Privacy Rights in Canada 2026: A Complete Guide for Individuals and Businesses
Privacy rights in Canada have entered a new era in 2026. With Quebec's Law 25 fully in force, ongoing federal reform efforts around the Consumer Privacy Protection Act (CPPA), and increasing enforcement action from the Office of the Privacy Commissioner (OPC), both Canadians and the organizations that handle their data face a more complex landscape than ever. Whether you're an individual wondering what companies can do with your personal information, or a business trying to stay compliant, understanding the current rules is essential.
This guide breaks down the state of Canadian privacy law in 2026, the rights you can exercise today, the obligations organizations must meet, and practical steps to safeguard your personal data.
The Canadian Privacy Framework in 2026
Canada's privacy regime is a layered system of federal, provincial, and sector-specific laws. Unlike the European Union's single GDPR framework, Canadians rely on a patchwork of statutes that overlap depending on where you live, where a business operates, and what kind of data is involved.
At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) continues to govern private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. The Privacy Act covers federal government institutions. Provincially, Quebec, British Columbia, and Alberta have their own private-sector privacy laws deemed "substantially similar" to PIPEDA, while Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have health-sector privacy statutes.
Key Laws at a Glance
| Law | Jurisdiction | Applies To |
|---|---|---|
| PIPEDA | Federal | Private-sector organizations engaged in commercial activity |
| Privacy Act | Federal | Federal government institutions |
| Law 25 (Quebec) | Quebec | All private-sector organizations operating in Quebec |
| PIPA (BC and Alberta) | British Columbia, Alberta | Private-sector organizations in those provinces |
| PHIPA (Ontario) | Ontario | Health information custodians |
| CASL | Federal | Commercial electronic messages and metadata collection |
Your Core Privacy Rights as a Canadian
In 2026, Canadians can rely on a well-established set of privacy rights, several of which have been strengthened by Quebec's Law 25 and ongoing federal reforms. These rights apply against organizations that hold your personal information.
1. The Right to Know
You have the right to be informed about why an organization is collecting your personal information, how it will be used, and to whom it may be disclosed. Under Law 25, organizations must now provide this information in clear, plain language and separately identify each purpose.
2. The Right to Consent
Consent must be meaningful, informed, and, in most cases, obtained before collection. Silent or pre-checked consent is no longer acceptable in Quebec, and the OPC has signaled the same expectation nationally. For sensitive data such as health, financial, or biometric information, express consent is required.
3. The Right to Access
You can request a copy of the personal information an organization holds about you, along with information about how it has been used and disclosed. Organizations generally have 30 days to respond, though extensions are permitted in limited circumstances.
4. The Right to Correction
If your personal information is inaccurate, incomplete, or outdated, you can require the organization to correct it. Where the organization refuses to make the correction, it must record the fact that the correction was requested and not made.
5. The Right to Withdraw Consent
You can withdraw consent at any time, subject to legal or contractual restrictions. Organizations must inform you of the consequences before you do so.
6. The Right to Data Portability (Quebec)
As of 2024, Quebec residents can request their computerized personal information in a structured, commonly used technological format, and can require it to be transferred to another organization. This is Canada's first true portability right, and similar provisions are expected federally under the proposed CPPA.
7. The Right to De-indexing
Also under Law 25, Quebec residents can request that search engines or other organizations cease disseminating personal information or de-index links where dissemination causes serious harm that outweighs the public interest. This is Canada's version of the "right to be forgotten."
8. The Right to Be Informed About Automated Decisions
When decisions about you are made using automated processing alone, you have the right to be informed and, on request, to receive an explanation of the reasoning and main factors involved.
What Changed in 2025-2026
The past two years have brought some of the most significant privacy developments in Canada in over a decade.
Full Enforcement of Quebec's Law 25
All phases of Law 25 are now in force. This includes mandatory privacy impact assessments, appointment of a Privacy Officer (by default the person with the highest authority in the organization), mandatory breach notification, and heightened cross-border transfer requirements. Administrative monetary penalties can reach the greater of $10 million or 2% of worldwide turnover, with penal fines rising as high as 4%.
