Bill C-36 Protecting Privacy and Consumer Data Act: Right to Delete Your Data, Deepfake Removal, $25M Fines — What It Means for Canadians, Parents, and Businesses
Ottawa tabled Bill C-36 on June 15, 2026, replacing PIPEDA with a new Protecting Privacy and Consumer Data Act. Practical guidance on the new right to delete, deepfake takedown rights, children's data protections, surveillance-pricing limits, and the $25M penalty regime — what to do today as a consumer, parent, or business owner.
By Refdesk Team

What This Means for You
Canada's federal privacy law has not been meaningfully updated in 25 years. PIPEDA, the statute that has governed how Canadian businesses collect, use, and share your personal information since 2000, predates the smartphone, social media, generative AI, and the kind of granular behavioural pricing that now decides what you pay for a flight at 11:42 a.m. on a Wednesday. Bill C-36 — the Protecting Privacy and Consumer Data Act — is Ottawa's third attempt in six years to replace it. Based on our reading of the bill text and the parallel bills C-34 (Safe Social Media Act) and C-33 (AI and Data Act), the practical changes that matter for ordinary Canadians cluster around four levers: deletion, deepfakes, children, and surveillance pricing. Here is what to do this week, this month, and over the 18-to-30-month implementation runway.
If You Are a Canadian Consumer (Anyone With a Phone or Email Address):
Immediate action this month:
- Inventory your "data footprint." Open your password manager and count the number of distinct online accounts you hold. Most working-age Canadians have between 100 and 250. The new right to disposal (the bill's term for deletion) lets you request permanent erasure or anonymization of your personal information at any organization, subject to a narrow set of exceptions. To exercise that right effectively in 2027 when the law takes effect, you need to know where your data lives now.
- Identify your top-10 highest-exposure accounts. These are typically: your primary email, your phone carrier, your bank, your three most-used loyalty programs (Aeroplan, PC Optimum, Scene+), your insurance company, your top two streaming services, and the social platform you use most. Most data breaches in 2025-2026 originated in this cluster.
- Document any deepfake or synthetic media using your likeness. A new right to request takedown of deepfake images, audio, or video on commercial platforms is one of C-36's most novel provisions, per CBC News. If you have ever discovered a synthetic image of yourself online, save the URL, a screenshot, and the date you first saw it. Under the new framework, you will be able to send a structured takedown request to the platform with the new Digital Safety and Data Protection Commission as your escalation route.
What to prepare:
- A deletion-request template. When C-36 takes effect (anticipated 12-18 months after Royal Assent, based on the implementation timelines in Bill C-11 and Bill C-27 transition rules), you will need to write structured requests that cite the section, identify the data, and set a response deadline. We recommend drafting your template now while the act is still in committee, then revising once the final form is known.
- An understanding of the exceptions. A company can refuse your deletion request if (a) the data is required for an ongoing legal proceeding, (b) deletion would create undue burden, (c) there is a conflicting retention obligation under another law (CRA tax records are the most common), or (d) the data is required for ongoing contract performance. Knowing these exceptions in advance means knowing when to push back.
- A surveillance-pricing journal. If you suspect you have been quoted a higher price than other shoppers based on your data profile (a phenomenon now formally called "surveillance pricing" in the bill), start logging instances now: same product, two browsers/devices, two prices, screenshots, timestamps. The new act gives the government a path to address surveillance pricing through regulations.
Resources:
- Office of the Privacy Commissioner of Canada (current complaints process, valid until C-36 transition): www.priv.gc.ca
- Have I Been Pwned (free data-breach lookup): haveibeenpwned.com
- Bill C-36 first reading text: parl.ca
Example scenario: A 42-year-old project manager in Calgary received an alert in April 2026 that her email was found in a breach affecting a discount retailer she shopped at twice in 2019. Under PIPEDA today, her only recourse is a complaint to the Privacy Commissioner, which has limited enforcement teeth — the OPC can investigate and publish findings but cannot issue fines directly. Under Bill C-36, she will be able to (1) request permanent deletion of her account and underlying transaction history, (2) demand confirmation in writing within a regulated timeframe, and (3) escalate to the new Digital Safety and Data Protection Commission, which can impose administrative monetary penalties of up to $25 million or 5% of global revenue (per the Hicks Morley analysis and Canada.ca backgrounder). The cumulative effect is that the cost of ignoring an individual deletion request becomes material to a corporation for the first time in Canadian history.
