Canada’s main federal privacy law was written in 2000. Every major bill to replace it has died before passing. Your data is still governed by rules that predate the smartphone.
What this article covers
- What law governs your personal data in Canada right now?
- What was supposed to replace it?
- Why did it fail?
- What is the Privacy Commissioner doing without new legislation?
- Did any Canadian jurisdiction actually update its privacy law?
- What does this gap mean for your data?
- Bottom line
- Resources & tools
Canada’s federal private-sector privacy law has not been substantially updated since 2000.
In that time, smartphones were invented, social media scaled to billions of users, and AI became a daily tool for millions of Canadians. The rules governing how companies handle your data federally haven’t kept pace with any of it.
What law governs your personal data in Canada right now?
The Personal Information Protection and Electronic Documents Act (PIPEDA). It was passed in 2000 and covers how private-sector companies collect, use, and disclose personal information. Still the federal standard.
What was supposed to replace it?
Bill C-27 introduced in 2022. It was the most significant proposed overhaul in a generation. It included three parts:
- a new Consumer Privacy Protection Act,
- an AI and Data Act (AIDA), and
- an enforcement tribunal.
Why did it fail?
Parliament prorogued in January 2025. The April election wiped the legislative agenda. C-27 died on the order paper. So did C-26 (cybersecurity) and C-63 (online harms). The government has confirmed these will not return in their original form.
What is the Privacy Commissioner doing without new legislation?
Working within the existing framework. The OPC’s 2025–2026 annual report (released June 4) covers:
- the joint TikTok investigation,
- the 23andMe breach inquiry with the UK,
- a broadened probe into a social platform’s AI chatbot, and
- a youth privacy symposium.
Enforcement is happening but under 26-year-old rules.
Did any Canadian jurisdiction actually update its privacy law?
Yes, Quebec. Law 25 came into force in phases starting 2022. It introduced:
- transparency requirements,
- consent rules for automated decision-making,
- and data breach obligations.
It is the most modern privacy framework in Canada but applies only in Quebec.
If you collect data from Canadians
If you run a website, send email campaigns, or use any form of tracking or analytics, this gap affects you directly. Federally, PIPEDA still sets the bar and that bar is low. But if any of your audience is in Quebec, Law 25 applies to them now. That means stricter consent requirements, data portability rights, and mandatory breach notification.
The practical baseline: build your data practices to meet Law 25 for everyone. It’s the most modern framework in Canada, and it’s the standard most likely to inform whatever federal reform eventually passes.
What does this gap mean for your data?
The federal gap means the bar for how companies handle this varies enormously depending on where the company operates and which province you’re in.
Bottom line
Canada has the political will for privacy reform: every major party has signalled support. What it doesn’t have is a timeline. Until a new bill passes and receives royal assent, the rules governing your data federally remain a quarter-century old.
Resources & tools
Learn more
- OPC 2025–2026 Annual Report: Championing privacy in the age of AI (Office of the Privacy Commissioner of Canada) Published June 4, 2026
- Year in review 2025: Canadian digital policy (Gowling WLG)
- What 2026 may bring for Canada’s privacy reform efforts (IAPP)
- Artificial Intelligence 2026: Trends and developments (Chambers and Partners)
Get started
- New privacy obligations for businesses (Commission d’accès à l’information du Québec)
- A Guide for Individuals Protecting Your Privacy (Office of the Privacy Commissioner of Canada)