Federal Reform: Bill C-27 and the CPPA
Federal privacy modernization has moved unevenly. Elements of Bill C-27, which proposed the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA), remain under debate in 2026. However, the OPC has adopted many of the anticipated principles in its guidance, treating them as best practices even ahead of formal enactment. Organizations that align with the draft CPPA now will be well-positioned when it eventually passes.
Increased OPC Enforcement
The Privacy Commissioner has become more assertive, launching joint investigations with provincial counterparts into large platforms, AI providers, and data brokers. High-profile findings in the past year have addressed facial recognition, use of scraped data to train generative AI, and inadequate breach response practices.
Mandatory Breach Reporting Matures
Since 2018, organizations subject to PIPEDA have been required to report breaches that pose a "real risk of significant harm" to affected individuals and the OPC. In 2026, expectations for the speed, detail, and quality of these reports have risen sharply, with the OPC publishing more granular guidance on assessment.
Obligations for Businesses Operating in Canada
If your organization collects personal information from Canadians, you must comply with PIPEDA at a minimum, and often with additional provincial laws. Below is a practical compliance checklist for 2026.
- Appoint a Privacy Officer. Publicly identify who is accountable for privacy compliance and how to contact them.
- Maintain an up-to-date privacy policy. Include specific purposes, retention periods, third-party disclosures, and cross-border transfers.
- Conduct Privacy Impact Assessments (PIAs). Required by Law 25 for any project involving personal information, and strongly recommended nationally.
- Implement data minimization. Collect only what you need for the identified purpose.
- Secure the data. Use encryption in transit and at rest, strong access controls, and regular security testing.
- Prepare a breach response plan. Document how you will assess, contain, notify, and record incidents.
- Vet vendors and processors. Contractually require equivalent protections, especially for offshore providers.
- Honour data subject requests. Have a documented workflow for access, correction, deletion, and portability.
- Assess automated decision-making. Document logic, test for bias, and prepare explanations.
- Train staff regularly. Human error remains the leading cause of breaches.
Cross-Border Data Transfers
Canadian law does not prohibit transfers of personal information outside Canada, but organizations remain accountable for it. Under Law 25, before disclosing personal information outside Quebec, organizations must conduct a formal assessment of the receiving jurisdiction's protections and enter contractual safeguards. Nationally, the OPC recommends similar practices.
This matters for anything from cloud storage to marketing automation. Even a routine tool such as a link shortener may transmit metadata across borders. Choosing services that are transparent about where data is processed, such as Lunyb for shortening and sharing links with clear privacy handling, helps limit exposure. For a broader look at the market, see our 2026 URL shortener buyer's guide.
Privacy Rights for Individuals: Practical Steps
Knowing your rights is only half the battle. Exercising them, and protecting yourself proactively, is where real privacy lives.
How to Make an Access Request
- Identify the organization's Privacy Officer or contact page.
- Submit a written request describing the information you want and specifying that it is a formal access request under PIPEDA (or the applicable provincial law).
- Provide enough information to verify your identity, but no more than necessary.
- Set a clear deadline referencing the statutory 30-day timeframe.
- If refused or ignored, file a complaint with the OPC or your provincial commissioner.
Reducing Your Data Footprint
- Review app permissions on your devices quarterly and revoke anything unnecessary.
- Use encrypted DNS resolvers such as 1.1.1.1 or 9.9.9.9 to reduce ISP-level tracking.
- Prefer privacy-respecting browsers and search engines.
- Enable multi-factor authentication on any account that supports it.
- Use unique email aliases when signing up for services to isolate breaches.
- Regularly opt out of data broker databases and marketing lists.
- Consider a password manager to eliminate reused credentials.
Filing a Complaint
If you believe an organization has mishandled your personal information, you can file a complaint with the Office of the Privacy Commissioner of Canada, or with the Commission d'accès à l'information (Quebec), Office of the Information and Privacy Commissioner (BC, Alberta), or the applicable provincial body. Complaints are free, and commissioners have the power to investigate, mediate, and, increasingly, impose penalties.
