Skip to main content
Security & Compliance7 min read

Canada's New Privacy Law (Bill C-36) and Your AI

July 13, 2026By ChatGPT.ca Team

Canada is rewriting the rulebook on privacy for the first time in a generation, and AI is squarely in its sights. Bill C-36, the Protecting Privacy and Consumer Data Act, would retire the 25-year-old PIPEDA and replace it with rules built for a world where software makes decisions about people. It is not law yet, and there is no need to panic. But if your business uses AI, or plans to, the direction of travel is clear enough that a few smart moves now will save you a painful retrofit later.

What Bill C-36 actually changes

Strip away the legal language and the bill's core ideas are straightforward, and reasonable. Privacy becomes a recognized fundamental right rather than a checkbox. Businesses must get meaningful, plain-language consent instead of burying terms in a wall of text. People gain a right to have their data deleted. And, most relevant to AI, organizations must be transparent when automated systems make significant decisions about individuals. Cross-border data transfers, common when you run AI on servers outside Canada, would need documented risk assessments. It is essentially a nudge from "collect everything, explain nothing" toward "collect what you need, explain what you do."

Where AI sits in the crosshairs

The provision that matters most for AI users is transparency around automated decision-making. If you let AI meaningfully influence decisions about people, who gets hired, approved, priced, or prioritized, you would need to disclose that and be able to explain it. That is a direct challenge to "black-box" AI, and a good reason to prefer systems you can account for.

Risky under the new directionAligned with it
AI silently scoring or ranking peopleDisclosing AI use and being able to explain it
Consent buried in dense legal textPlain-language, meaningful consent
Hoarding personal data indefinitelyKeeping only what you need, honouring deletion

This builds on the compliance thinking we laid out in Canada's AI regulations in 2026, C-36 is the privacy backbone that AI governance now hangs on.

It's not law yet, but that's the point

Here is the nuance worth holding onto: C-36 has not passed, and its obligations are not in force. You are not out of compliance with it today. But two things are already true. First, the laws that do bind you right now, PIPEDA, Quebec's Law 25, provincial privacy laws, CASL, already apply to AI in full, and regulators are already enforcing them. Second, the direction C-36 points is unambiguous and mirrors global norms. So the winning move is not to wait, it is to align now, cheaply, while your AI footprint is small and easy to shape.

Where this leaves you

Treat Bill C-36 not as a threat but as a preview of the rules of the road, and build for them now. Know where AI touches personal data in your business, be transparent when it affects people, get real consent, keep only the data you need, and prefer AI systems you can explain. Do that and you get two wins at once: you are protected under the laws that already apply today, and you are future-proofed for the ones clearly coming. In a market where trust is a competitive advantage, being able to say "we use AI responsibly, and here's how" is worth more than the compliance headache it avoids.

Frequently Asked Questions

What is Bill C-36?

Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), is Canada’s proposed overhaul of private-sector privacy law, the first major update in over 25 years. It would replace PIPEDA, the current federal law, with modern rules built for an era of AI and automated decision-making. It received first reading in the House of Commons in June 2026. Importantly, it is not yet law: it still has to pass several legislative stages and receive royal assent, and its obligations require a further order before they switch on. But its direction is clear, and it is worth understanding now.

How does Bill C-36 affect businesses that use AI?

The most AI-relevant piece is transparency around automated decision-making. If your business uses AI to make significant decisions about people, credit, hiring, eligibility, pricing, you would need to be transparent about it and able to explain it. The bill also recognizes privacy as a fundamental right, requires meaningful, plain-language consent, gives individuals a right to have their data deleted, and requires risk assessments before moving personal data outside Canada. In short, it pushes "black-box AI making decisions about people" toward "explainable, consented, documented AI".

What are the penalties, and should we be worried?

The proposed penalties are significant, reportedly tiered up to $25 million or 5% of global revenue for the most serious violations, which is why it is getting attention. But worried is the wrong word for today. The law is not yet in force, and the point is not to panic, it is to avoid building your AI systems in a way you will have to unwind later. If you adopt AI with transparency, consent, and good data hygiene from the start, you are already most of the way to compliance with where Canadian law is clearly heading.

Do we need to do anything right now if it is not law yet?

You do not need to overhaul anything overnight, but this is the moment to build good habits cheaply. The rules that already bind you, PIPEDA, Quebec’s Law 25, provincial privacy laws, CASL, apply to AI in full today, and enforcement is already happening through them. So the smart move is to align now with the clear direction: know what personal data your AI touches, be transparent when AI affects people, get real consent, and keep a light record of how your AI makes decisions. That protects you today and future-proofs you for C-36.

What is the practical checklist for a Canadian business?

Five things. First, inventory where AI touches personal information in your business. Second, be transparent, tell people when AI is involved in significant decisions about them, and be able to explain it in plain language. Third, get meaningful consent and offer a way to opt out of automated decisions. Fourth, honour deletion requests and do not hoard data you do not need. Fifth, if you run AI on infrastructure outside Canada, note it and assess the risk. None of this requires a legal department, it requires deciding your privacy posture on purpose.

Adopt AI that is ready for Canada's privacy rules

We help Canadian businesses put transparency, consent, and sound data practices in place, so your AI is compliant today and future-proofed for what's coming.

Related Articles

Security & Compliance

Canadian AI Regulations 2026: AIDA, Bill C-27 & What's Next

April 7, 2026Read more →
Security & Compliance

AI Copyright Lawsuits: What They Mean for You

July 10, 2026Read more →
Security & Compliance

HalluSquatting: When AI Hallucinations Turn Into Malware

July 9, 2026Read more →
AI
ChatGPT.ca Team

AI consultants with 100+ custom GPT builds and automation projects for 50+ Canadian businesses across 20+ industries. Based in Markham, Ontario. PIPEDA-compliant solutions.

Stay ahead of AI in Canada

Weekly case studies, new tools, and ROI playbooks for Canadian SMEs. One email, zero spam.