Bill C-27, also known as the Consumer Privacy Protection Act (CPPA), is a proposed federal Canadian law that, once passed, will replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and establish a new, more rigorous private-sector privacy framework. It introduces enhanced individual rights over personal data, stricter consent requirements, substantial new fines (up to 5% of global revenue or CAD $25 million, whichever is higher), and a new enforcement regime under the Office of the Privacy Commissioner of Canada (OPC), including the power to issue administrative monetary penalties.
What Is Bill C-27, the Consumer Privacy Protection Act (CPPA)?
Bill C-27, formally titled the Digital Charter Implementation Act, 2022, is a comprehensive legislative package that would overhaul Canada’s federal private-sector privacy law. Its primary component is the Consumer Privacy Protection Act (CPPA), which is designed to replace PIPEDA’s Part 1 with a modernized framework that more closely resembles the European Union’s General Data Protection Regulation (GDPR) and U.S. state laws such as the California Consumer Privacy Act (CCPA/CPRA). While Bill C-27 has not yet received Royal Assent, it has passed the House of Commons and is currently before the Senate, with broad industry expectation that it will become law in some form.
The Bill creates three new statutes: the CPPA (privacy), the Personal Information and Data Protection Tribunal Act (Tribunal), and the Artificial Intelligence and Data Act (AIDA). For Canadian organizations currently subject to PIPEDA, the shift to the CPPA represents the most significant regulatory change in a generation, demanding immediate preparation rather than a wait-and-see approach.
Key Takeaway: Bill C-27 (CPPA) is Canada’s answer to GDPR — stronger individual rights, higher fines (5% of global revenue), mandatory private right of action, and new rules for automated decision-making. Preparation is essential now, before final passage.
What Changes Does the CPPA Introduce Compared to PIPEDA?
The CPPA retains many of PIPEDA’s ten fair information principles but elevates them with more prescriptive requirements, tougher enforcement, and new individual rights. Key changes include:
- Stronger Consent: The CPPA requires “valid consent” — meaning organizations must ensure individuals understand what they are consenting to. It prohibits conditioning the provision of a service on consent to collect data not necessary for the service.
- New Individual Rights: The CPPA introduces a right to data portability, a right to withdraw consent, a right to request deletion, and a new right to an explanation of automated decision-making that significantly affects an individual.
- Private Right of Action: Individuals and the Tribunal can seek compensation for damages, including for violations of the CPPA. This is a major shift from PIPEDA, which provided no private right of action for breach of privacy.
- Administrative Monetary Penalties: The OPC can levy fines up to the greater of CAD $25 million or 5% of the organization’s global gross revenue for the most serious violations (e.g., knowingly violating consent or data protection requirements).
- Data Protection Officers: The CPPA mandates that organizations designate a person responsible for compliance (a Data Protection Officer or Privacy Officer) and have a written privacy management program.
- Algorithmic Transparency: Organizations using automated decision systems must be transparent about how they work and the factors that influence decisions.
- Data Breach Notification: The CPPA expands the breach notification requirements, with a 30-day notification window to the OPC and affected individuals for breaches posing a real risk of significant harm.
Who Must Comply with the CPPA?
The CPPA applies to every organization that collects, uses, or discloses personal information in the course of commercial activities in Canada. This includes private-sector businesses, non-profit organizations, and federal works, undertakings, and businesses. There is no exemption based on revenue or number of employees — every organization that handles the personal information of individuals in Canada must comply. Organizations subject to provincial privacy legislation that is deemed “substantially similar” (such as Quebec’s Law 25, British Columbia’s PIPA, and Alberta’s PIPA) may be exempt from the CPPA with respect to intra-provincial activities, but the CPPA will apply to inter-provincial and international data transfers.
Is Your Privacy Program Ready for Bill C-27?
The CPPA’s expanded requirements demand more than a policy refresh — they require a documented privacy management program, consent workflows, and breach response plans. CyberSilo’s Compliance Standards Automation helps Canadian organizations map obligations, build controls, and demonstrate readiness long before the law takes effect.
What Are the Penalties for Non-Compliance with the CPPA?
The CPPA establishes a two-tier penalty system. For the most serious offences, such as knowingly violating a consent requirement or failing to implement technical safeguards, the OPC can issue an administrative monetary penalty (AMP) of up to the greater of CAD $25 million or 5% of the organization’s global gross revenue. For less serious violations, the maximum penalty is CAD $10 million or 3% of global gross revenue. Additionally, the new Tribunal can order organizations to take corrective measures, compensate affected individuals, and pay compliance costs. The addition of a private right of action means that individuals and groups can also sue for damages in Federal Court, including for breach of privacy, which increases litigation risk significantly.
When Will Bill C-27 Become Law?
Bill C-27 was introduced in the House of Commons on June 16, 2022. It passed third reading in the House on April 24, 2024, and is currently at the second reading stage in the Senate. The legislative process includes committee review and further readings. While there is no fixed date for passage, it is widely anticipated that the Bill, or a substantially similar version, will receive Royal Assent in 2024 or early 2025. Following Royal Assent, the CPPA will come into force on a date set by Order in Council, likely within 12 to 24 months, allowing organizations a transition period. Per the latest parliamentary calendar, you should plan for compliance obligations to take effect as early as 2026.