Sector Spotlights
Health Information
Health data is treated as especially sensitive across Canada. Provincial health privacy statutes such as PHIPA in Ontario and HIA in Alberta impose strict rules on custodians. Patients have robust access and correction rights, and breaches involving health data receive heightened scrutiny.
Employment
Employers must limit collection of employee information to what is reasonably necessary. Workplace monitoring, including of remote workers, must be transparently disclosed. In Ontario, employers with 25 or more employees must maintain a written electronic monitoring policy.
Children and Youth
The OPC and provincial counterparts have signaled that consent from minors requires special care. Under Law 25, personal information of a child under 14 generally requires parental consent, and marketing to minors is tightly restricted.
AI and Automated Decisions
Organizations using AI systems that process personal information must be prepared to explain the system's logic, assess and mitigate risks, and, in Quebec, notify individuals when a decision is based exclusively on automated processing.
Penalties and Enforcement Trends
Canadian privacy enforcement has historically been lighter than in Europe, but that is changing rapidly.
| Regime | Maximum Administrative Penalty | Notes |
|---|---|---|
| PIPEDA (current) | Up to $100,000 per violation for specific offences | Limited AMP powers; primarily investigative |
| Proposed CPPA | Up to 5% of global revenue or $25 million | Subject to passage of Bill C-27 |
| Quebec Law 25 | Up to 4% of worldwide turnover or $25M (penal) | Plus AMPs up to $10M or 2% |
| CASL | Up to $10 million per violation | Enforced by CRTC |
Reputational damage often exceeds financial penalties. Public findings from the OPC, class action lawsuits following breaches, and heightened media coverage all raise the stakes for organizations that treat privacy as an afterthought.
Looking Ahead: What to Expect Beyond 2026
Several trends are shaping the next chapter of Canadian privacy:
- Federal modernization is expected to eventually pass in some form, bringing Canada closer to GDPR-style penalties and rights.
- AI-specific regulation, whether through AIDA or successor bills, will impose transparency and impact assessment duties on high-risk systems.
- Children's privacy codes modeled on the UK's Age Appropriate Design Code are under discussion.
- Cross-border enforcement cooperation between Canadian, EU, and US regulators is intensifying.
- Biometric and neuro data are emerging categories that will require targeted rules.
For organizations, the safest posture is to design for the strictest applicable law, typically Quebec's Law 25 or the GDPR, and treat that as the baseline nationally. For individuals, staying informed and using privacy-respecting tools is the best defense. If you're evaluating third-party services, look for transparency about data handling, as we discuss in our honest review of Lunyb and our Rebrandly review.
Frequently Asked Questions
Does PIPEDA apply to small businesses in Canada?
Yes. PIPEDA applies to any organization engaged in commercial activity that collects, uses, or discloses personal information, regardless of size. There are limited exceptions, such as personal or journalistic activities, but most small businesses, including sole proprietors, are covered.
Do I need to comply with Quebec's Law 25 if my business is outside Quebec?
If you collect, use, or disclose personal information of individuals in Quebec in the course of business, Law 25 likely applies to you regardless of where your business is headquartered. Given its extraterritorial reach and steep penalties, most national organizations now align their practices with Law 25 across Canada.
How long does an organization have to respond to a privacy access request?
Under PIPEDA and most provincial statutes, organizations must respond within 30 days of receiving a valid access request. A single 30-day extension is permitted in limited circumstances, and you must be notified in writing of any delay along with your right to complain to the Privacy Commissioner.
What counts as a reportable breach in Canada?
Under PIPEDA, a breach must be reported to the OPC and affected individuals if it involves personal information and poses a "real risk of significant harm." This includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, or negative effects on credit records. Organizations must also keep records of all breaches, even minor ones.
Can I sue a company directly for privacy violations in Canada?
Yes, in many circumstances. Common law torts such as "intrusion upon seclusion" (recognized in Ontario) and statutory rights of action under Quebec's Law 25 and BC's Privacy Act allow individuals to seek damages. Class actions following major breaches have become increasingly common, and courts have shown willingness to award both compensatory and, occasionally, punitive damages.