ARTICLE
26 June 2026

Canada’s Privacy Reboot: An Article-by-article Comparison Of Bills C-36 (PPCDA) And C-27 (CPPA)

GW
Gowling WLG

Contributor

Gowling WLG logo
Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.
Explore Firm Details
On June 15, 2026, the Government of Canada introduced Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), as the successor to the Consumer Privacy Protection Act (CPPA) previously proposed under Bill C-27.
Canada Privacy
Antoine Guilmain,Wendy Wagner, and Nawal Sassi
Your Author LinkedIn Connections
Antoine Guilmain’s articles from Gowling WLG are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Banking & Credit, Insurance and Technology industries

On June 15, 2026, the Government of Canada introduced Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), as the successor to the Consumer Privacy Protection Act (CPPA) previously proposed under Bill C-27. The PPCDA would overhaul Canada’s federal private-sector privacy framework, replacing the Personal Information Protection and Electronic Documents Act (PIPEDA) with a modernized statute.

While the PPCDA carries forward much of the CPPA’s structure and substance, it introduces a number of significant changes, including a new regulator named the Digital Safety and Data Protection Commission of Canada, expanded definitions, stronger cross-border transfer requirements, and a consolidated enforcement model that replaces the proposed Tribunal under Bill C-27.

The accompanying table provides a detailed, article-by-article comparison of the PPCDA and the CPPA, and is intended to help readers easily identify and understand what has changed between the two bills. Where applicable, select corresponding provisions from PIPEDA have also been included for reference and comparison purposes.

Comparative Analysis of PPCDA, CPPA, and PIPEDA

PPCDA (BILL C-36)

Protecting Privacy and Consumer Data Act

CPPA (BILL C-27)

Consumer Privacy Protection Act

PIPEDA

Personal Information Protection and Electronic Documents Act

An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts

His Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Preamble

Whereas there is a need to modernize Canada’s legislative framework so that it is suited to the digital age;

Whereas the protection of the privacy interests of individuals with respect to their personal information is essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada;

Whereas Parliament recognizes the importance of the privacy and data protection principles contained in various international instruments;

Whereas trust in the digital and data-driven economy is key to ensuring its growth and fostering a more inclusive and prosperous Canada;

Whereas Canada is a trading nation and trade and commerce rely on the analysis, circulation and exchange of personal information and data across borders and geographical boundaries;

Whereas the design, development and deployment of artificial intelligence systems across provincial and international borders should be consistent with national and international standards to protect individuals from potential harm;

Whereas organizations of all sizes operate in the digital and data-driven economy and an agile regulatory framework is necessary to facilitate compliance with rules by, and promote innovation within, those organizations;

Whereas individuals expect a regulatory framework that ensures transparency and accountability with respect to how organizations handle their personal information and that is backed by meaningful enforcement;

Whereas the modernization of national standards for privacy protection to align them with international standards ensures a level playing field for organizations across Canada and assists them in maintaining their competitive position;

Whereas a modern regulatory framework governing the protection of personal information should promote the collection responsible, use and disclosure of such information by organizations for purposes that are in the public interest;

Whereas Parliament recognizes that artificial intelligence systems and other emerging technologies should uphold Canadian norms and values in line 15 with the principles of international human rights law;

And whereas this Act aims to support the Government of Canada’s efforts to foster an environment in which Canadians can seize the benefits of the digital and data-driven economy and to establish a regulatory framework that supports and protects Canadian norms and values, including the right to privacy;

Now, therefore, Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

Short Title

Short title

1 This Act may be cited as the Digital Charter Implementation Act, 2022.

An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act

Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

Short title

1 This Act may be cited as the Personal Information Protection and Electronic Documents Act.

PART 1

Protecting Privacy and Consumer Data Act

Enactment of Act

1 The Protecting Privacy and Consumer Data Act, whose text is as follows and whose

PART 1

Consumer Privacy Protection Act

Enactment of Act

Enactment

PART 1

Protection of Personal Information in the Private Sector

schedule is set out in the schedule to this Act, is enacted:

An Act to support and promote digital commerce by protecting personal information that is collected, used or disclosed in the course of commercial activities

2 The Consumer Privacy Protection Act, whose text is as follows and whose schedule is set out in the schedule to this Act, is enacted:

An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in the course of commercial activities

  

Short Title

Short title

1 This Act may be cited as the Protecting Privacy and Consumer Data Act.

    

Interpretation

Definitions

2 (1) The following definitions apply in this Act.

alternative format, with respect to personal information, means a format that allows an individual with a sensory disability to read or listen to the personal information. (support de substitution)

anonymize means to irreversibly and permanently modify personal information to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means. (anonymiser)

automated decision system means any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep

Interpretation

Definitions

2 (1) The following definitions apply in this Act.

alternative format, with respect to personal information, means a format that allows an individual with a sensory disability to read or listen to the personal information. (support de substitution)

anonymize means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means. (anonymiser)

automated decision system means any technology that assists or replaces the judgment of human decision makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep

Interpretation

Definitions

2 (1) The definitions in this subsection apply in this Part. alternative format, with respect to personal information, means a format that allows a person with a sensory disability to read or listen to the personal information. (support de substitution)

breach of security safeguards means the loss of, unau-thorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards. (atteinte aux mesures de sécurité)

business contact information means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or

Read the original article on GowlingWLG.com

To read this article in full, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Antoine Guilmain
Antoine Guilmain
Photo of Wendy Wagner
Wendy Wagner
Photo of Nawal Sassi
Nawal Sassi
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More