In one paragraph

Yes — the Personal Information Protection and Electronic Documents Act (PIPEDA) is still in force across Canada in 2026. Bill C-27, which would replace PIPEDA’s private-sector provisions with the Consumer Privacy Protection Act (CPPA), has not yet passed Parliament. PIPEDA’s 10 Fair Information Principles, breach-reporting obligations, and Privacy Commissioner enforcement remain the law. This matrix shows each PIPEDA principle, the corresponding CPPA proposal in Bill C-27, what changes for Canadian SMBs if Bill C-27 passes, and the concrete readiness steps you can take now without waiting on Parliament.

Is PIPEDA still in force in 2026?

Yes. As of 2026, PIPEDA — the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) — remains Canada’s federal private-sector privacy law. The proposed replacement, the Consumer Privacy Protection Act (CPPA) contained in Bill C-27 (Digital Charter Implementation Act, 2022), has not received Royal Assent. Until it does, PIPEDA continues to govern the collection, use, and disclosure of personal information in the course of commercial activity in federally regulated industries and in provinces without substantially similar legislation.

The provinces with substantially similar private-sector laws (and therefore exempt from PIPEDA for businesses that are not federally regulated) are Quebec (Law 25), Alberta (PIPA), and British Columbia (BC PIPA). All other provinces fall under PIPEDA for commercial activity.

The 10 PIPEDA Fair Information Principles

PIPEDA’s substantive obligations are codified in Schedule 1 as the Fair Information Principles, drawn from the CSA Model Code:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

The PIPEDA-to-CPPA Transition Matrix

This matrix shows, for each PIPEDA principle: the corresponding CPPA proposal in Bill C-27, what materially changes for Canadian SMBs, and the readiness action you can take today.

| # | PIPEDA principle | CPPA (Bill C-27) equivalent | What changes | SMB readiness action |
|---|---|---|---|---|
| 1 | Accountability | s.7-9: privacy management program required | Written program with documented policies, training, complaint process | Designate privacy officer; document program now |
| 2 | Identifying purposes | s.12-14: identify and limit purposes | Stricter “appropriate purposes” test added (s.12(2)) | Review what you collect; document a business reason for each field |
| 3 | Consent | s.15-19: more granular consent rules | Express consent for sensitive data; “business activity” exception expanded | Audit current consent flows; flag sensitive-data collection |
| 4 | Limiting collection | s.12: limited to purposes | Largely similar; data minimization codified | Inventory data fields; remove anything without a clear purpose |
| 5 | Limiting use, disclosure, retention | s.20-22, s.53: retention + disposal | New right to disposal/erasure (s.55); retention schedule required | Build retention schedule; document deletion processes |
| 6 | Accuracy | s.34-35: accuracy maintained | Stricter individual right to correction | Add correction-request workflow to support process |
| 7 | Safeguards | s.57: technical, organizational, physical | Codified — “proportionate to sensitivity” | Adopt CIS Controls v8.1 IG1 baseline (Implementation Group 1) |
| 8 | Openness | s.62: privacy management policy public | Mandatory plain-language public privacy policy | Rewrite privacy policy in plain language; post publicly |
| 9 | Individual access | s.63-71: access + portability rights | NEW data-portability right + algorithmic explanation | Map data exports; document any algorithmic decisions |
| 10 | Challenging compliance | s.77+: PCT tribunal + AMPs | Administrative Monetary Penalties up to 3% of gross revenue or $10M | Strengthen incident-response + breach-reporting workflow now |

What materially changes for SMBs if Bill C-27 passes

The CPPA’s most significant practical changes for Canadian small and mid-sized businesses are:

  1. Mandatory privacy management program with documented policies, employee training, and a designated privacy officer. PIPEDA implies this; the CPPA requires it (s.9).
  2. New right to disposal — individuals can request that their personal information be disposed of (s.55). PIPEDA has no equivalent.
  3. Data portability — under defined data-mobility frameworks, individuals can ask that their information be transferred to another organization (s.72). New under CPPA.
  4. Algorithmic transparency — when an automated decision system is used to make a “prediction, recommendation, or decision about an individual” with significant impact, on request the individual must receive an explanation (s.63(3)).
  5. Significantly higher penalties — Administrative Monetary Penalties of up to 3% of gross global revenue or $10M (s.94), plus potential fines of up to 5% of revenue or $25M for offences (s.128).
  6. New Personal Information and Data Protection Tribunal — a specialized tribunal to review Privacy Commissioner orders (s.95+). PIPEDA has no equivalent.
  7. Codified breach-reporting — already exists under PIPEDA s.10.1 since 2018; CPPA largely carries forward.

Bill C-27 status (as of 2026)

Bill C-27 (the Digital Charter Implementation Act, 2022) was introduced in June 2022. It bundles three Acts: the CPPA, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). The bill has been at Second Reading and Committee stages through multiple parliamentary sessions. As of 2026, it has not received Royal Assent.

Practical implication: PIPEDA remains the federal private-sector privacy law in Canada. Any SMB making compliance decisions in 2026 should align to PIPEDA today and plan for CPPA-equivalent capabilities (privacy management program, retention/disposal, portability, algorithmic transparency) within a 12–18 month implementation horizon once Bill C-27 advances.

The SMB readiness checklist

You can take the following steps under PIPEDA today; they will put you in a substantially better position for the CPPA if and when Bill C-27 passes:

  1. Designate a privacy officer in writing. Update your employee handbook.
  2. Inventory the personal information your business collects. For each field, document the purpose.
  3. Rewrite your public privacy policy in plain language. Post it on your website.
  4. Build a written retention and disposal schedule. Map it to your IT systems.
  5. Add a workflow for: access requests, correction requests, deletion requests, and complaints.
  6. Adopt a security baseline. We recommend CIS Controls v8.1 Implementation Group 1 (IG1) as the floor for SMBs.
  7. Document any automated decisioning. If your CRM, hiring tool, or pricing engine makes recommendations about individuals, write down the inputs and the logic.
  8. Test your breach-reporting workflow. Run a tabletop exercise once per year.
  9. Train every employee annually on privacy basics. Track completion.
  10. Review vendor contracts. Confirm each is bound to PIPEDA-equivalent or stronger obligations.

About this matrix

This matrix is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited. Mike has guided Canadian SMBs through privacy-program design under PIPEDA since 2012. Fusion Computing is a Microsoft Solutions Partner (Security, Modern Work, Infrastructure) and a CompTIA Managed Services Trustmark holder. We update this matrix whenever Bill C-27 status changes materially; the date below reflects the most recent review.

If you’d like a PDF version or want help mapping your business to this matrix, book a 30-minute consult.