If You Are a Parent of a Canadian Child Under 18:
Immediate action this week:
- Audit which platforms hold your child's data. Educational apps used by schools (Google Classroom, Seesaw, Microsoft 365 for Education), entertainment services (Roblox, Minecraft, YouTube Kids, Netflix child profiles), and social platforms used by teens (Instagram, TikTok, Snapchat, Discord) are the primary collectors. Bill C-36 designates children's data as "sensitive personal information by default," meaning the standard of consent and the threshold for permissible processing rises sharply.
- Have the deletion conversation with your child. Once C-36 is in force, a parent or guardian will be able to request deletion of a child's personal information from a commercial service in most circumstances. Your 14-year-old, however, is also a stakeholder in their digital footprint. A family conversation about what to keep (a long-running Roblox account with build history they care about) and what to delete (a dormant TikTok with embarrassing 2023 posts) is worth having now.
- Note the interaction with Bill C-34, the Safe Social Media Act. Bill C-34 is the under-16 social-media access bill we covered in a previous post. Bills C-36 and C-34 are designed to work together: C-34 limits which platforms minors can use; C-36 governs what those platforms can do with whatever data they do collect. Both are administered by the same new Commission.
What to prepare:
- A list of all the apps and platforms your child has installed in the last 36 months, including those they no longer use.
- A simple table of what consent you gave at signup (if you can remember). Many parents signed up children before COPPA-style age-gating was standard.
Example scenario: A 38-year-old engineer in Mississauga has two children, ages 9 and 14. The 9-year-old has a Roblox account, a Khan Academy Kids account from age 5, a YouTube Kids profile, and a profile on a defunct learning app her school used in 2023. The 14-year-old has Instagram, Snapchat, Discord, a Spotify account, and a TikTok account he set up in 2024 despite the platform's 13+ age rule. Under C-36, in 2027 the parent can request deletion of (a) the defunct learning-app data, (b) the YouTube Kids profile, (c) the Snapchat account if both child and parent agree, and (d) the inadvertently created TikTok the 14-year-old made before he was technically allowed. The combined effect is a dramatic narrowing of the child's "data shadow" before they enter adulthood.
If You Are a Small or Medium-Sized Business Owner in Canada:
Immediate action this quarter:
- Assess whether you are a "data-processing organization" under the new bill. The thresholds in C-36 are not yet finalized in regulations, but the bill captures any commercial entity that collects, uses, or discloses personal information in the course of commercial activity — which is essentially every Canadian business that has customers, employees, suppliers, or a website with a contact form.
- Begin a data-mapping exercise. Identify (1) what personal information you hold, (2) where it lives (CRM, accounting software, email lists, paper files, employees' personal phones), (3) how long you have held each category, and (4) what your legal basis for retention is. This exercise is the foundation of every privacy-compliance program; the new $25 million penalty ceiling makes it a board-level concern for the first time for medium-sized firms.
- Review your privacy policy. If your policy still says "we may share your information with third-party partners for marketing purposes" without specifying which partners, what categories of data, and what opt-outs are available, it will not survive the new transparency requirements. Plan a rewrite for Q4 2026.
- Budget for compliance. Based on benchmarks from the EU's GDPR implementation, Canadian Bar Association projections, and our analysis of similar mid-cap U.S. state laws (Colorado, Virginia, California), expect $5,000–$25,000 in one-time implementation costs for a typical 10-to-50-employee Canadian business: external counsel review, data-mapping software, employee training, and policy/notice redrafting. Larger firms with cross-border operations should budget 5-10x more.
