CanucktAI
Research report

The State of Canadian AI Compliance 2026

A founder’s field report on where Canadian AI regulation actually stands in 2026 — the law that died, the laws still standing, the foreign rules already reaching in, and the widening gap between how fast Canadian businesses adopt AI and how slowly they govern it.

By Vivek Chakravarthy · 2026-07-12

Key findings

  • 1Canada has no in-force AI-specific law. Bill C-27 — which carried the proposed Artificial Intelligence and Data Act (AIDA) — died on the Order Paper when Parliament was prorogued on January 6, 2025, and the government has confirmed AIDA will not return in its old form.
  • 2The rules that actually bind Canadian businesses today are the ones that already existed: PIPEDA federally, Quebec’s Law 25 (fully in force since September 22, 2024, with penalties up to $25M or 4% of worldwide turnover), plus BC and Alberta PIPA, PHIPA and CASL.
  • 3Canadian AI adoption roughly tripled in two years — from 6.1% of businesses in Q2 2024 to 12.2% in Q2 2025 to 19.2% by 2026 (Statistics Canada) — while formal AI governance lagged far behind, opening a measurable governance gap.
  • 4The EU AI Act is already extraterritorial: any Canadian company whose AI output is used in the EU can be caught, with fines up to €35M or 7% of global turnover for prohibited practices — live since February 2025.
  • 5Enforcement has arrived through the privacy door, not an AI statute. The landmark 2026 joint investigation into OpenAI’s ChatGPT (OPC plus Quebec, BC and Alberta regulators) found unlawful data collection under existing privacy law — proof that "no AI law" does not mean "no AI liability".
  • 6Shadow AI is the quiet compliance crisis: independent surveys put internal data leakage through generative AI near half of organizations, while a minority of employees are even aware of a company AI policy.
  • 7The organizations pulling ahead are treating AI governance as an operational discipline — inventory, accountability, risk assessment, monitoring — anchored to voluntary frameworks like ISO/IEC 42001 and the NIST AI RMF, well before any Canadian law forces them to.

Executive summary: the big picture in 2026

Here is the single most important fact about Canadian AI compliance in 2026, and it surprises almost everyone I say it to: Canada does not have an AI law. Not one that is in force. The bill that was supposed to give us one is dead.

For three years the conversation was dominated by Bill C-27 and its centrepiece, the Artificial Intelligence and Data Act (AIDA). Businesses waited. Consultants sold readiness assessments for a statute that had not passed. And then, on January 6, 2025, Parliament was prorogued, the Prime Minister announced his resignation, and every bill on the Order Paper — C-27 included — simply died. AIDA, the proposed federal privacy overhaul, and a new tribunal all went with it. In June 2025, the minister responsible confirmed what most of us already assumed: AIDA is not coming back as drafted.

So if you run a Canadian business using AI, the honest answer to "what AI law must I follow?" is: none, specifically. But that is the trap. The absence of an *AI-specific* statute has been widely misread as an absence of obligation, and that reading is expensive. The laws that already govern data — the Personal Information Protection and Electronic Documents Act (PIPEDA) federally, Quebec’s Law 25, British Columbia and Alberta’s private-sector privacy laws, Ontario’s health-privacy law PHIPA, and Canada’s anti-spam law CASL — apply to AI systems in full. They were written for data, and AI is a data machine. You do not need an AI law to be liable for what your AI does with personal information, and 2026 gave us the clearest proof yet of that.

Meanwhile, the ground shifted underneath everyone. Three forces now define the real compliance picture:

  • Foreign law reaching in. The EU AI Act came into force in August 2024 and its extraterritorial provisions mean Canadian exporters can be bound regardless of the state of Canadian law. Prohibited-practice fines — up to €35 million or 7% of worldwide turnover — have been enforceable since February 2025.
  • Adoption outrunning governance. Statistics Canada data shows business AI use roughly tripled between 2024 and 2026. Very little of that adoption came with a corresponding governance program. That delta is the story of 2026.
  • Enforcement through the privacy door. Regulators did not wait for an AI act. They used the privacy laws they already had. The joint investigation into OpenAI’s ChatGPT, resolved in 2026, is the template for how AI accountability will be enforced in Canada for the next several years.

