Where Canada’s privacy law stands

Canada’s main federal privacy law was written in 2000. Every major bill to replace it has died before passing. Your data is still governed by rules that predate the smartphone.

Canada’s federal private-sector privacy law has not been substantially updated since 2000.
In that time, smartphones were invented, social media scaled to billions of users, and AI became a daily tool for millions of Canadians. The rules governing how companies handle your data federally haven’t kept pace with any of it.

What law governs your personal data in Canada right now?

The Personal Information Protection and Electronic Documents Act (PIPEDA). It was passed in 2000 and covers how private-sector companies collect, use, and disclose personal information. Still the federal standard.

What was supposed to replace it?

Bill C-27 introduced in 2022. It was the most significant proposed overhaul in a generation. It included three parts:

  • a new Consumer Privacy Protection Act,
  • an AI and Data Act (AIDA), and
  • an enforcement tribunal.

Why did it fail?

Parliament prorogued in January 2025. The April election wiped the legislative agenda. C-27 died on the order paper. So did C-26 (cybersecurity) and C-63 (online harms). The government has confirmed these will not return in their original form.

What is the Privacy Commissioner doing without new legislation?

Working within the existing framework. The OPC’s 2025–2026 annual report (released June 4) covers:

  • the joint TikTok investigation,
  • the 23andMe breach inquiry with the UK,
  • a broadened probe into a social platform’s AI chatbot, and
  • a youth privacy symposium.

Enforcement is happening but under 26-year-old rules.

Did any Canadian jurisdiction actually update its privacy law?

Yes, Quebec. Law 25 came into force in phases starting 2022. It introduced:

  • transparency requirements,
  • consent rules for automated decision-making,
  • and data breach obligations.

It is the most modern privacy framework in Canada but applies only in Quebec.

If you collect data from Canadians

If you run a website, send email campaigns, or use any form of tracking or analytics, this gap affects you directly. Federally, PIPEDA still sets the bar and that bar is low. But if any of your audience is in Quebec, Law 25 applies to them now. That means stricter consent requirements, data portability rights, and mandatory breach notification.

The practical baseline: build your data practices to meet Law 25 for everyone. It’s the most modern framework in Canada, and it’s the standard most likely to inform whatever federal reform eventually passes.

What does this gap mean for your data?

The federal gap means the bar for how companies handle this varies enormously depending on where the company operates and which province you’re in.

2000
Year PIPEDA was enacted / Canada’s current federal private-sector privacy law
Still in force today
3
Major federal bills that died on the order paper in January 2025
C-27, C-26, C-63
57%
Canadians who have used an AI tool, up from 47% just months earlier
83% of those aged 18–34
26.8%
Canadian internet users aged 16+ using ChatGPT monthly in 2026
Jumped to 6th most-visited site in Canada
$25M
Maximum fine proposed under the failed Bill C-27 or 5% of gross global revenue
PIPEDA’s current max: $100K
1
Canadian jurisdiction with a modern privacy framework: Quebec, since 2022
No federal equivalent exists

Bottom line

Canada has the political will for privacy reform: every major party has signalled support. What it doesn’t have is a timeline. Until a new bill passes and receives royal assent, the rules governing your data federally remain a quarter-century old.

Resources & tools

Learn more

Get started