Resources:
- Office of the Privacy Commissioner of Canada small business guidance: priv.gc.ca/en/privacy-topics/privacy-and-businesses
- Bill C-36 backgrounder from Innovation, Science and Economic Development Canada: canada.ca
Example scenario: A 12-person Toronto e-commerce business sells outdoor gear nationally with about 18,000 customer records (name, email, address, purchase history) in Shopify, mailing-list data in Klaviyo, and employee data in QuickBooks. Their current privacy practice is "we don't sell your data," published as a single paragraph on the website. Under C-36, they will need: (1) a comprehensive privacy notice meeting the new transparency requirements, (2) a designated privacy officer (can be the CEO at this size), (3) a deletion-request handling process with a target response time (we recommend internally targeting 30 days), (4) a documented risk assessment for any AI tools they use (e.g., a chatbot that processes customer questions), and (5) breach-notification procedures aligned to the new mandatory reporting thresholds. Total external cost: roughly $8,000-$12,000 in legal and software setup, plus 60-80 internal hours.
For All Canadians:
- The bill is at first reading. It will go through committee in fall 2026 and is expected to receive Royal Assent in 2027 at the earliest. Coming into force will be staggered, with the new Digital Safety and Data Protection Commission expected to be operational 12-18 months after Royal Assent.
- The Canadian Civil Liberties Association has publicly criticized the bill as containing "broad exceptions for corporate data exploitation" while doing little to address AI harms. The bill will likely be amended in committee; the version that becomes law will not be identical to today's draft.
The News: What Happened
According to the CTV News and Canadian Press coverage from June 15, 2026, Innovation, Science and Industry Minister Evan Solomon tabled Bill C-36, the Protecting Privacy and Consumer Data Act, in the House of Commons. The bill received first reading the same day.
The Globe and Mail reports the legislation would replace the Personal Information Protection and Electronic Documents Act (PIPEDA), originally enacted in 2000. According to the Government of Canada backgrounder on canada.ca, the new act recognizes privacy as a fundamental right and creates a new Digital Safety and Data Protection Commission with the power to impose administrative monetary penalties of up to $25 million or 5% of an organization's gross global revenue, whichever is greater.
According to CBC News, the bill introduces a right to request deletion of personal information, including the removal of synthetic media — deepfakes — on commercial platforms. The IAPP reports that children's personal information is designated as sensitive by default, raising the consent and processing threshold for organizations that handle data from individuals under 18.
The Next Web reports that Bill C-36 gives the federal government a path to address "surveillance pricing" — the practice of personalizing prices to consumers based on their data profiles — through subsequent regulations. According to BetaKit, the new Commission will hold a dual mandate covering both online safety (administered jointly with Bill C-34, the Safe Social Media Act) and data privacy.
This is the third major attempt to update PIPEDA. According to the Hicks Morley legal analysis, prior bills C-11 (2020) and C-27 (2022) did not become law before Parliament was prorogued or dissolved.
Analysis: Why This Matters
Based on our analysis of the bill text and the broader legislative package, three structural shifts deserve closer attention than the headline penalty figure.
First, the creation of a single, well-resourced Digital Safety and Data Protection Commission is a significant institutional change. The current Office of the Privacy Commissioner can investigate and make non-binding findings, but the OPC has long lacked direct fining power. Concentrating online-safety and privacy enforcement in one new commission with $25 million ceilings creates an entity whose actions will materially affect quarterly earnings for affected companies. This is the single biggest behavioural change-driver in the bill.
Historical Context:
PIPEDA was designed for a world of static, low-volume data exchanges: customer names, addresses, and purchase histories sitting in a transactional database. It was not designed for inferred data (the model's guess about your political views based on your browsing), behavioural data (the timing and location of every interaction), or synthetic data (a deepfake assembled from publicly scraped images). C-36 begins to address all three, though imperfectly.
The bill's deepfake-takedown provision is among the first of its kind in any G7 country to be tied to existing privacy infrastructure. The EU's AI Act addresses some of this through risk-tiering; the U.S. has a patchwork of state laws (Tennessee's ELVIS Act, Texas, California). Canada's approach — grafting it onto the privacy regime — is a meaningful policy choice because it means individual citizens, not regulators, drive enforcement.
What Happens Next:
- Fall 2026: Bill C-36 goes to committee. Expect substantial amendments based on submissions from the Canadian Civil Liberties Association, the Privacy Commissioner, the Canadian Marketing Association, the Canadian Bankers Association, and large platform operators.
