
Privacy Rights in Canada 2026: A Complete Guide for Individuals and Businesses

Lunyb Security Team
11 min read

Privacy rights in Canada have entered a new era in 2026. With Quebec's Law 25 fully in force, ongoing federal reform efforts around the Consumer Privacy Protection Act (CPPA), and increasing enforcement action from the Office of the Privacy Commissioner (OPC), both Canadians and the organizations that handle their data face a more complex landscape than ever. Whether you're an individual wondering what companies can do with your personal information, or a business trying to stay compliant, understanding the current rules is essential.

This guide breaks down the state of Canadian privacy law in 2026, the rights you can exercise today, the obligations organizations must meet, and practical steps to safeguard your personal data.

The Canadian Privacy Framework in 2026

Canada's privacy regime is a layered system of federal, provincial, and sector-specific laws. Unlike the European Union's single GDPR framework, Canadians rely on a patchwork of statutes that overlap depending on where you live, where a business operates, and what kind of data is involved.

At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) continues to govern private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. The Privacy Act covers federal government institutions. Provincially, Quebec, British Columbia, and Alberta have their own private-sector privacy laws deemed "substantially similar" to PIPEDA, while Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have health-sector privacy statutes.

Key Laws at a Glance

| Law | Jurisdiction | Applies To |
| --- | --- | --- |
| PIPEDA | Federal | Private-sector organizations engaged in commercial activity |
| Privacy Act | Federal | Federal government institutions |
| Law 25 (Quebec) | Quebec | All private-sector organizations operating in Quebec |
| PIPA (BC and Alberta) | British Columbia, Alberta | Private-sector organizations in those provinces |
| PHIPA (Ontario) | Ontario | Health information custodians |
| CASL | Federal | Commercial electronic messages, installation of computer programs, and alteration of transmission data |

Your Core Privacy Rights as a Canadian

In 2026, Canadians can rely on a well-established set of privacy rights, several of which have been strengthened by Quebec's Law 25 and ongoing federal reforms. These rights apply against organizations that hold your personal information.

1. The Right to Know

You have the right to be informed about why an organization is collecting your personal information, how it will be used, and to whom it may be disclosed. Under Law 25, organizations must now provide this information in clear, plain language and separately identify each purpose.

2. The Right to Consent

Consent must be meaningful, informed, and, in most cases, obtained before collection. Silent or pre-checked consent is no longer acceptable in Quebec, and the OPC has signaled the same expectation nationally. For sensitive data such as health, financial, or biometric information, express consent is required.

3. The Right to Access

You can request a copy of the personal information an organization holds about you, along with information about how it has been used and disclosed. Organizations generally have 30 days to respond, though extensions are permitted in limited circumstances.

4. The Right to Correction

If your personal information is inaccurate, incomplete, or outdated, you can require the organization to correct it. Where correction is refused, they must document the disagreement.

5. The Right to Withdraw Consent

You can withdraw consent at any time, subject to legal or contractual restrictions. Organizations must inform you of the consequences before you do so.

6. The Right to Data Portability (Quebec)

As of 2024, Quebec residents can request their computerized personal information in a structured, commonly used technological format, and can require it to be transferred to another organization. This is Canada's first true portability right, and similar provisions are expected federally under the proposed CPPA.

7. The Right to De-indexing

Also under Law 25, Quebec residents can request that search engines or other organizations cease disseminating personal information or de-index links where dissemination causes serious harm that outweighs the public interest. This is Canada's version of the "right to be forgotten."

8. The Right to Be Informed About Automated Decisions

When a decision about you is made using automated processing alone, you have the right to be informed of this at or before the time the decision is communicated and, on request, to receive an explanation of the reasoning and main factors involved. Under Law 25 you may also submit observations to a person in the organization who is able to review the decision.

What Changed in 2025-2026

The past two years have brought some of the most significant privacy developments in Canada in over a decade.

Full Enforcement of Quebec's Law 25

All phases of Law 25 are now in force. This includes mandatory privacy impact assessments, appointment of a Privacy Officer (by default the person with the highest authority in the organization), mandatory breach notification, and heightened cross-border transfer requirements. Administrative monetary penalties can reach the greater of $10 million or 2% of worldwide turnover, with penal fines rising as high as 4%.

Federal Reform: Bill C-27 and the CPPA

Federal privacy modernization has moved unevenly. Bill C-27, which proposed the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA), died on the Order Paper when Parliament was prorogued in January 2025, and the reforms it carried remain under debate in 2026. In the meantime, the OPC has adopted many of the anticipated principles in its guidance, treating them as best practices ahead of formal enactment. Organizations that align with the draft CPPA now will be well-positioned when reform eventually passes.

Increased OPC Enforcement

The Privacy Commissioner has become more assertive, launching joint investigations with provincial counterparts into large platforms, AI providers, and data brokers. High-profile findings in the past year have addressed facial recognition, use of scraped data to train generative AI, and inadequate breach response practices.

Mandatory Breach Reporting Matures

Since 2018, organizations subject to PIPEDA have been required to report breaches that pose a "real risk of significant harm" to affected individuals and the OPC. In 2026, expectations for the speed, detail, and quality of these reports have risen sharply, with the OPC publishing more granular guidance on assessment.

Obligations for Businesses Operating in Canada

If your organization collects personal information from Canadians, you must comply with PIPEDA at a minimum, and often with additional provincial laws. Below is a practical compliance checklist for 2026.

  1. Appoint a Privacy Officer. Publicly identify who is accountable for privacy compliance and how to contact them.
  2. Maintain an up-to-date privacy policy. Include specific purposes, retention periods, third-party disclosures, and cross-border transfers.
  3. Conduct Privacy Impact Assessments (PIAs). Law 25 requires one for any project to acquire, develop, or redesign an information system or electronic service that involves personal information, and before communicating personal information outside Quebec. A PIA is strongly recommended nationally.
  4. Implement data minimization. Collect only what you need for the identified purpose.
  5. Secure the data. Use encryption in transit and at rest, strong access controls, and regular security testing.
  6. Prepare a breach response plan. Document how you will assess, contain, notify, and record incidents.
  7. Vet vendors and processors. Contractually require equivalent protections, especially for offshore providers.
  8. Honour data subject requests. Have a documented workflow for access, correction, deletion, and portability.
  9. Assess automated decision-making. Document logic, test for bias, and prepare explanations.
  10. Train staff regularly. Human error, from phishing to misdirected e-mail, is consistently among the leading causes of reported breaches.

Cross-Border Data Transfers

Canadian law does not prohibit transfers of personal information outside Canada, but organizations remain accountable for it. Under Law 25, before disclosing personal information outside Quebec, organizations must conduct a formal assessment of the receiving jurisdiction's protections and enter contractual safeguards. Nationally, the OPC recommends similar practices.

This matters for anything from cloud storage to marketing automation. Even a routine tool such as a link shortener may transmit metadata across borders. Choosing services that are transparent about where data is processed, such as Lunyb for shortening and sharing links with clear privacy handling, helps limit exposure. For a broader look at the market, see our 2026 URL shortener buyer's guide.

Privacy Rights for Individuals: Practical Steps

Knowing your rights is only half the battle. Exercising them, and protecting yourself proactively, is where real privacy lives.

How to Make an Access Request

  1. Identify the organization's Privacy Officer or contact page.
  2. Submit a written request describing the information you want and specifying that it is a formal access request under PIPEDA (or the applicable provincial law).
  3. Provide enough information to verify your identity, but no more than necessary.
  4. Set a clear deadline referencing the statutory 30-day timeframe.
  5. If refused or ignored, file a complaint with the OPC or your provincial commissioner.

Reducing Your Data Footprint

  • Review app permissions on your devices quarterly and revoke anything unnecessary.
  • Use encrypted DNS resolvers such as 1.1.1.1 or 9.9.9.9 to reduce ISP-level tracking. Pointing your system at those addresses is not enough on its own: queries stay in plaintext on port 53 unless DNS over TLS or DNS over HTTPS is actually enabled in the operating system or browser.
  • Prefer privacy-respecting browsers and search engines.
  • Enable multi-factor authentication on any account that supports it.
  • Use unique email aliases when signing up for services to isolate breaches.
  • Regularly opt out of data broker databases and marketing lists.
  • Consider a password manager to eliminate reused credentials.
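The encrypted-DNS tip above is the one most often misconfigured, so here is an added example (not from the original article) of the weak and the corrected setting for a Linux host running systemd-resolved. The file path and the drop-in name `dot.conf` are assumptions; the resolver addresses and hostnames are the public ones for Cloudflare and Quad9.

```ini
; /etc/systemd/resolved.conf.d/dot.conf  (assumed path for this example)
;
; WEAK: this only changes *which* resolver sees your queries.
; DNSOverTLS is unset, so lookups still leave the machine in plaintext
; on UDP/TCP 53 and remain visible to the ISP or anyone on the path.
;
; [Resolve]
; DNS=1.1.1.1 9.9.9.9

; CORRECTED: strict DNS over TLS. The "#hostname" suffix is the name
; used for certificate validation (SNI), and DNSOverTLS=yes means
; resolution fails closed if a TLS session cannot be established
; instead of silently falling back to port 53.
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
; Clear the compiled-in fallback list so a TLS failure cannot
; quietly route queries to an unencrypted fallback resolver.
FallbackDNS=
DNSOverTLS=yes
```

After writing the file, run `sudo systemctl restart systemd-resolved` and check `resolvectl status`: the link should list `+DNSOverTLS` and the resolvers with their `#hostname` suffix. A quick packet capture (`sudo tcpdump -ni any port 53`) while browsing should show no traffic; if it does, something is bypassing the system resolver (a browser with its own DNS settings, a VPN client, or a container runtime) and needs the same treatment.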

Filing a Complaint

If you believe an organization has mishandled your personal information, you can file a complaint with the Office of the Privacy Commissioner of Canada, or with the Commission d'accès à l'information (Quebec), the Office of the Information and Privacy Commissioner of British Columbia or of Alberta, or the applicable provincial body. Complaints are free, and commissioners have the power to investigate, mediate, and, increasingly, impose penalties.

Sector Spotlights

Health Information

Health data is treated as especially sensitive across Canada. Provincial health privacy statutes such as PHIPA in Ontario and HIA in Alberta impose strict rules on custodians. Patients have robust access and correction rights, and breaches involving health data receive heightened scrutiny.

Employment

Employers must limit collection of employee information to what is reasonably necessary. Workplace monitoring, including of remote workers, must be transparently disclosed. In Ontario, employers with 25 or more employees must maintain a written electronic monitoring policy.

Children and Youth

The OPC and provincial counterparts have signaled that consent from minors requires special care. Under Law 25, personal information of a child under 14 generally requires parental consent, and marketing to minors is tightly restricted.

AI and Automated Decisions

Organizations using AI systems that process personal information must be prepared to explain the system's logic, assess and mitigate risks, and, in Quebec, notify individuals when a decision is based exclusively on automated processing.

Penalties and Enforcement Trends

Canadian privacy enforcement has historically been lighter than in Europe, but that is changing rapidly.

| Regime | Maximum Penalty | Notes |
| --- | --- | --- |
| PIPEDA (current) | Fines up to $100,000 per offence (e.g. failing to report or record a breach, obstructing an investigation) | No administrative monetary penalty power; the OPC investigates and makes findings and recommendations |
| Proposed CPPA | Up to the greater of 5% of global revenue or $25 million for offences | AMPs up to the greater of 3% of global revenue or $10 million; subject to enactment of successor legislation to Bill C-27 |
| Quebec Law 25 | Penal fines up to the greater of 4% of worldwide turnover or $25 million | Plus AMPs up to the greater of 2% of worldwide turnover or $10 million |
| CASL | AMPs up to $10 million per violation for organizations ($1 million for individuals) | Enforced by the CRTC |

Reputational damage often exceeds financial penalties. Public findings from the OPC, class action lawsuits following breaches, and heightened media coverage all raise the stakes for organizations that treat privacy as an afterthought.

Looking Ahead: What to Expect Beyond 2026

Several trends are shaping the next chapter of Canadian privacy:

  • Federal modernization is expected to eventually pass in some form, bringing Canada closer to GDPR-style penalties and rights.
  • AI-specific regulation, whether through AIDA or successor bills, will impose transparency and impact assessment duties on high-risk systems.
  • Children's privacy codes modeled on the UK's Age Appropriate Design Code are under discussion.
  • Cross-border enforcement cooperation between Canadian, EU, and US regulators is intensifying.
  • Biometric and neuro data are emerging categories that will require targeted rules.

For organizations, the safest posture is to design for the strictest applicable law, typically Quebec's Law 25 or the GDPR, and treat that as the baseline nationally. For individuals, staying informed and using privacy-respecting tools is the best defense. If you're evaluating third-party services, look for transparency about data handling, as we discuss in our honest review of Lunyb and our Rebrandly review.

Frequently Asked Questions

Does PIPEDA apply to small businesses in Canada?

Yes. PIPEDA applies to any organization engaged in commercial activity that collects, uses, or discloses personal information, regardless of size. There are limited exceptions, such as personal or journalistic activities, but most small businesses, including sole proprietors, are covered. In Quebec, British Columbia, and Alberta, the provincial private-sector law applies instead to activity that stays within the province, with PIPEDA still governing interprovincial and international transfers.

Do I need to comply with Quebec's Law 25 if my business is outside Quebec?

If you collect, use, or disclose personal information of individuals in Quebec in the course of business, Law 25 likely applies to you regardless of where your business is headquartered. Given its extraterritorial reach and steep penalties, most national organizations now align their practices with Law 25 across Canada.

How long does an organization have to respond to a privacy access request?

Under PIPEDA and most provincial statutes, organizations must respond within 30 days of receiving a valid access request. A single 30-day extension is permitted in limited circumstances, and you must be notified in writing of any delay along with your right to complain to the Privacy Commissioner.

What counts as a reportable breach in Canada?

Under PIPEDA, a breach of security safeguards must be reported to the OPC, and affected individuals must be notified, as soon as feasible if it is reasonable to believe the breach creates a "real risk of significant harm" to an individual. The assessment turns on the sensitivity of the information and the probability it will be misused; "significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business or professional opportunities, financial loss, identity theft, negative effects on credit records, and damage to or loss of property. Organizations must also keep records of every breach, even those that do not meet the reporting threshold, for 24 months, and the OPC can request them.

Can I sue a company directly for privacy violations in Canada?

Yes, in many circumstances. Common law torts such as "intrusion upon seclusion" (recognized in Ontario) and statutory rights of action under Quebec's Law 25 and BC's Privacy Act allow individuals to seek damages. Class actions following major breaches have become increasingly common, and courts have shown willingness to award both compensatory and, occasionally, punitive damages.
