CanucktAI

CPPA / Bill C-27

Consumer Privacy Protection Act (Bill C-27, Part 1)

Canada's GDPR-equivalent — the biggest privacy law reform in 20 years

Overview

Bill C-27 will replace PIPEDA with the Consumer Privacy Protection Act — dramatically increasing penalties, adding algorithmic transparency rights, establishing an independent Privacy Tribunal, and introducing strict rules for AI-generated decisions. CPPA brings Canadian federal privacy law closer to GDPR standards while adding Canadian-specific provisions.

Authority: Office of the Privacy Commissioner of Canada + new Privacy Tribunal
Jurisdiction: Federal — Canada (pending)
Effective date: Pending Royal Assent (expected 2026)

Applicability

Who must comply with CPPA / Bill C-27?

All private-sector organizations currently subject to PIPEDA will be subject to CPPA upon Royal Assent. The transition period is expected to give organizations 1-2 years to comply. Organizations should prepare now — especially those using AI or engaging in automated decision-making.

Compliance scope
Your organization collects personal information
You operate in the applicable jurisdiction
Commercial activities are involved
You use or disclose personal data


Requirements

Key obligations under CPPA / Bill C-27

Algorithmic Transparency

Individuals have the right to an explanation of any automated decision that affects them significantly — and to challenge it.

Withdrawal of Consent

Individuals can withdraw consent at any time. You must stop using their information and delete it, with limited exceptions.

Data Portability

Transfer personal information to another organization at the individual's request in a technology-neutral, interoperable format.

Disposal Obligation

Dispose of personal information once it is no longer needed for its original purpose — no indefinite retention.

De-identification

New rules for when de-identified data can be used and what constitutes adequate de-identification under CPPA.

Children's Privacy

Heightened protections for children's personal information — stricter consent and purpose limitation requirements.

Enforcement

Penalties & enforcement

Maximum penalty: $25M CAD or 5% of global revenue
Enforced by: New Personal Information and Data Protection Tribunal
Notable case: Penalties are 25× higher than current PIPEDA maximums — comparable to GDPR enforcement levels

How Canuckt keeps you penalty-free:
CPPA readiness assessment benchmarked against CPPA draft text so you're prepared before Royal Assent
Automated decision-making inventory and transparency notice generator for CPPA algorithmic rights
De-identification policy builder aligned with anticipated CPPA de-identification standards
Side-by-side PIPEDA → CPPA gap analysis showing exactly what you'll need to change

Run a free CPPA / Bill C-27 gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with CPPA / Bill C-27 — in under 3 hours. Free forever.
