What Bill C-36 Means for the AI Tools Your Business Already Runs
Bill C-36 (PPCDA) introduces mandatory AI audits and $25M fines. Here's which workflows trigger obligations — and why vendor checks matter more today.
A plain-English breakdown of which AI workflows trigger obligations under Bill C-36's proposed Protecting Privacy and Consumer Data Act, and a 4-question self-assessment to locate your current documentation gaps. This covers the business practices that create risk, not just what the legislation says.
Bill C-36, formally the Protecting Privacy and Consumer Data Act (PPCDA), is Canada's proposed replacement for PIPEDA, introduced June 15, 2026. If enacted, it requires organizations to conduct Privacy Impact Assessments before deploying AI tools that make automated decisions with significant effects on individuals, provide explanation rights for those decisions, and disclose AI use at the point of data collection. Administrative penalties would reach $10 million CAD or 3% of global revenue; criminal offence penalties would reach $25 million CAD or 5% of global revenue. Enforcement would shift from the OPC to a new Digital Safety and Data Protection Commission. The bill is currently in first reading.
Bill C-36 received first reading on June 15, 2026 (Parliament of Canada). It will not take effect until it completes the full legislative process and comes into force by Order in Council — a transition period whose length is unspecified, but typically runs 12-36 months from first reading for legislation of this scale (Lawson Lundell).
The reason to pay attention is not enforcement proximity. Enforcement is likely years away, and the bill itself is likely to be amended before it passes (Fasken). The reason is that the documentation habits C-36 would require — a record of what AI tools you run, what personal data they process, and what decisions they influence — are the same habits that satisfy the vendor qualification questions enterprise clients are already asking in procurement reviews today. The regulatory clock may not be running yet, but the commercial clock is.
What C-36 Would Require for AI Tools
Under PIPEDA, AI use is governed through implied consent and general accountability principles. Under C-36's PPCDA, obligations apply to what the bill calls Automated Decision Systems (ADS) — any AI tool that makes predictions, recommendations, or decisions about individuals with significant effects.
Three specific obligations attach to ADS:
A mandatory Privacy Impact Assessment must be completed before deploying any ADS whose predictions or decisions could significantly affect individuals (DLA Piper). The assessment documents what data the system processes, how predictions are generated, what safeguards exist, and who is accountable.
An explanation right exists for individuals subject to automated decisions. On request, the organization must explain the logic of the prediction, its inputs, and how a different outcome could have resulted (Parliament of Canada).
Consent requirements tighten around AI-processed personal data. Implied consent for AI use is narrowed; clear disclosure of AI use is required at the point of data collection, not buried in terms-of-service documents (MLT Aikins).
Under current PIPEDA, the maximum penalty per violation is $100,000 CAD. Under C-36's proposed PPCDA, administrative penalties reach $10 million CAD or 3% of global revenue — and criminal offence penalties reach $25 million CAD or 5% of global revenue (DLA Piper).
Which Workflows Actually Trigger This
Most Canadian SMBs read "Automated Decision Systems" and assume the category refers to enterprise technology — machine learning pipelines at banks or hospital diagnostic systems. C-36's definition is wider than that.
Any AI tool that scores, ranks, categorizes, or makes predictions about specific individuals triggers the PIA requirement under the proposed framework. In practice, that includes:
Lead scoring tools in CRM systems that rank prospects by conversion probability and route sales effort accordingly. A CRM configured with an AI scoring module is making automated predictions about which individuals receive follow-up and which do not.
Hiring tools with AI screening components — resume filters, candidate rankers, fit-prediction scores. Employment decisions are named explicitly in C-36 as a category of significant effect. The Stanford HAI study published May 2026 found that 26% of Black applicants submitted applications to positions where AI screening algorithms discriminated — a finding that puts AI-assisted hiring squarely in regulatory crosshairs, regardless of company size (Stanford HAI).
Customer service tools that triage inquiries by account value, churn risk, or complaint severity. Routing decisions that affect what a customer receives or how quickly they are served are predictions about individuals.
Email tools that prioritize or suppress outreach based on individual recipient behaviour signals. If the tool predicts who is likely to respond and routes sends accordingly, that is a prediction about a specific person.
The common thread: if an AI tool makes a prediction about a specific individual and that prediction affects what that individual receives, experiences, or is offered, it is within scope.
The Pressure That Is Already Here
Regulatory enforcement may be two or three years away. Enterprise vendor qualification is not.
A growing number of larger buyers — corporations, government agencies, regulated financial institutions — have begun adding AI governance sections to standard vendor questionnaires. Suppliers without documented AI policies are running into friction in procurement reviews before any legislation is enacted. IntelliSync, a Canadian AI governance consultancy, reported in 2026 that Canadian SMBs without documented AI governance are failing enterprise vendor AI questionnaires on first submission (IntelliSync) — though this figure comes from a firm with advisory services in AI governance and its methodology is not disclosed.
The OPC's enforcement record provides a harder signal. The Office of the Privacy Commissioner received 3,044 AI-related complaints in 2025-26, a 109% increase over the prior year (OPC Annual Report 2025-26). These complaints are being filed under current PIPEDA — not under C-36, which does not yet exist as law. The enforcement trajectory is already moving in the direction C-36 would formalize.
For a professional services firm selling to enterprise clients, a failed vendor qualification review has direct revenue consequences. That consequence does not wait for royal assent.
Why "Wait and See" Is Also Reasonable
C-36 is not law. Fasken notes that "significant elements of the PPCDA, including data mobility frameworks, cross-border transfer requirements, and certification criteria, are likely to evolve as it proceeds" through Parliament (Fasken). Businesses that invest heavily in compliance infrastructure for a bill that passes in substantially different form — or that stalls in Parliament entirely — would be spending real money on a moving target.
Wait-and-see is defensible for businesses that do not sell to enterprise clients, do not process personal data as part of their core service, and do not use AI tools for individual-level predictions. Monitoring the bill through second reading and adjusting when the final text is clear is a rational approach.
One caveat applies: the documentation that satisfies C-36's proposed PIA requirement is the same documentation that satisfies PIPEDA's existing accountability principle and the OPC's current complaint process. The work is not wasted if C-36 changes. A record of what AI tools you run, what personal data they touch, and who is responsible for oversight serves you under current law, under the bill's proposed replacement, and in enterprise vendor reviews. It is not regulatory-specific documentation. It is the minimum viable audit trail for any business running AI tools on Canadian personal data today.
- Bill C-36 (PPCDA) proposes mandatory Privacy Impact Assessments for AI tools that make automated decisions about individuals, with administrative penalties up to $10M / 3% of revenue and criminal offence penalties up to $25M / 5% (DLA Piper)
- The bill is at first reading as of June 2026 — enforcement is 12-36 months away — but enterprise vendor qualification questions are enforcing the same documentation habits today (IntelliSync)
- The same documentation satisfies C-36's proposed PIA, PIPEDA's existing accountability principle, and procurement reviews for enterprise clients — it is not regulatory-specific work (OPC Annual Report 2025-26)