This report is my attempt, as someone who builds AI-governance and privacy software for a living, to describe the terrain honestly. It is a synthesis of public regulatory sources and published data — not a proprietary survey, and I am transparent about that in the methodology section. Its one original contribution is a practical maturity model, the AI Compliance Readiness framework, that lets you place your own organization on a five-level scale and see the next rung. If you take one thing from the pages that follow, take this: govern for the law that is coming and the foreign law already here, not the Canadian law that isn’t.

The Canadian regulatory landscape: what actually binds you

Let us clear away the fog and list the laws that are genuinely in force in Canada in 2026. None of them is an AI statute. All of them apply to AI.

PIPEDA — still the federal baseline

The Personal Information Protection and Electronic Documents Act remains Canada’s federal private-sector privacy law. It governs the collection, use, and disclosure of personal information in the course of commercial activity across most of the country. Its planned replacement — the Consumer Privacy Protection Act (CPPA), bundled into Bill C-27 alongside AIDA — died with the rest of C-27 at prorogation. So the twenty-year-old, principles-based, consent-centred PIPEDA is still what you answer to federally. Its ten fair-information principles — accountability, consent, limiting collection, accuracy, safeguards, openness, individual access — map directly onto the risks that AI creates: over-collection of training data, opaque automated decisions, inaccurate outputs about real people. PIPEDA does not mention AI once. It does not have to.

Quebec Law 25 — the toughest game in the country

Quebec’s Law 25 (formerly Bill 64) is the most demanding privacy regime in Canada and, functionally, the closest thing we have to a GDPR-grade law. It rolled out in three annual phases and reached full force on September 22, 2024, when the right to data portability took effect. Law 25 requires a designated privacy officer, mandatory confidentiality-incident reporting to the Commission d’accès à l’information (CAI), privacy impact assessments for systems handling personal information, privacy by default, and — crucially for AI — transparency and rights around automated decision-making. If a decision about someone is made exclusively by automated processing, they have the right to be informed and to have it reviewed.

The penalties are what make Law 25 impossible to ignore. The CAI can levy administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines can reach $25 million or 4% of worldwide turnover, whichever is greater. Those are GDPR-scale numbers, and they apply to any enterprise carrying on business in Quebec — not just Quebec-headquartered ones.

The provincial and sectoral layer

Beyond the federal and Quebec regimes, several other laws bind depending on where and how you operate:

  • British Columbia PIPA and Alberta PIPA — substantially-similar private-sector privacy laws that displace PIPEDA for organizations operating wholly within those provinces. Both figured directly in the 2026 ChatGPT investigation.
  • PHIPA (Ontario) and equivalent provincial health-privacy laws — govern personal health information, which sharply raises the stakes for any AI touching clinical or patient data.
  • CASL — Canada’s Anti-Spam Legislation governs commercial electronic messages and has real teeth. AI-generated or AI-personalized outbound messaging does not escape it.

Who must comply

If you…Then you are bound by…
Handle personal data in commercial activity anywhere in CanadaPIPEDA (or the substantially-similar provincial law)
Carry on an enterprise in QuebecLaw 25 — regardless of where you are headquartered
Operate wholly within BC or AlbertaBC PIPA / Alberta PIPA
Touch personal health information in OntarioPHIPA
Send commercial electronic messages to CanadiansCASL
Make automated decisions about individualsLaw 25 ADM rules; PIPEDA accountability + accuracy
Sell or deploy AI whose output reaches the EUEU AI Act (see next section)

The pattern is clear. There is no single door marked "AI compliance" in Canada. There are five or six doors marked "privacy", "health data", "anti-spam", and "automated decisions", and your AI has to walk through all of them.

The AI rules already reaching Canada

If Canada has no AI law, why are serious Canadian companies building AI governance programs right now? Because the rules that will shape their obligations already exist — they just were not written in Ottawa.