- Winter 2026-2027: Second reading, report stage, third reading. The Liberal minority government will need NDP and/or Bloc support; both parties have indicated general support for stronger privacy protections.
- Spring-Summer 2027: Anticipated Royal Assent.
- 2027-2029: Regulations drafted by ISED. The substantive content of those regulations — including the surveillance-pricing prohibitions, the technical standards for deletion, and the size thresholds for which businesses qualify for simplified compliance — will determine the practical impact more than the bill text itself.
Your Action Plan
Immediate (This Week):
- Inventory the 10 most data-sensitive accounts you hold (banking, primary email, phone carrier, top loyalty programs)
- Read the Bill C-36 first-reading text (it's 200+ pages but the consumer-facing sections are the first 40)
- If you are a parent, list the platforms holding your child's data
Short-term (This Month):
- Draft a personal "deletion-request template" you can adapt when the law takes effect
- Document any deepfake or synthetic media involving you that you have previously discovered (URL, screenshot, date)
- If you own a business, begin a data-mapping exercise: what data, where, how long, what legal basis
Long-term (This Year):
- Monitor the committee stage in fall 2026; submit comments via the House of Commons Standing Committee on Industry and Technology process if a particular provision affects you
- Subscribe to the Office of the Privacy Commissioner's newsletter for compliance guidance updates
- If you operate a business with cross-border data flows, engage privacy counsel to scope compliance before Royal Assent
Other Perspectives
Government's Position:
According to the Government of Canada backgrounder, Minister Evan Solomon described the legislation as "recognizing privacy as a fundamental right" and as essential to building consumer trust in the digital economy. The government's framing emphasizes children's protection, surveillance-pricing curbs, and harmonization with international standards (notably the EU's GDPR and the UK's Data Protection Act).
Civil Liberties Critique:
The Canadian Civil Liberties Association issued a press release stating that the bill "proposes empty privacy protections" and contains "broad exceptions for corporate data exploitation." The CCLA particularly criticizes the bill for failing to meaningfully address AI-related harms, leaving that largely to a separate piece of legislation (Bill C-33, the AI and Data Act).
Industry Response:
Per BetaKit, the technology sector has expressed mixed reactions. Smaller Canadian technology firms have raised concerns about compliance costs, while larger platforms have signaled cautious support for harmonized federal rules over a patchwork of provincial regimes (Quebec's Law 25 is already in force).
Privacy Practitioners:
According to IAPP's analysis, the bill represents "the most significant overhaul of private-sector privacy law in Canada in a generation" but cautions that the practical impact depends almost entirely on the regulations that follow Royal Assent.
Note: Including multiple perspectives doesn't imply all views are equally valid, but ensures readers can make informed judgments.
Corrections Policy
We strive for accuracy. If you find an error in this analysis, please email us at [email protected]. We will promptly investigate and correct any factual inaccuracies.
Updates:
- No corrections to date (as of 2026-06-19)
Sources
- CBC News, "New privacy bill would give Canadians right to request companies delete AI deepfakes" — cbc.ca
- The Globe and Mail, "Ottawa tables privacy bill aimed at boosting protections for children, increasing data-use transparency" — theglobeandmail.com
- CTV News, "Ottawa introduces privacy bill covering children's data, right to request deletion" — ctvnews.ca
- Government of Canada, "Government of Canada tables new legislation to protect children's data" — canada.ca
- Hicks Morley, "Canada Tables Bill C-36, the Protecting Privacy and Consumer Data Act" — hicksmorley.com
- IAPP, "Canada's Bill C-36 introduces privacy reforms, enforcement changes" — iapp.org
- Canadian Civil Liberties Association, "Bill C-36 proposes empty privacy protections" — ccla.org
- BetaKit, "With update to Canada's privacy laws, feds are building a 'super-regulator'" — betakit.com
- The Next Web, "Canada proposes privacy overhaul that would curb surveillance pricing" — thenextweb.com
- Parliament of Canada, Bill C-36 first reading text — parl.ca