Bill C-36 Consumer Data Act
C-36 An Act to Enact the Protecting Privacy and Consumer Data Act, to Amend the Personal Information Protection and Electronic Documents Act and to Make Amendments to Other Acts
Bill Type: House Government Bill
Bill Sponsor: Minister of Artificial Intelligence and Digital Innovation
STATUS
Status: Introduced — 1st Reading, June 15, 2026 This Bill comes into force by Order in Council.
How would YOU vote? Scroll down to vote and comment below.
WHAT IS THIS BILL FOR?
Bill C-36 replaces Canada's existing private-sector Privacy Law (PIPEDA) with a new, stronger Act called the Protecting Privacy and Consumer Data Act. It sets out rules for how businesses collect, use and share your personal information and creates a new enforcement body with real teeth to hold them accountable.
WHO GAINS POWER
- The new Digital Safety and Data Protection Commission of Canada — a renamed and expanded version of the existing Digital Safety Commission — gets broad authority to investigate, audit, fine and order businesses to comply
- The Privacy and Consumer Data Commissioner (a newly designated role within the Commission) can launch complaints, conduct audits and enter business premises without a warrant
- The Privacy and Consumer Data Division handles dispute resolution, certification programs and interim orders
- Government institutions retain the ability to request personal information from businesses for Law Enforcement, National Security and regulatory purposes — without your knowledge or consent
- Individuals gain new rights: access to their data, the right to have it deleted, the right to move it to another organization and the right to sue for damages after a confirmed violation
- ⚠️ The Governor in Council (Government) can exempt entire Provinces, classes of organizations or activities from this Act by Order — with no requirement for a Parliamentary vote = Singular Authority
WHO LOSES POWER
- Businesses lose the ability to collect, use or share personal information without a clear lawful basis — consent, legitimate interest or a listed exception
- Organizations using automated decision systems must now explain to individuals how decisions affecting them were made and allow written representations
- Service providers (contractors, subsidiaries, affiliates) are bound by the same data protection standards as the organizations they serve
- ⚠️ Individuals lose access to information about government requests for their data if a government institution objects — and the organization is prohibited from even telling you that a request was made or that the Commission was notified
WHO GAINS MONEY
- Individuals can sue organizations directly for damages after a confirmed contravention — in Federal Court or a Provincial Superior Court
- The Receiver General collects all administrative monetary penalties paid under this Act
- Legal and compliance professionals will see significant demand as organizations build privacy management programs, conduct privacy impact assessments and navigate certification processes
WHO LOSES MONEY
- Businesses that violate the Act face penalties up to the greater of $10,000,000 or 3% of gross global revenue per investigation
- Serious offenders (knowingly concealing breaches, obstructing investigations) face criminal fines up to the greater of $25,000,000 or 5% of gross global revenue
- All organizations face compliance costs: privacy management programs, impact assessments, breach reporting systems, data mobility infrastructure and potential third-party audits
THE CATCH
- ⚠️ "Legitimate interest" is defined by the organization itself — a business can collect or use your data without consent if it decides its interest outweighs your privacy, subject to a self-conducted impact assessment. The Commission reviews this after the fact, not before
- ⚠️ Regulations define the details — what counts as a "business activity," what information can be collected without consent, what security safeguards are required and what data can be publicly disclosed are all left to regulations made by the Governor in Council, meaning the rules can change without Parliament voting on them
- ⚠️ Government access without your knowledge — businesses can share your data with Government institutions for Law Enforcement, National Security and regulatory purposes without telling you and are prohibited from disclosing that the request was made
- ⚠️ The Bill does not come into force until a separate Bill (C-34, the Safe Social Media Act) also receives Royal Assent — meaning this privacy Law is contingent on unrelated Legislation passing first
- ⚠️ De-identified data is not fully protected — organizations can re-identify individuals in specific circumstances authorized by the Division and de-identified data remains "personal information" under the Act
SOURCE