The EU AI Act is extraterritorial, and it is live

The EU AI Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024 and phases in over three years. Its reach does not stop at Europe’s borders. Like the GDPR before it, the Act applies to providers and deployers outside the EU when the output of their AI system is used within the EU. A Halifax software company whose model scores loan applications for a European client, a Montreal SaaS vendor whose AI feature is used by EU customers — both can be caught.

The timeline every Canadian exporter should have on the wall:

  • February 2, 2025 — prohibited AI practices (social scoring, certain biometric categorization, manipulative systems) became enforceable. These carry the top fine tier: up to €35 million or 7% of worldwide annual turnover.
  • August 2, 2025 — obligations for general-purpose AI (GPAI) models took effect, along with governance and penalty machinery.
  • August 2, 2026 — the big one: obligations for high-risk AI systems under Annex III begin to apply (employment, credit, essential services, and more).
  • August 2, 2027 — remaining high-risk categories and legacy GPAI models must be in compliance.

For a Canadian company, the practical takeaway is that the EU AI Act may be your binding AI regulation long before any domestic one exists. Our EU AI Act guide breaks the obligations down by role and risk tier.

AIDA’s limbo, and the voluntary bridge

With AIDA dead, the federal government’s only live AI-governance instrument is soft law: the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, launched by ISED in September 2023. It commits signatories — more than two dozen organizations including Canadian and global firms — to principles of accountability, safety, fairness and equity, transparency, human oversight, and validity and robustness. It was explicitly designed as a bridge to AIDA. The bridge now leads to nowhere in particular, but the principles remain a credible statement of the federal government’s expectations, and signing on is a visible good-faith signal.

The standards filling the vacuum

Where hard law is absent, standards do the work. Two matter most:

  • ISO/IEC 42001:2023 — the world’s first AI management system standard, published in December 2023. It is to AI what ISO 27001 is to information security: a certifiable, auditable management-system framework covering AI policy, roles, risk and impact assessment, lifecycle controls, and continual improvement. Because it is independently certifiable, it is quickly becoming the currency of AI trust in procurement. Our ISO 42001 guide walks through what implementation actually involves.
  • NIST AI Risk Management Framework (AI RMF 1.0)released by the U.S. National Institute of Standards and Technology in January 2023, organized around four functions: Govern, Map, Measure, and Manage. Its July 2024 Generative AI Profile (NIST AI 600-1) adds twelve generative-AI-specific risk categories. It is voluntary and free, and it pairs naturally with ISO 42001 — NIST for the risk vocabulary, ISO for the management system.

The strategic reading is straightforward. A Canadian organization that builds its AI governance on ISO 42001 and the NIST AI RMF today is not gambling on which Canadian law eventually passes. Those frameworks already anticipate the substance of the EU AI Act and of any plausible successor to AIDA. You are building to the standard, not to the statute, and the standard is portable.

The governance gap: adopting faster than we can govern

This is the section I care about most, because it is where the real risk in Canada lives in 2026. It is not a gap between our law and Europe’s. It is the gap between how fast Canadian businesses are adopting AI and how slowly they are governing it.

Adoption is accelerating — fast

Statistics Canada has been asking Canadian businesses the same question since 2024: did you use AI to produce goods or deliver services in the past twelve months? The trend line is steep:

Tripling in two years is a genuine transformation of how Canadian firms operate. And that number understates real usage, because it captures *organizational* adoption, not the far larger volume of employees using AI tools on their own initiative.

Governance is not keeping pace

Here is the asymmetry. Adoption is an executive decision that can happen in a quarter. Governance — an AI inventory, a use policy, risk assessments, human-oversight rules, monitoring — is an operational program that takes many quarters to stand up. So the two curves diverge, and the space between them is where incidents happen.

The clearest evidence of the gap is the shadow AI phenomenon: employees using generative AI tools that their employer has not sanctioned, often pasting confidential or personal information into consumer chatbots. The published numbers vary by methodology, but every credible source points the same direction. Cisco’s 2025 research found that nearly half of organizations reported internal data leaking out through generative AI — data that left through employee prompts, not a breach. Other 2025 workforce surveys found a large majority of knowledge workers using AI at work while only a small minority were aware of any official company policy governing it. Gartner reported that most cybersecurity leaders suspect or have evidence of prohibited public GenAI use inside their organizations.

