Bill C-36: The New Canadian Privacy Law Every Website Owner Must Know
Bill C-36 (PPCDA) is rewriting privacy law in Canada. Discover what it means for your website, when it takes effect, and exactly what you need to do before the Digital Safety and Data Protection Commission starts enforcing it.
📌 Published: June 16, 2026 | Status: Bill C-36 at First Reading in the House of Commons (June 15, 2026) | Full Enforcement: Estimated 18+ months after Royal Assent
The Digital Landscape Just Changed in Canada
On June 15, 2026, Canada entered a new era of digital regulation. The federal government tabled Bill C-36 — the Protecting Privacy and Consumer Data Act (PPCDA) — the most significant overhaul of private-sector privacy law in over 25 years. If you own a website, run an online business, collect customer data, use analytics, or process payments online, this law directly affects you.
At siteweb247.com, we know Canadian businesses need clarity, not legal complexity. This guide breaks down exactly what Bill C-36 means, what's changing, and — most importantly — what you need to do right now to protect your business and your customers' privacy.
Why Now? Why Bill C-36?
Canada's current privacy law — PIPEDA — was written in 2000. Think about that. It predates the iPhone, social media, e-commerce at scale, artificial intelligence, and everything that defines the modern digital economy. When PIPEDA was written, nobody was tracking users across websites with pixel-based advertising, nobody was using machine learning to predict behavior, and children's personal data wasn't being harvested and resold as a commodity.
The digital world has transformed beyond recognition. The law simply hasn't kept pace.
"Canada's privacy law has not been significantly updated in over 25 years. It predates the iPhone, social media, and AI." — Honourable Evan Solomon, Minister of Artificial Intelligence and Digital Innovation, June 15, 2026
Bill C-36 is part of a broader digital governance initiative. It sits alongside the Safe Social Media Act (Bill C-34) as a cornerstone of Canada's National AI Strategy: "AI for All" — launched by Prime Minister Mark Carney on June 4, 2026 to position Canada as a global leader in responsible, human-centred artificial intelligence.
What Problem Is Bill C-36 Solving?
The old system had two critical failures:
- Outdated rules. PIPEDA was silent on algorithmic pricing, surveillance-based pricing, deepfakes, children's privacy at scale, and AI-driven personalization — all practices that are routine today.
- Toothless enforcement. The Privacy Commissioner could investigate complaints but couldn't issue binding orders or levy meaningful fines. The result was a framework that gave organizations little incentive to do better.
One practice stands out: surveillance pricing. This is when companies use your browsing history, location, demographic data, or purchase patterns to charge you a higher price for the same product or service than they would charge someone else. Travel booking sites do this. Insurance companies do this. It's already widespread — and it's been perfectly legal under PIPEDA.
Under Bill C-36, it will be banned outright.
The 9 Core Requirements: What the Law Actually Demands
Here are the nine foundational requirements that will apply to your business under the PPCDA. These aren't guidelines — they are legal obligations.
1. Privacy as a Fundamental Right
The PPCDA formally recognizes privacy as a fundamental right for all Canadians. This is a philosophical shift: from privacy as something businesses could accommodate when convenient, to privacy as something organizations are legally obligated to protect from the ground up.
2. Strict Standards for Children's Data
Any organization collecting data from minors must apply significantly stricter rules. Casual data collection from kids, light-touch consent, or bundling children's data into the same framework as adult data — none of it will be acceptable. This applies even if your website isn't specifically targeted at children but is accessible to them.
3. Meaningful Consent & Plain-Language Policies
Goodbye to 40-page legal documents buried in fine print. The PPCDA requires clear, informed, and specific consent explained in language your customers actually understand. Vague or boilerplate policies won't pass inspection.
4. Right to Deletion
Canadians will have the legal right to request deletion of their personal data. Your organization must have a documented, operational process to fulfil these requests within defined timeframes — not just a promise buried in a policy document.
5. Transparency in Automated Decision-Making
If your platform uses algorithms or AI to make significant decisions about individuals — whether it's credit scoring, content filtering, lead scoring, or dynamic pricing — you must disclose that this is happening and provide a meaningful explanation. Silence is non-compliance.
6. Ban on Surveillance Pricing
The law explicitly prohibits using personal data to charge different prices based on browsing behavior, location, or demographic profile. This common practice in e-commerce and travel booking will be illegal under the PPCDA.
7. Data Portability
Canadians will have the right to take their personal data with them when switching services — similar to Europe's GDPR. Organizations must support secure, standardized data transfers.
8. Cross-Border Data Transfer Safeguards
Before transferring personal data outside Canada, organizations must conduct documented privacy risk assessments and implement safeguards. This is critical if you use U.S. cloud services or international SaaS platforms — which most Canadian websites do.
9. Serious Penalties for Non-Compliance
The new Digital Safety and Data Protection Commission can issue fines of up to $10 million or 3% of global revenue (whichever is greater) for standard violations, and up to $25 million or 5% of global revenue for the most serious offences. These are GDPR-scale consequences — and they're coming to Canada.
Who Will Enforce This? The New Digital Safety and Data Protection Commission
Today, the Office of the Privacy Commissioner of Canada (OPC) handles private-sector privacy enforcement. Under Bill C-36, that responsibility shifts to a brand new federal body: the Digital Safety and Data Protection Commission (DSDPC).
This is a significant change. The new Commission will be:
- More powerful. It can issue binding orders, conduct investigations, hold formal hearings, and impose financial penalties — things the current Privacy Commissioner cannot do.
- Broader in scope. The Commission was initially established under Bill C-34 (the Safe Social Media Act) but Bill C-36 expands its mandate to include full private-sector privacy enforcement.
- Deliberately independent. The Commission consists of five members appointed by the Governor in Council and has dedicated resources to investigate complaints, audit organizations, and pursue enforcement.
Government officials have indicated the Commission may take up to 18 months to be fully established after Royal Assent. During this transition period, the current Privacy Commissioner and PIPEDA will remain in effect. But the direction is clear: Canada is serious about enforcing privacy law.
Key Fact: The new DSDPC is being positioned as Canada's "digital super-regulator" — overseeing both online content safety (under Bill C-34) and data privacy (under Bill C-36). This signals that Ottawa is serious about enforcement, not just legislation.
What This Means for Your Website: A Practical Breakdown
If you run a Canadian website or online business, here are the six most important action areas you need to address right now.
🔒 1. Your Privacy Policy Must Be Completely Rewritten
Your existing privacy policy — especially if it was generated by a free online tool or copy-pasted from another site — almost certainly will not meet the new standard. The PPCDA requires:
- Plain language that customers actually understand (not legal jargon)
- Specific descriptions of what data you collect and why
- Clear explanations of how data will be used and shared
- Transparent disclosure if automated decision-making or AI is involved
- Explicit data retention and deletion policies
We strongly recommend working with both a qualified privacy lawyer and your web development team to create a policy that is both compliant and genuinely readable by your customers.
👶 2. If Your Website Reaches Children, Act Now
Any website accessible to minors — even if it isn't specifically marketed to kids — must implement higher data protection standards. This includes:
- Stricter consent flows (parental consent for users under 13 or 16, depending on province)
- No behavioural tracking of children
- Clearly defined data retention limits
- Age-gating controls if applicable
E-commerce sites, educational platforms, community websites, and any service where a child might create an account are especially affected. Don't assume this only applies to children's apps or games.
✅ 3. Cookie Banners and Consent Need a Complete Overhaul
Passive consent is dead. Pre-checked boxes, auto-scrolled acceptance, or vague "by using this site you agree" notices will not be legally valid. Your cookie consent system must be:
- Explicit: Users must actively choose to accept cookies, not have them enabled by default
- Granular: Users should be able to consent to different types of cookies separately (analytics, advertising, functional, etc.)
- Revocable: Users can withdraw consent at any time with one click
This requires a proper Consent Management Platform (CMP) — not just a basic banner. Your web development team needs to implement this before the law takes effect.
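The three properties above (explicit, granular, revocable) can be enforced in code as a default-deny gate in front of every tag. The sketch below is an added example, not code from siteweb247.com or from any CMP product; the category names, the record shape and the tag names are assumptions made for illustration.

```javascript
// Added example. Category names and the record shape are assumptions
// for illustration; this is not a real CMP's API.
const CATEGORIES = ["functional", "analytics", "advertising"];

// Explicit: every category starts as false, so nothing is pre-checked.
function emptyConsent() {
  const choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  return { version: 1, updatedAt: null, choices };
}

// Load a stored record (cookie or localStorage string). Missing, malformed
// or tampered input, and any value that is not strictly true, means "no".
function loadConsent(raw) {
  const consent = emptyConsent();
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return consent; }
  if (!parsed || parsed.version !== 1) return consent;
  if (typeof parsed.choices !== "object" || parsed.choices === null) return consent;
  for (const c of CATEGORIES) consent.choices[c] = parsed.choices[c] === true;
  if (typeof parsed.updatedAt === "string") consent.updatedAt = parsed.updatedAt;
  return consent;
}

// Granular: record the user's decision for one category at a time.
function setChoice(consent, category, granted, now = new Date()) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  const choices = { ...consent.choices, [category]: granted === true };
  return { ...consent, updatedAt: now.toISOString(), choices };
}

// Revocable: a single call withdraws every category.
function revokeAll(now = new Date()) {
  return { ...emptyConsent(), updatedAt: now.toISOString() };
}

// Gate: only tags whose category was opted into may load. A tag with an
// unknown category is blocked rather than allowed.
function allowedTags(consent, tags) {
  return tags.filter((t) => consent.choices[t.category] === true).map((t) => t.name);
}

// Constructed sample tag inventory (names are hypothetical).
const SAMPLE_TAGS = [
  { name: "chat-widget", category: "functional" },
  { name: "page-analytics", category: "analytics" },
  { name: "ad-pixel", category: "advertising" },
  { name: "mystery-script", category: "unclassified" },
];

let consent = loadConsent(undefined);               // first visit
consent = setChoice(consent, "analytics", true);    // user ticks one box
console.log(allowedTags(consent, SAMPLE_TAGS));
console.log(allowedTags(revokeAll(), SAMPLE_TAGS));
```

In a real page, the tag loader would call `allowedTags` before injecting any script, and again after every consent change, so that a withdrawal takes effect without waiting for the next visit.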
🗑️ 4. Build a Data Deletion Workflow
When a customer asks you to delete their personal information, you need a documented, operational process to do it. This spans:
- Your customer database and CRM
- Email marketing lists
- E-commerce platforms and order history
- Analytics and tracking tools
- Every third-party tool that stores customer data
Most websites weren't built with data management in mind. This is likely a significant gap that requires both technical and organizational work.
🌐 5. Audit Every Third-Party Tool You Use
Google Analytics, Facebook Pixel, HubSpot, Mailchimp, Shopify, Stripe, Typeform — if a tool collects Canadian user data, it needs to be reviewed against the new standard.
Transferring data to U.S. or international servers now requires a documented privacy risk assessment. Your web developer needs to:
- Inventory all third-party tools and integrations
- Assess each one's privacy practices and data location
- Document the business justification for each tool
- Implement appropriate safeguards if data goes international
This is not optional — it's a core compliance requirement.
🤖 6. Disclose Automated Decision-Making and Personalization
If your website uses AI-powered product recommendations, dynamic pricing, lead scoring, content personalization, or any algorithmic decision-making, you must disclose this clearly — not buried in fine print. Users have the right to know when an algorithm is deciding something about them.
When Does Bill C-36 Take Effect?
This is important: Bill C-36 was introduced at first reading on June 15, 2026. Before it becomes law, it must pass:
- Second reading and debate in the House of Commons
- Committee review (clause-by-clause)
- Third reading vote in the House of Commons
- All three readings in the Senate
- Royal Assent
Parliament typically rises for its summer recess soon after the date on which the bill was introduced, so significant advancement is unlikely before fall 2026. After Royal Assent, there will be a phased transition period — potentially 18 months — before full enforcement under the new Commission begins.
But here's the critical part: The compliance work you need to do — updated privacy policies, upgraded consent systems, data deletion workflows, third-party audits — all take significant time and resources to implement correctly. Businesses that begin planning and acting today will be far better positioned than those who wait until Royal Assent. Proactive compliance also builds customer trust and signals that you take privacy seriously — a real competitive advantage.
Frequently Asked Questions
Q: Does Bill C-36 apply to small businesses?
A: Yes. The PPCDA applies to every organization collecting personal information in commercial activities — regardless of size. Small businesses aren't exempt, but the Commission is required to consider their needs and resources when applying standards.
Q: My website is hosted in the U.S. — does Canadian law still apply?
A: Yes. If you're collecting data from Canadians, Canadian privacy law applies to you regardless of where your servers are located. Moreover, transferring Canadian data to international servers requires a documented privacy risk assessment under the PPCDA.
Q: How is Bill C-36 different from Europe's GDPR?
A: Both laws share a similar philosophy — privacy as a fundamental right, meaningful consent, right to deletion, data portability. However, the PPCDA is tailored to Canada's context and is specifically designed to work with the new National AI Strategy. Notably, the PPCDA explicitly addresses surveillance pricing — something the GDPR does not.
Q: My privacy policy is from 2018. Will it pass inspection?
A: Almost certainly not. The PPCDA requires plain-language explanations, specific and granular consent descriptions, transparency about automated decision-making, and clear data retention and deletion policies. A thorough audit is strongly recommended in partnership with a privacy lawyer.
Q: When should I start making changes?
A: Now. Even though Royal Assent hasn't happened yet, the compliance work takes meaningful time. Businesses that start planning and implementing today will be far better positioned — and will have documented good-faith compliance efforts if regulators ever audit them.
How Site Web 24/7 Can Help You Navigate Bill C-36
At siteweb247.com, we specialize in building websites that are not just visually compelling and conversion-focused, but also technically sound, future-ready, and built with privacy compliance as a foundational principle — not an afterthought.
Our team helps Canadian businesses with the full technical side of PPCDA compliance:
- Privacy policy integration and architecture
- Consent Management Platform (CMP) implementation
- GDPR/PPCDA-ready data handling frameworks
- Third-party tool audits and risk assessments
- Data deletion workflow design
- Comprehensive website compliance reviews
We understand how data flows through your forms, analytics, e-commerce platform, CRM, and integrations. We can identify exactly where your gaps are and what needs to change.
Important disclaimer: siteweb247.com is a web design and development agency, not a law firm. For legal interpretation of the PPCDA or specific legal obligations, you need a qualified Canadian privacy lawyer. But for everything that lives in your codebase, CMS, cookie banner, CRM integration, and website architecture, we're your technical partner.
Ready to get your website PPCDA-ready before the law takes effect? Contact the Site Web 24/7 team today for a free compliance review of your current website. We'll identify your gaps and build a clear roadmap forward — so you're prepared, not panicked, when the Digital Safety and Data Protection Commission starts enforcing.
The Bottom Line: Privacy Is Now Your Competitive Advantage
Bill C-36 isn't a threat to Canadian businesses — it's an opportunity. The organizations that get ahead of this legislation will:
- Build deeper trust with their customers
- Create more transparent and honest digital experiences
- Avoid costly compliance failures and regulatory penalties
- Stand apart in an increasingly crowded online marketplace
Privacy-first web design is not a niche or a trend — it's the direction the entire industry is heading. Canada is now formally joining the global movement toward stronger, more meaningful digital rights. The businesses that lead on this will be remembered as trustworthy. The ones that lag behind will face both legal risk and reputational consequences.
The rules of the digital economy are being rewritten right now — and your website is at the centre of it. Whether you're a Montreal boutique, a Toronto e-commerce brand, a Vancouver service firm, or a business anywhere across Canada, the PPCDA will affect how you operate online.
Site Web 24/7 is here to help you navigate every step of this transition with confidence, clarity, and the technical expertise to get it right. The future of the web belongs to businesses that earn — and deserve — their customers' trust. Let's build that together.
📌 Article Update Notice: This article reflects the status of Bill C-36 as of June 16, 2026 — the day following its introduction at first reading in the House of Commons. We will update this guide as the bill advances through Parliament, receives committee amendments, and progresses toward Royal Assent. Bookmark this page and check back regularly for updates.
This article is published for informational purposes only and does not constitute legal advice. For guidance on your specific legal obligations under Bill C-36 or the PPCDA, please consult a qualified Canadian privacy lawyer.