Privacy Rights in Canada 2026: Your Complete Guide to PIPEDA and Bill C-27

Lunyb Security Team

Privacy rights in Canada are evolving rapidly as the federal government modernizes its decades-old privacy framework. With Bill C-27 (the Digital Charter Implementation Act) reshaping how organizations collect, use, and disclose personal information, every Canadian should understand what protections apply in 2026 and how to enforce them.

This guide explains the current state of Canadian privacy law, the rights you have as an individual, what's changing with new legislation, and the practical steps you can take to protect your personal data online and offline.

What Are Privacy Rights in Canada?

Privacy rights in Canada are legal protections that give individuals control over how their personal information is collected, used, stored, and disclosed by governments and private organizations. These rights are grounded in both federal and provincial legislation, the Canadian Charter of Rights and Freedoms, and common law principles.

At the federal level, two primary statutes govern privacy:

  • The Privacy Act – governs how federal government institutions handle personal information.
  • PIPEDA (Personal Information Protection and Electronic Documents Act) – applies to private-sector organizations engaged in commercial activities.

Several provinces (Alberta, British Columbia, and Quebec) have their own substantially similar private-sector privacy laws, while Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have sector-specific health privacy laws.

The Core Privacy Rights Every Canadian Has in 2026

Under PIPEDA and equivalent provincial laws, Canadians have ten fair information principles that translate into enforceable rights. Here are the most important ones in 2026:

1. The Right to Be Informed

Organizations must clearly explain why they're collecting your personal information, how they'll use it, and who they'll share it with — before or at the time of collection.

2. The Right to Consent

Your meaningful consent is required for the collection, use, or disclosure of your personal information. Consent must be specific and informed, and it can typically be withdrawn at any time.

3. The Right to Access Your Data

You can request to see what personal information an organization holds about you, how it has been used, and to whom it has been disclosed. Organizations generally must respond within 30 days.

4. The Right to Correction

If your personal information is inaccurate or incomplete, you have the right to challenge it and have it corrected.

5. The Right to Withdraw Consent

You can withdraw consent at any time, subject to legal or contractual restrictions, and the organization must inform you of the implications of doing so.

6. The Right to File a Complaint

If you believe an organization has mishandled your personal information, you can complain to the Office of the Privacy Commissioner of Canada (OPC) or your provincial commissioner.

7. The Right to Data Security

Organizations must protect your personal information with safeguards appropriate to its sensitivity, including physical, organizational, and technological measures.

Bill C-27 and the Future of Canadian Privacy Law

Bill C-27, the Digital Charter Implementation Act, is the most significant overhaul of Canadian private-sector privacy law in over two decades. It introduces three new statutes:

  • Consumer Privacy Protection Act (CPPA) – replaces PIPEDA's privacy provisions.
  • Personal Information and Data Protection Tribunal Act – establishes a new tribunal to hear privacy appeals and impose penalties.
  • Artificial Intelligence and Data Act (AIDA) – Canada's first AI-specific legislation.

Key Changes Under the CPPA

| Area | Current PIPEDA | CPPA (Bill C-27) |
|---|---|---|
| Maximum fines | Up to $100,000 | Up to 5% of global revenue or $25 million |
| Right to data portability | Not explicitly recognized | Explicit right introduced |
| Right to disposal (deletion) | Limited | Express right to request deletion |
| Algorithmic transparency | Not addressed | Right to explanation for automated decisions |
| Children's privacy | Not specifically addressed | Minors' data treated as sensitive by default |
| Enforcement | OPC investigates and recommends | OPC issues binding orders; Tribunal imposes penalties |

The Artificial Intelligence and Data Act (AIDA)

AIDA introduces obligations for organizations that develop or deploy "high-impact" AI systems, including risk assessments, transparency requirements, and bias mitigation. Penalties for non-compliance can reach up to 5% of global revenue or $25 million.

Provincial Privacy Laws You Should Know

Privacy in Canada is a shared jurisdiction between federal and provincial governments. Several provinces have their own private-sector privacy laws that apply instead of PIPEDA within their borders.

Quebec — Law 25

Quebec's Law 25 (formerly Bill 64) is the strictest privacy law in Canada. Fully in force since 2024, it includes:

  • Mandatory privacy officers for all organizations.
  • Privacy impact assessments for new technology projects.
  • Explicit consent requirements for biometric and sensitive data.
  • Fines up to 4% of worldwide turnover or $25 million.
  • A robust right to data portability and the right to be forgotten.

Alberta and British Columbia — PIPA

Both provinces have their own Personal Information Protection Acts (PIPA) that closely mirror PIPEDA but with provincial enforcement through their respective privacy commissioners.

Health Privacy Laws

Ontario (PHIPA), New Brunswick (PHIPAA), Newfoundland and Labrador (PHIA), and Nova Scotia (PHIA) have health-sector-specific laws governing personal health information.

How to Exercise Your Privacy Rights

Knowing your rights is only half the battle. Here's a practical, step-by-step process for asserting them in 2026:

  1. Identify the organization – Determine who holds your data and which law applies (federal, provincial, or sector-specific).
  2. Find the privacy officer – Every organization subject to PIPEDA must designate someone responsible for privacy compliance. Their contact info should be on the company's website.
  3. Submit a written request – Send a clear, written request specifying what you want (access, correction, deletion, withdrawal of consent). Keep a copy.
  4. Wait for a response – Organizations generally have 30 days to respond. They can request a 30-day extension in limited circumstances.
  5. Escalate if needed – If you're unsatisfied, file a complaint with the appropriate privacy commissioner.

How to File a Privacy Complaint in Canada

The Office of the Privacy Commissioner of Canada (OPC) is the federal regulator that investigates complaints under PIPEDA and the Privacy Act. The process is free and accessible to any individual.