I want to be careful here, because this report’s integrity depends on it: these are third-party surveys with varying samples, not a Canuckt census. But the qualitative signal is unambiguous and it matches what I see in the field every week. Most Canadian organizations do not know what AI is being used inside their own walls. You cannot govern, redact, or risk-assess what you cannot see.

Why the gap is a compliance problem, not just an IT problem

Every one of those unsanctioned prompts is a potential PIPEDA or Law 25 event. Paste a customer’s personal information into a consumer AI tool and you have arguably disclosed personal data to a third party without valid consent, without a safeguard, and without a record. In a Law 25 jurisdiction, that is exactly the kind of confidentiality incident the CAI expects you to log and, if it carries a risk of serious injury, report.

This is the operational heart of AI governance, and it is why the two products I build exist. Valdra is what an organization uses to close the governance side of the gap — to inventory its AI systems, run the impact assessments, assign accountability, and evidence compliance against PIPEDA, Law 25, and the EU AI Act in one place. Shielk closes the data side — detecting and redacting personal information before it ever reaches a model, so that the shadow-AI prompt that would have leaked a customer’s file simply cannot. Neither is a silver bullet. Together they describe the two disciplines the governance gap actually requires: see and control your AI, and control the data that flows into it. The AI governance guide covers the program-level view.

The Canuckt AI Compliance Readiness framework

Everything above describes the terrain. This section is the map I actually use with organizations. It is the one genuinely original thing in this report: a five-level maturity model for placing your organization on a scale from "AI is happening to us" to "AI is governed and provable." I call it the AI Compliance Readiness framework. It is deliberately vendor-neutral — you can climb it with any tools, or none.

The framework assesses five dimensions, because AI governance fails unevenly — a company can have a beautiful policy and zero visibility into shadow AI:

  1. Visibility — do you know what AI systems and tools are in use, including the unsanctioned ones?
  2. Accountability — is there a named owner, a policy, and a decision path?
  3. Risk assessment — do you assess AI systems for privacy, bias, and safety before and during use?
  4. Data control — do you control what personal information flows into AI systems?
  5. Assurance — can you prove all of the above to a regulator, an auditor, or a customer?

The five levels

LevelNameVisibilityAccountabilityRisk assessmentData controlAssurance
1Ad-hocUnknown; shadow AI everywhereNo owner, no policyNoneNone; anything can be pasted anywhereCould not answer a regulator
2AwareLeadership knows AI is used; no inventoryAI use policy drafted; owner informalOccasional, reactiveGuidance issued, not enforcedSome documentation, incomplete
3ManagedCentral AI inventory exists and is maintainedNamed accountable owner; approved policyStandard assessment for new AI usesTechnical controls (e.g. PII redaction) on key flowsCan produce records on request
4GovernedContinuous discovery incl. shadow AICross-functional governance function; clear RACIRisk + impact assessments tied to lifecycleEnforced controls across the org; monitoringEvidence maintained continuously, mapped to law
5AssuredFull, real-time visibilityGovernance embedded in operations and board oversightIndependent validation; metrics and reviewData controls verified and testedThird-party certified (e.g. ISO/IEC 42001); audit-ready

How to use it

Most Canadian organizations I meet in 2026 sit at Level 1 or 2. They have adopted AI (the last section proved that), but visibility and assurance lag. The single highest-value move for a Level 1 organization is not writing a policy — it is achieving visibility. You cannot govern what you cannot see, and shadow AI is almost always worse than leadership believes.

The jump from Level 2 to Level 3 is where real compliance risk drops, because Level 3 is the first level at which you could survive a regulator’s "show me" request — the exact request the ChatGPT and Clearview cases turned on. Level 3 is a reasonable, defensible target for most small and mid-sized Canadian businesses in 2026.

