA raises enforcement dramatically, adds new individual rights (like deletion and portability), and applies specific rules to minors and automated decisions. Combined with AIDA, it's a substantial expansion of Canadian data law.

"Only big tech needs to worry."

False. The CPPA applies to any private-sector organization handling personal information in commercial activity. Small businesses are not exempt — although the Privacy Commissioner is expected to take size and resources into account when assessing compliance.

"AIDA only applies to companies building AI."

Also false. AIDA applies to organizations that design, develop, make available, or manage the operation of high-impact AI systems. That includes companies that deploy vendor AI tools in high-impact contexts.

The Road Ahead

As of 2026, Bill C-27 has moved through committee study with significant amendments and continues to be debated. The final law may differ from the version originally tabled — particularly around AIDA, which has drawn extensive stakeholder feedback. Expect a transition period of 12 to 24 months after royal assent before full enforcement kicks in.

In the meantime, Quebec's Law 25 is already in force, GDPR continues to shape global standards, and public expectations around privacy have never been higher. Businesses that treat Bill C-27 as a compliance opportunity rather than a burden will be best positioned to earn — and keep — customer trust.

Frequently Asked Questions

When will Bill C-27 come into force?

Bill C-27 has not yet received royal assent as of early 2026 and continues to be studied and amended in Parliament. Once passed, most provisions typically come into force after a transition period — often 12 to 24 months — to give organizations time to comply.

Does Bill C-27 apply to small businesses?

Yes. The Consumer Privacy Protection Act applies to any private-sector organization engaged in commercial activity, regardless of size. However, the Privacy Commissioner is expected to consider the size and resources of an organization when evaluating what constitutes reasonable compliance efforts.

How is Bill C-27 different from Quebec's Law 25?

Quebec's Law 25 is already in force and applies specifically to organizations handling Quebec residents' data. Bill C-27 is federal and applies across Canada. The two are broadly aligned on core rights (consent, deletion, portability, transparency), but Bill C-27 adds federal AI regulation through AIDA, which Law 25 does not.

What counts as a "high-impact" AI system under AIDA?

The exact definition is being finalized in regulations, but high-impact systems generally include AI used in employment decisions, biometric identification, healthcare, essential services, criminal justice, and large-scale content moderation. Any system whose output could materially affect a person's rights, health, safety, or economic interests is a candidate.

What are the penalties for non-compliance with Bill C-27?

Administrative monetary penalties can reach 3% of global revenue or $10 million, whichever is greater. For serious offences prosecuted in court, fines can rise to 5% of global revenue or $25 million. AIDA introduces additional penalties, including potential criminal liability for the most severe violations.

This article provides general information and is not legal advice. Consult a qualified Canadian privacy lawyer for guidance specific to your organization.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles