Canada's federal private-sector privacy law is changing. Bill C-27, which includes the Consumer Privacy Protection Act (CPPA), has been working its way through Parliament — and while the exact timeline for royal assent and coming-into-force remains uncertain, the direction is clear. When CPPA takes effect, it will replace PIPEDA with a significantly more demanding privacy regime.
Organizations that assume their current PIPEDA compliance posture will carry them through the transition are taking a risk they may not fully appreciate. The CPPA introduces new obligations, expands individual rights, creates a new private right of action, and significantly increases penalties. Preparation is not optional — it is a matter of when, not whether.
Important note on timing
What CPPA is — and why it matters more than PIPEDA
PIPEDA, Canada's current federal private-sector privacy law, was enacted in 2000. It was designed for a world of paper files and early-stage e-commerce — a world that no longer exists. Twenty-five years of digital transformation, data-driven business models, and cross-border data flows have made significant portions of it inadequate for the risks organizations and individuals actually face.
CPPA is Canada's attempt to modernize its privacy framework — drawing heavily on GDPR principles while adapting them to the Canadian context. The result is a law that is materially more demanding than PIPEDA in several key areas.
The key differences between PIPEDA and CPPA
| Area | PIPEDA (current) | CPPA (proposed) |
|---|---|---|
| Consent | Meaningful consent — can be express or implied depending on sensitivity | Strengthened consent requirements; new rules for valid consent; limits on bundling consent |
| Individual rights | Access and correction rights | Access, correction, portability, and the right to disposal (deletion) |
| Penalties | Up to $100,000 for serious violations | Up to 3% of global revenue or $10M for general violations; up to 5% or $25M for serious violations |
| Private right of action | No private right of action — OPC findings not directly enforceable | Private right of action for individuals following an OPC finding |
| Algorithmic transparency | Not addressed | New obligations for automated decision systems with significant impacts |
| De-identification | Limited guidance | More specific requirements around de-identification standards and obligations |
| Children's privacy | Addressed under general consent principles | Specific heightened protections for minors |
What will not change — and why that matters
Before focusing entirely on what is new, it is worth acknowledging what CPPA preserves from PIPEDA. The foundational privacy principles — accountability, identifying purposes, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance — remain at the core of the new law.
This means that organizations with mature PIPEDA compliance programs are not starting from zero. The work done to establish privacy governance, document data flows, implement consent mechanisms, and respond to access requests will remain relevant under CPPA. The gap is in the new and strengthened obligations — and that gap is significant.
What organizations need to do now
The organizations that will be best positioned when CPPA comes into force are those that begin preparation now — not those that wait for royal assent and then scramble to comply. Here is a practical framework for that preparation.
Assess your current PIPEDA compliance posture honestly
Many organizations have significant gaps in their current PIPEDA compliance that they have not addressed because enforcement has been limited. CPPA's penalties change that calculus entirely. Start by knowing where you actually stand.
Complete or update your data inventory and mapping
You cannot comply with consent, portability, or disposal requirements if you do not know where your personal information lives, how it flows, and who has access to it. Data mapping is the foundation — without it, everything else is guesswork.
Review and update your consent framework
CPPA's consent requirements are more demanding than PIPEDA's. Review how you currently obtain, record, and manage consent — particularly for sensitive information, marketing, and data sharing with third parties. Bundled consents are specifically targeted by the new law.
Build or improve your individual rights response capability
The new right to data portability and right to disposal (beyond PIPEDA's access and correction rights) require operational capability you may not currently have. Build the processes and systems to respond within CPPA's timelines before the law takes effect.
Review your automated decision-making systems
CPPA introduces transparency obligations for automated decision systems that significantly affect individuals. If your organization uses algorithmic tools for credit decisions, hiring, fraud detection, or similar purposes, you need to understand and document how those systems work and their impacts.
Strengthen your third-party privacy assessment program
CPPA maintains the accountability principle — you are responsible for personal information transferred to third parties. If you do not currently have a structured process for assessing vendors and suppliers who handle personal information on your behalf, CPPA is the right forcing function to build one.
Update your breach response plan
CPPA maintains PIPEDA's mandatory breach notification requirements but raises the stakes significantly with its penalty regime. If you experience a reportable breach after CPPA comes into force, the OPC investigation that follows will scrutinize your privacy program holistically — not just the breach itself.
Special considerations for regulated industries
Organizations in financial services, insurance, and government face a more complex privacy landscape than general commercial organizations — and the CPPA transition adds another layer.
Financial services. Organizations already subject to FSRA or OSFI oversight are managing privacy obligations in the context of broader cybersecurity and data governance requirements. CPPA preparation should be integrated with existing security and compliance programs — not treated as a separate initiative. Privacy and security share data flows, controls, and governance structures; managing them separately creates gaps and duplication.
Insurance. Insurers handle particularly sensitive personal information — health data, financial data, claims history. The heightened consent requirements and potential private right of action under CPPA create significant exposure for organizations that have not kept their privacy programs current with their data practices.
Government and public sector. Federal and provincial public sector organizations are not subject to PIPEDA or CPPA — they fall under FIPPA (Ontario) or equivalent provincial legislation. However, organizations that interact with both public and private sector contexts, or that are considering cloud adoption and vendor relationships, need to understand how CPPA affects their suppliers and contractors.
The CPPA case for Privacy by Design
One of the most important — and often overlooked — aspects of CPPA is its explicit recognition of privacy-by-design as a compliance approach. Organizations that build privacy controls into their systems and processes from the design phase, rather than bolting them on after the fact, are better positioned under the new law.
This is not just a compliance argument. Privacy controls designed into systems are more effective, less expensive to maintain, and less likely to fail in ways that create breach exposure. The organizations that will handle CPPA most smoothly are those that treat privacy as an architectural and design discipline — not a compliance exercise run by the legal team at the end of a project.
The privacy-by-design advantage under CPPA
- Consent mechanisms designed into systems are more reliable and auditable than retrofit solutions
- Data minimization built into data models reduces the scope of consent, portability, and disposal obligations
- Privacy Impact Assessments conducted at design time are more effective than post-hoc compliance reviews
- Automated decision systems with documented privacy controls are better positioned for CPPA's transparency requirements
- Third-party privacy requirements built into procurement processes are consistently applied — not dependent on ad-hoc legal review
The bottom line
CPPA represents a fundamental shift in Canada's privacy landscape — from a law that was largely a statement of principles with limited enforcement teeth, to a law with GDPR-scale penalties, a private right of action, and an expanded set of individual rights.
The organizations that will be best positioned are those that treat CPPA preparation as a program — not a project. A program that starts now, builds on existing PIPEDA compliance work, fills the specific gaps that CPPA creates, and integrates privacy into architecture and design rather than treating it as a compliance overlay.
If your organization has not yet started this work, the right time to begin is now — before the enforcement clock starts.
This article reflects Sarakinov Consulting's advisory perspective on the CPPA transition. It is not legal advice. Organizations should obtain qualified legal counsel on their specific obligations under applicable privacy legislation. Goni Sarakinov holds CIPM and CIPT certifications from the International Association of Privacy Professionals.