The laws governing privacy in Canada are undergoing rapid change, particularly for organizations that collect and use the personal information of their clients and customers. These changes have largely been driven by public policy considerations, but also reflect international developments such as the General Data Protection Regulation (GDPR). This recap summarizes the laws that were discussed during the webinar and provides resources for keeping your business in compliance with these new regulations.





  • Bill C-27 (Previously Bill C-11): Digital Charter Implementation Act, was meant to repeal parts of PIPEDA and replace then with
    –  CPPA: Canada Consumer Privacy Protection Act, meant to modernize and provide stricter regulations and enforcement over personal Information
  • Quebec’s Bill 64 : An Act to modernize legislative provisions as regards the protection of personal information
  • CCPA: California Consumer Privacy Act- A state statute that enhances privacy rights and consumer protection for California residents
  • GDPR: General Data Protection Regulations- Data protection and privacy law in the European Union and European Economic Area.

Quebec’s Bill- 64

►On September 2021, Quebec adopted Bill 64: An Act to modernize legislation regarding the protection of personal information. This bill introduced significant changes to the provisions governing the use and protection of personal information under various laws. A three-year phased implementation of the bill will begin on September 22, 2022. To stay up to date with the three-year plan for Bill 64, IAB Canada has created an infographic that breaks down how Bill 64 will go into effect the next three years. Link.

►Bill 64 requires organizations to configure individuals’ privacy settings for products or services to offer the highest level of confidentiality and privacy. This includes appointing a privacy officer, mandatory breach reporting, and giving individuals the opportunity to expressly opt for such features in accordance with their preferences. Under the new legislation, organizations that do not comply with this requirement can be fined $10 million or 5% of global revenue, whichever is greater.

►To stay up to date on Bill 64, you can access it here

Canada’s Bill C-27

►On June 16, 2022, the Canadian Parliament tabled Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, as well as amendments to other Acts.

►Bill C-27 would modernize Canada’s approach to private sector data protection and introduce new rules related to artificial intelligence (“AI”). The bill would establish three new statutes:

    • – The Consumer Privacy Protection Act (“CPPA”), which would repeal and replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and align it with the General Data Protection Regulation in Europe.
    • – The Personal Information and Data Protection Tribunal Act, which would allow organizations and individuals to seek review of decisions made by the Privacy Commissioner.
    • – The Artificial Intelligence and Data Act, which would regulate the development and deployment of AI in the Canadian marketplace.

►To stay up to date on Bill C-27, you can access it here

►The CMA has published a detailed overview of Bill C-27.



►Google will not be supporting 3rd party cookies in late 2023 which means greater reliance on first party data

►Under PIPEDA, organizations are required to explain why they collect personal information.

►Once the intended use of the data has been completed, organizations must dispose of the data. Whenever they are used for statistical purposes, they should be rendered anonymous.

Notable Notes

►As opposed to each province establishing their own privacy laws, one federal regulation would make it easier for companies to stay compliant.

► Technological legislation should not be prescriptive, as they tend to be outdated quickly. Instead, legislation should be technology-neutral, so it can adapt to new technologies as they emerge.

►It is important to have a system set of principles and framework in privacy to maintain your company/industry’s reputation.

►Your consumer relationship should be as ethical as the way you would want your own data to be used.


Key Takeaways

►Sara’s Key Takeaways

  • Stay up to date with new legislation or else your reputation could suffer.
  • Social Media ( Twitter) is a great platform to voice out your concern to your local MP’s for new change in legislation.
  • Make informed decisions regarding data collection by putting on your “consumer hat” in order to build your relationship with consumers.


►Jill’s Key Takeaways

  • “Don’t wait to be told what to do” – Don’t wait for new legislation to impose your business practices; take action now.
  • Explore your first party data and get that prepared for when cookies go away.
  • Technology best practices frameworks are already available to you, and you can use them to improve your business practices.


►Joanne’s Key Takeaways

  • Transparency creates trust with the end user and creates a positive relationship between you and your customers.
  • “Putting the value exchange” – When you are collecting data, it is important to make the value exchange clear. This means that you want your end users to know what they will get in return for giving you their information.



►Businesses can stay in compliance with the new privacy laws by taking courses offered by both the IAB Canada and the CMA.

►Privacy-First Essentials for Digital Advertising Professionals – IAB CANADA

► CASL and Privacy 101 for Marketers – CMA




Resources from the CMA

The CMA has many privacy-related guides and tools. Most of them can be found here, including their Privacy Compliance Guide and Transparency for Consumers Guide, and numerous blogs. The privacy law comparison chart, for those who are CMA members is also on this page.

If people are interested in keeping up with legislative developments, they should visit our Privacy Law Reform page.

Our report on the GDPR is available here: Privacy Law Pitfalls: Lessons Learned from the European Union.

Resources from the IAB

Global Privacy Project including TCF Canada

Quebec Privacy Legislation Resource Centre – includes guidance and webinar recording

Consent Management Platforms Resource Centre

Moving Towards Cookie Independence Resource Centre



And Register for their newsletter here