PIPEDA vs. Bill 25 vs. CPPA: A Plain-English Compliance Map for Canadian AI Teams

PIPEDA vs. Bill 25 vs. CPPA: A Plain-English Compliance Map for Canadian AI Teams
PIPEDA vs. Bill 25 vs. CPPA: A Plain-English Compliance Map for Canadian AI Teams

This is general information, not legal advice. For anything contract- or project-specific, talk to a privacy lawyer.

Ask five people on a Canadian compliance team which privacy law governs their AI project, and you'll get five different answers: PIPEDA, Bill 25, "the CPPA," sometimes GDPR because someone read it covers EU users too.

Some of that confusion is structural — Canada genuinely does run overlapping federal and provincial privacy regimes. But some of it is just bad timing. The law everyone calls "the CPPA" never actually made it onto the books. And as of three weeks ago, its replacement has a new name, a new enforcement model, and a new bill number.

Here's where things actually stand in July 2026, and what it means if you're building or deploying AI in Canada right now.

PIPEDA is old, but it's still the law

The Personal Information Protection and Electronic Documents Act has governed private-sector data handling federally since 2000, and — this is the part that trips people up — it's still the operative federal law today. Twenty-six years old, still running.

PIPEDA is principles-based rather than prescriptive: ten fair information principles (consent, limiting collection, accuracy, safeguards, and so on) instead of a detailed rulebook. It applies everywhere in Canada except provinces with their own "substantially similar" private-sector law — currently Quebec, British Columbia, and Alberta.

The part that matters most for AI teams: PIPEDA doesn't require Canadian data residency. You can process data across borders as long as the receiving party provides comparable protection and your organization stays accountable for what happens to it afterward.

Enforcement, though, is soft. The Privacy Commissioner can investigate and publish findings and recommendations, but has no power to issue binding orders or levy fines. That gap — a regulator with a bark but no bite — is the exact thing federal reform has been trying to fix since 2020, through three separate bills now.

If your product has users outside Quebec, BC, or Alberta, PIPEDA is your governing framework, full stop.

Quebec's Law 25 is stricter than anything else in force

Quebec's Act to modernize legislative provisions as regards the protection of personal information — Law 25, formerly Bill 64 — rolled out in three phases between September 2022 and September 2024. It's currently the toughest privacy regime in Canada, arguably tougher in places than GDPR.

Where PIPEDA leans on implied consent, Law 25 requires clear, opt-in consent for sensitive information. It also requires:

  • Privacy impact assessments before launching any project involving systematic processing of personal information — AI systems included
  • Privacy impact assessments before transferring personal information outside Quebec
  • Data portability rights for individuals
  • The right to an explanation when an automated system makes a decision affecting someone — directly relevant to any AI feature that scores, ranks, or predicts something about a person

The penalties aren't symbolic. Quebec's regulator, the CAI, can levy administrative monetary penalties up to $10 million or 2% of worldwide turnover, and penal fines up to $25 million or 4%, whichever is greater in each case.

For any AI product with a national user base, Law 25 is the de facto floor. It's stricter than PIPEDA in almost every dimension, and if you're building to satisfy Quebec, you're building to satisfy the rest of the country too.

The CPPA never happened. Here's what replaced it — twice.

Most compliance write-ups from before mid-2026 are already out of date on this point, so it's worth being precise.

The Consumer Privacy Protection Act was Part 1 of Bill C-27, introduced in 2022 to modernize PIPEDA along GDPR-influenced lines: stronger consent standards, real fining and order-making power, a new tribunal for appeals. It made it through committee review — then Parliament was prorogued in January 2025, which killed every bill still on the order paper, CPPA included.

A snap federal election that April pushed reform further down the list. For most of 2025, there was no federal reform bill in progress at all. Just PIPEDA, unchanged, and a government promising something "soon."

That changed on June 15, 2026, when Minister of Artificial Intelligence and Digital Innovation Evan Solomon tabled Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA) — the third attempt at this reform in six years.

It keeps most of the old CPPA's substance: similar consent standards, an "appropriate purpose" test, comparable penalty structure. But two things are genuinely different this time:

  • No standalone AI regulation. The AI-specific rules that helped sink the earlier bill are gone. Automated decision-making gets addressed within the privacy framework instead of a separate AI statute.
  • A new regulator, not a new tribunal. Enforcement moves to a newly created Digital Safety and Data Protection Commission of Canada, which also absorbs enforcement duties from the separate Digital Safety Act. The Office of the Privacy Commissioner would be left with authority only over the public sector — a real reduction in its role that's already drawing criticism from privacy advocates.

On penalties, there are two tiers: administrative monetary penalties up to $10 million or 3% of global revenue, and fines up to $25 million or 5% of global revenue for the most serious offences — whichever figure is greater in each case.

Bill C-36 is currently at first reading. Parliament rose for summer recess on June 18, 2026, and is scheduled to resume September 21, with Second Reading expected in the fall. It won't come into force until the Digital Safety and Data Protection Commission itself is stood up under a separate bill, Bill C-34 — so this is a multi-step process, not a switch that flips. Worth tracking, but not yet something to build a compliance program around.

What this means if you're shipping an AI product today

Until C-36 actually passes and the new Commission exists, the real compliance baseline is:

  • PIPEDA, federally
  • Law 25, if there's any realistic chance a Quebec resident touches your product — which describes almost any product with national reach

Building to that combined baseline now does double duty. It covers what's legally required today, and because C-36 borrows heavily from the same CPPA-era concepts, it'll likely satisfy most of what the new law eventually requires too.

Both regimes converge hardest on one question: cross-border data transfer. PIPEDA's "comparable protection" standard and Law 25's consent-and-PIA requirement for out-of-province transfers are both a lot easier to satisfy when the data and the processing never leave Canadian jurisdiction in the first place.

That's the practical case for sovereign compute and storage — it doesn't replace legal review, but it removes an entire category of cross-border questions before they ever show up in a privacy impact assessment, regardless of how the federal reform timeline plays out.

Learn more at