How Does the CPPA Relate to Other Canadian Privacy Laws?
The CPPA will not replace provincial privacy laws such as Quebec’s Law 25, British Columbia’s PIPA, or Alberta’s PIPA. Instead, it will apply to federal works, undertakings, and businesses, and to inter-provincial and international data transfers. Organizations that operate in multiple provinces or across borders will need to comply with both the CPPA and applicable provincial laws. The OPC will continue to enforce the CPPA, while provincial privacy commissioners (e.g., the Commission d’accès à l’information du Québec) enforce their own laws. The CPPA also interacts with the Artificial Intelligence and Data Act (AIDA), also part of Bill C-27, which imposes new obligations on “high-impact” AI systems. For a deeper understanding of how these frameworks overlap, see our Bill C-27 (CPPA and AIDA) readiness guide.
How to Prepare for the CPPA: A Step-by-Step Guide
Preparation now, before the CPPA becomes law, is critical. Organizations that wait risk scrambling to implement new consent mechanisms, data mapping, and breach response plans under pressure. The following steps mirror the phases of a Canada cybersecurity compliance readiness program.
Conduct a Data Inventory and Mapping Exercise
Identify all personal information your organization collects, uses, discloses, and stores. Map the lifecycle of each data element: collection purpose, legal basis (consent, legitimate interest, etc.), storage location, retention period, third-party sharing, and disposal. This inventory is the foundation for your privacy management program and for responding to individual rights requests.
Review and Update Consent Mechanisms
Ensure your consent requests are specific, clear, and separate from terms of service. Remove any practices that condition service on consent to collect data not necessary for the service. Implement mechanisms for granular consent (opt-in, opt-out for different processing purposes) and for individuals to withdraw consent easily.
Implement a Privacy Management Program
The CPPA requires a documented program that includes policies, procedures, training, and monitoring. Designate a Data Protection Officer (DPO) or equivalent. Develop a written privacy policy, a breach response plan, a data retention schedule, and a process for handling individual rights requests (access, correction, deletion, portability, withdrawal of consent).
Prepare for the Private Right of Action
Review your entire data handling lifecycle through a litigation lens. Document all data processing activities, consent records, and breach response actions. Maintain an audit trail of compliance decisions. Ensure your cyber insurance policy covers regulatory fines and litigation arising from privacy breaches.
Strengthen Breach Notification Capabilities
Develop a 30-day breach notification protocol that integrates with your SOC or incident response team. Implement tools to detect, assess, and report breaches that pose a “real risk of significant harm” to the OPC and affected individuals. Test your response plan through tabletop exercises.
Automate Your Bill C-27 Readiness
CyberSilo’s Compliance Standards Automation maps your controls to the CPPA’s requirements, automates evidence collection, and provides a continuous compliance posture. Start your readiness assessment today.
Frequently Asked Questions About Bill C-27 (CPPA)
What Is the Difference Between PIPEDA and the CPPA?
PIPEDA is Canada’s current federal private-sector privacy law. The CPPA would replace Part 1 of PIPEDA and introduce stronger individual rights (portability, deletion, algorithmic transparency), a private right of action, higher fines (up to 5% of global revenue or CAD $25 million), mandatory privacy management programs, and a new enforcement tribunal. PIPEDA has no private right of action and lower maximum penalties (CAD $100,000 per violation).
Does the CPPA Apply to My Small Business?
Yes. The CPPA applies to every organization that collects, uses, or discloses personal information in the course of commercial activities in Canada, regardless of size. There is no small business exemption. However, the OPC has indicated it will take a proportionate approach to enforcement based on an organization’s resources and the nature of its data processing.
What Is the Artificial Intelligence and Data Act (AIDA)?
AIDA is a companion statute within Bill C-27 that would regulate “high-impact” artificial intelligence systems. It requires organizations to assess and mitigate risks of bias, harm, and discrimination from AI systems that affect Canadians. AIDA is overseen by the Minister of Innovation, Science and Industry and the Artificial Intelligence and Data Commissioner. It interacts with the CPPA where AI systems use personal information.
How Do I Report a Data Breach Under the CPPA?
The CPPA requires organizations to report a data breach to the OPC and notify affected individuals if the breach poses a “real risk of significant harm” to the individual. This includes risks of bodily harm, humiliation, reputational damage, identity theft, or financial loss. The notification must occur “as soon as feasible” and within 30 days of the breach being detected. Organizations must also keep records of all breaches for a specified period.
Our Conclusion & Recommendation
Bill C-27 (CPPA) is not a question of if but when. Canadian organizations that act now — by conducting data inventories, updating consent mechanisms, implementing privacy management programs, and automating compliance — will gain a significant competitive and risk-management advantage. The CPPA represents a fundamental shift from a principles-based to a rules-based enforcement model, with real financial and legal consequences for non-compliance. Waiting for the law to pass is no longer a viable strategy.
CyberSilo’s Compliance Standards Automation platform is purpose-built to help Canadian organizations operationalize their CPPA readiness. We map your controls to the CPPA’s obligations, automate evidence collection for consent, breach notification, and individual rights requests, and provide a continuously updated compliance posture. Explore how automated compliance can de-risk your transition to the CPPA.
Ready to Prepare for Bill C-27?
Contact our team for a compliance assessment tailored to your organization’s data footprint and risk profile.
