Preparing for new privacy legislation in Canada: Part One

How Canadian companies should respond to the new Consumer Privacy Protection Act (Bill C-27)

Neil Saddington, Privacy Program Director, OneTrust
April 20, 2023


I remember this headline well, and you may too: Back in 2017, the Economist published “The world’s most valuable resource is no longer oil, but data.” While that article focused on antitrust issues surrounding internet giants like Meta, Amazon, and Alphabet, many believed that the gist of the piece was right: Data was increasingly becoming the key resource for the digital world. But gathering and managing data is getting more challenging. Consumers are pushing back, worried about privacy and demanding more control over how their personal information is collected and used. And governments around the world are responding, including with a significant new piece of legislation in Canada: Bill C-27.

Canada has had a federal privacy law for more than two decades – the Personal Information Protection and Electronic Documents Act (PIPEDA) dates back to 2000 – but it is now attempting, for a second time, to raise the stakes considerably with Bill C-27, which currently includes three main pillars:

  • The Consumer Privacy Protection Act (CPPA), designed to ensure consumers have a greater degree of privacy and control over their personal information.

  • The Personal Information and Data Protection Tribunal Act, which creates a new enforcement body for the CPPA – one that will have the authority to impose large penalties for noncompliance.

  • The Artificial Intelligence and Data Act (AIDA), which creates new requirements for algorithmic transparency and automated decision-making in response to emerging AI-based uses of personal information.


The new legislation was introduced in 2022, is currently under debate, and is tentatively expected to be enacted this year, pending further review in committee. This comes on the heels of changes to the private sector privacy act in Quebec, and reviews of the private sector privacy laws in Alberta and British Columbia.


Canada is part of a worldwide shift to strengthening privacy and trust

The new law would effectively replace PIPEDA and demand a new level of compliance rigor from Canadian companies and companies doing business in Canada. Bill C-27 also puts Canada squarely in the mainstream of contemporary data privacy law, which began in 2016 with the landmark General Data Protection Regulation (GDPR) in the European Union – considered by some to be the most rigorous privacy and security law in the world. Other statutes have followed, including the California Privacy Rights Act (CPRA), which added new privacy protections to the California Consumer Privacy Act (CCPA).

Where PIPEDA was based on principles and guidance, Canada’s new legislation is based on more explicit and much more stringent requirements for the collection, use, and disclosure of personal information. Under Bill C-27, companies that collect personal information from Canadian consumers must be aware of several key provisions:

  • Collection, use, and disclosure of personal information generally requires consent, obtained expressly unless it is appropriate to rely on implied consent. You must tell consumers what data you want, why you want it, and how it will be used, and the language used to obtain consent must be clear and unambiguous.

  • Automated collection of email addresses and other information is much more restricted.

  • Data minimization will be the law of the land. Companies will be required to limit the personal information they collect to what is necessary for the purposes they have identified.

  • Consumers will have new rights to access and correct their personal information, to withdraw their consent to its use, and to have their data deleted.

  • Consumers also have the right to data portability – to transfer information to a new organization (for example, when switching to a new service provider).


Perhaps even more significantly, Bill C-27 would substantially amend the existing enforcement framework through the Personal Information and Data Protection Tribunal Act. The Tribunal would be empowered to impose substantial administrative monetary penalties for noncompliance: up to 3% of your worldwide annual revenue or CAN$10 million, whichever is higher. Furthermore, failing to report a data breach and other more serious offences could lead to fines of up to 5% of global revenue or CAN$25 million, whichever is higher. Affected individuals would also have a private right of action to sue for damages.

The third pillar of Bill C-27, the Artificial Intelligence and Data Act, mandates “increased transparency” for algorithms and AI systems. In other words, you must be prepared to explain how your AI system arrived at a recommendation or decision based on a user’s personal data.


What to do now

Consumers and governments are right to be concerned about privacy and data protection, and their expectations and legal frameworks around these issues will continue to evolve. I believe that Economist headline about data as “the new oil” was essentially right, but today, building trust with the suppliers of data – consumers – has become more important than ever.

Of course, it’s possible – perhaps even likely – that the CPPA and related components of Bill C-27 will evolve as the Canadian Parliament continues to debate the legislation. Nonetheless, now is an excellent time for companies doing business in Canada to look at the implications of this more stringent approach to privacy and the collection, use, and disclosure of personal information – and not just because it would be expensive not to do so. A key part of your motivation should be the desire to win the long-term trust of your consumers, and we believe that a strong focus on, and respect for, privacy and privacy protection is the way to win that trust.


How OneTrust can help

Companies doing business in Canada can use OneTrust to comply with Bill C-27. Our Consent & Preference Management, Privacy Rights Automation, and Digital Policy Management solutions, along with our DataGuidance Research, help companies worldwide manage the collection, protection, and transferability of personal information.

To see how OneTrust can help you navigate Bill C-27, request a free trial today.