Level 4 (Governed) is where I would put any organization touching regulated data — health, finance, children, or anyone exporting AI output into the EU’s high-risk categories before the August 2026 deadline. Level 5 (Assured) — with independent ISO/IEC 42001 certification — is currently a competitive differentiator; within a few years, for enterprise and government procurement, I expect it to become table stakes.

Pick your five scores honestly today. Your lowest dimension is your real risk, not your average. Governance is only as strong as the door you left unlocked.

Predictions: what’s coming in 2026–2027

Forecasting regulation is a good way to be wrong in public, so I will be specific and own it. Here is where I think Canadian AI compliance is heading over the next eighteen months.

1. Federal AI legislation returns — narrower, slower, and different

AIDA is not coming back as drafted; the government has said so. But the pressure to regulate has not gone away, and Canada does not want to be the only G7 country without an AI framework while the EU AI Act rolls out. My expectation: a narrower, more targeted federal instrument — possibly focused on high-impact or general-purpose systems, possibly folded into a revived privacy-reform package rather than a standalone AI act. Do not expect it in force before 2027. Do expect consultation drafts sooner. The organizations that built to ISO 42001 in the meantime will find the transition trivial.

2. Law 25 enforcement intensifies

The CAI now has a fully-in-force law, real penalty powers, and a mandatory incident register that quietly documents every organization’s failures. Expect the volume and visibility of Law 25 enforcement to climb through 2026–2027, with automated decision-making and inadequate consent as prime targets. Quebec will remain the most consequential AI-compliance jurisdiction in Canada, and its decisions will shape national practice.

3. The EU AI Act’s high-risk deadline forces Canadian hands

August 2, 2026 is a hard date: high-risk AI obligations under Annex III begin to apply. Canadian companies selling into Europe — or supplying AI features to European customers — will spend the back half of 2026 discovering whether their systems are "high-risk" under EU classification and scrambling to meet requirements they cannot ignore. This foreign deadline will do more to drive Canadian AI governance investment than any domestic policy.

4. Procurement becomes the real regulator

This is my highest-confidence prediction. Long before any Canadian AI law binds you, your customers will. Enterprise and public-sector buyers are already adding AI-governance and privacy questions to their vendor assessments, and ISO/IEC 42001 certification is starting to appear in RFPs. Procurement moves faster than legislation and it has a harder edge: fail the questionnaire and you lose the deal today. For most Canadian vendors, the buyer’s security-and-AI questionnaire will be the compliance deadline that actually matters.

5. Shadow AI moves from tolerated to unacceptable

As the enforcement pattern from the ChatGPT case sinks in, boards will stop treating shadow AI as an IT annoyance and start treating it as a disclosed-liability problem. Expect a wave of organizations moving from Level 1–2 to Level 3 on the readiness framework — driven less by regulators and more by their own risk committees finally asking "what data are our employees pasting into these tools?"

The through-line of all five predictions is the same: the forcing function for Canadian AI governance in 2026–2027 is not a Canadian AI law. It is Quebec, Brussels, and your own customers. Build for them.

Methodology and sources

I want to be completely transparent about what this report is and is not, because a citation-magnet asset that overstates its own authority is worthless.

What this report is. It is an analysis and synthesis of public, citable sources, written from the perspective of someone who builds AI-governance and privacy software for Canadian businesses. Every quantitative claim in it is drawn from a named public source — government statistics, regulator publications, official legal texts, or clearly-attributed third-party research — and linked inline. The categories of source I relied on are:

  • Primary legal and regulatory texts — EUR-Lex for the EU AI Act, ISED for AIDA and the Voluntary Code, ISO for the 42001 standard, NIST for the AI RMF.
  • Regulator publications — the Office of the Privacy Commissioner of Canada (annual report, investigation findings), and the joint federal-provincial ChatGPT investigation.
  • Official statistics — Statistics Canada’s business AI-adoption series.
  • Legal analysis from established Canadian firms tracking Bill C-27, Law 25, and the EU AI Act.
  • Third-party industry research on AI adoption and shadow AI, cited with attribution and appropriate caution about sample and method.