Steps to File a Complaint

  1. Try to resolve directly first – The OPC generally requires you to first raise your concern with the organization.
  2. Gather documentation – Collect copies of correspondence, screenshots, dates, and any responses received.
  3. Submit your complaint – File online at priv.gc.ca, by mail, or by phone. Complaints must usually be filed within one year of the issue.
  4. Cooperate with the investigation – The OPC may interview you and the organization, request documents, and attempt mediation.
  5. Receive findings – The OPC issues a Report of Findings. Under Bill C-27, the OPC will also gain order-making powers.
  6. Apply to Federal Court – If unsatisfied, you can seek damages or other remedies in Federal Court.

Canadians dealing with international issues may also want to compare regulatory approaches — for example, our guide on filing OAIC complaints in Australia shows how similar Commonwealth regimes handle privacy breaches.

Common Privacy Threats Canadians Face in 2026

Understanding your rights is essential, but so is recognizing the threats. Here are the most common privacy risks Canadians encounter in 2026:

Data Breaches

Breaches involving "real risk of significant harm" must be reported to the OPC and affected individuals under PIPEDA. In 2025, Canada saw record-breaking breach notifications across financial, healthcare, and retail sectors.

Tracking and Profiling

Cookies, pixels, fingerprinting, and link tracking can build detailed profiles of your online behaviour. Privacy-focused tools — such as a URL shortener that doesn't sell click data, like Lunyb — can reduce your exposure when sharing links.

Phishing and Smishing

Fraudulent links delivered by email or SMS remain the leading cause of personal data compromise. Password-protecting sensitive shared links is one defence.

AI and Automated Decisions

From insurance pricing to job screening, automated decisions increasingly affect Canadians. Under the CPPA, you'll have a clearer right to an explanation when significant decisions are made about you by an algorithm.

Practical Tips to Protect Your Privacy in 2026

Beyond legal rights, there are concrete steps you can take to safeguard your personal information:

  1. Read privacy policies – Focus on what data is collected, why, and with whom it's shared.
  2. Use strong, unique passwords – Combined with a password manager and two-factor authentication.
  3. Limit social media exposure – Review privacy settings every quarter and remove unused apps.
  4. Be cautious with QR codes and short links – Always preview before clicking. See our QR code business guide for safe creation practices.
  5. Encrypt sensitive communications – Use end-to-end encrypted messaging and email where possible.
  6. Choose privacy-respecting tools – Pick services that minimize data collection. Our roundup of the best URL shorteners in 2026 evaluates each provider's privacy practices.
  7. Request data deletion regularly – Periodically ask services you no longer use to delete your account and data.

Privacy Rights for Businesses Operating in Canada

If you run a business that handles Canadians' personal information, compliance is non-negotiable in 2026. Key obligations include:

  • Appointing a privacy officer accountable for compliance.
  • Maintaining a clear, accessible privacy policy.
  • Obtaining meaningful consent before collection.
  • Limiting collection to what's necessary for an identified purpose.
  • Implementing appropriate safeguards based on data sensitivity.
  • Reporting breaches involving real risk of significant harm.
  • Conducting privacy impact assessments for new initiatives.
  • Preparing for CPPA's expanded obligations, including data portability and deletion requests.

Pros and Cons of Canada's Privacy Framework in 2026

Pros:

  • Strong principles-based framework adaptable to new technologies.
  • Robust independent oversight by the OPC and provincial commissioners.
  • Significant penalties under Quebec's Law 25 and incoming CPPA.
  • Free, accessible complaint process for individuals.

Cons:

  • Federal modernization (Bill C-27) has been slower than EU/UK reforms.
  • Patchwork of federal/provincial laws creates complexity.
  • Limited statutory damages for individuals compared to GDPR.
  • AIDA has been criticized for vague definitions of "high-impact" AI.

Frequently Asked Questions

Is PIPEDA still in effect in 2026?

Yes. PIPEDA remains the governing federal private-sector privacy law in Canada until Bill C-27's Consumer Privacy Protection Act is fully proclaimed and replaces it. Even after replacement, transitional provisions are expected to apply.

Do I have a "right to be forgotten" in Canada?

Not in the same form as the EU's GDPR. However, under PIPEDA you can withdraw consent and request deletion in many cases, and Quebec's Law 25 includes an explicit right to de-indexing. Bill C-27's CPPA introduces a clearer right to disposal of personal information.

How long do I have to file a privacy complaint with the OPC?

Generally, you must file a complaint within one year of becoming aware of the issue. The OPC has discretion to accept late complaints in exceptional circumstances.

Can I sue an organization for a privacy breach in Canada?

Yes. After receiving an OPC report, individuals can apply to the Federal Court for damages and other remedies. Provincial torts such as "intrusion upon seclusion" (recognized in Ontario) also allow direct civil action. Class actions for major breaches are increasingly common.

Does Canadian privacy law apply to foreign companies?

Yes, when there is a real and substantial connection to Canada — for example, when foreign companies collect personal information from Canadians or do business in Canada. The OPC has asserted jurisdiction over global platforms in numerous investigations.

Final Thoughts

Privacy rights in Canada in 2026 sit at an inflection point. PIPEDA still governs the private sector federally, Quebec's Law 25 sets a high bar provincially, and Bill C-27 is poised to reshape the landscape with stronger penalties, new individual rights, and Canada's first AI-specific law. As a Canadian, you have meaningful tools — access requests, consent withdrawal, deletion requests, and free complaints to the OPC — to take control of your personal information.

The most effective strategy combines legal knowledge with practical privacy hygiene: choose privacy-respecting tools, audit your digital footprint regularly, and don't hesitate to exercise your rights when something feels wrong. In an era of constant data collection, informed Canadians are empowered Canadians.