What this report is not. It is not a primary survey. I did not survey a panel of Canadian businesses, and you will not find a single "we surveyed N companies and found X%" claim in these pages, because I did not do that and I will not invent it. Where I describe the shadow-AI phenomenon or the governance gap, I either cite a named external study or describe the trend qualitatively based on public data and direct field experience — and I say which.

The original contribution of this report is the synthesis itself — pulling the regulatory, adoption, and enforcement threads into one coherent 2026 picture — and the AI Compliance Readiness framework, a five-level maturity model I authored to give organizations a practical way to place themselves and find their next step. The framework is my professional model, not an empirical finding; use it as a lens, not a law.

A note on timing. The Canadian AI-policy environment is unusually fluid in 2026 — a dead bill, a promised-but-undrafted replacement, foreign deadlines landing in sequence. Facts stated here reflect the position as of July 2026 and the sources below. Where the ground moves, the sources will move first; start there.

If you want to go deeper on any single thread, the linked guides on the Canuckt learn hub — on AI governance, the EU AI Act, and ISO/IEC 42001 — unpack the practical detail this report only had room to summarize.

Frequently asked questions

Does Canada have an AI law in 2026?

No. Canada has no AI-specific law in force in 2026. The proposed Artificial Intelligence and Data Act (AIDA) was part of Bill C-27, which died when Parliament was prorogued on January 6, 2025, and the government has confirmed AIDA will not return in its original form. However, existing laws — PIPEDA, Quebec’s Law 25, BC and Alberta PIPA, PHIPA, and CASL — apply to AI systems in full, so "no AI law" does not mean "no AI compliance obligations."

If there is no Canadian AI law, can my business still be penalized for how it uses AI?

Yes. Enforcement in Canada arrives through existing privacy law, not an AI statute. The 2026 joint investigation into OpenAI’s ChatGPT by the federal Privacy Commissioner and the Quebec, BC, and Alberta regulators found unlawful collection of personal information using nothing but existing privacy laws. Quebec’s Law 25 alone carries penalties up to $25 million or 4% of worldwide turnover. The risk is real and current.

Does the EU AI Act apply to Canadian companies?

It can. The EU AI Act (Regulation (EU) 2024/1689) is extraterritorial: it applies to providers and deployers outside the EU when the output of their AI system is used within the EU. Prohibited-practice fines up to €35 million or 7% of worldwide turnover have been enforceable since February 2025, and high-risk system obligations begin applying on August 2, 2026. Canadian exporters and SaaS vendors serving EU customers should assess their exposure now.

What should a Canadian business do first to govern its AI use?

Achieve visibility. Before writing a policy, find out what AI tools and systems are actually in use across your organization — including the unsanctioned "shadow AI" employees adopt on their own. You cannot govern, risk-assess, or protect data you cannot see. On the AI Compliance Readiness framework in this report, that moves you off Level 1 (Ad-hoc) and is the foundation for everything above it.

Are ISO/IEC 42001 and the NIST AI RMF worth adopting if they are voluntary?

Yes, and increasingly so. Because Canada lacks a binding AI law, standards are filling the vacuum. ISO/IEC 42001:2023 is the world’s first certifiable AI management system standard, and NIST’s AI Risk Management Framework provides a widely-used risk vocabulary. Building on them means you are ready for the EU AI Act and any future Canadian law without betting on a specific statute — and ISO 42001 certification is starting to appear in enterprise and government procurement, where it functions as a de facto requirement.

Our own compliance

We run our own compliance programme inside Valdra — the product we sell. Our SOC 2, ISO 27001 and ISO 42001 programmes are actively in progress; we do not claim certifications we do not yet hold.

Valdra compliance badge — click to verify
  • PIPEDA
  • Law 25 (Quebec)
  • CASL
  • Data hosted in Canada 🇨🇦
  • AI governance
View our Trust Centre

Self-declared, not audited by a third party. Click the badge to verify it is genuine and see what it covers.

The State of Canadian AI Compliance 2026 | Canuckt | Canuckt AI