
Bill C-27 (CPPA) Readiness: What Canadian SMBs Should Do Now

Brian Clayton

Bill C-27, the Digital Charter Implementation Act, is the most significant Canadian privacy reform in 25 years. If passed in something close to its current form, it replaces PIPEDA with the Consumer Privacy Protection Act (CPPA), introduces the Personal Information and Data Protection Tribunal, and brings AI systems under the Artificial Intelligence and Data Act (AIDA).

For Canadian SMBs, the question is not whether to wait for the legislation to settle. It is what to do now so that the inevitable transition (whether under C-27, a successor bill, or provincial reforms like Quebec's Law 25) is a documentation exercise rather than a fire drill. This piece covers the structure of the bill, what changes for SMBs, and the readiness actions that pay off regardless of which version eventually becomes law.

What Bill C-27 Is

Bill C-27 is a federal omnibus bill introduced in 2022 with three components:

  1. The Consumer Privacy Protection Act (CPPA), replacing PIPEDA
  2. The Personal Information and Data Protection Tribunal Act, creating an administrative tribunal with the power to impose fines
  3. The Artificial Intelligence and Data Act (AIDA), creating the first federal framework for "high-impact" AI systems

As of mid-2026, the bill has moved through committee but has not yet received Royal Assent in its final form. The political timeline is uncertain. The substantive direction, however, is well-aligned with Quebec Law 25, GDPR, and US state laws like the California Privacy Rights Act, so the readiness work converges regardless of which bill eventually crystallizes.

The Consumer Privacy Protection Act

The CPPA tightens PIPEDA on several fronts. The headline changes that matter most for SMBs:

  • Express consent requirements expand. CPPA distinguishes "express" and "implied" consent more explicitly and pushes sensitive categories toward express consent only.
  • Algorithmic transparency. Where an organization uses an automated decision system to make predictions, recommendations, or decisions about an individual that could have a significant impact, it must inform the individual on request and explain the system.
  • Right to disposal (deletion). Individuals can request that personal information be disposed of, with narrow exceptions for legal or business retention obligations.
  • Right to portability. Personal information must be transferable in a structured, commonly used technical format, similar to GDPR Article 20 and Law 25.
  • Data mobility framework. The CPPA creates a regulatory framework for industry-specific data mobility schemes (banking, telecom).
  • Privacy management programs. Organizations must implement and document a privacy management program proportionate to the volume and sensitivity of the information they hold.

Most of these are evolutionary, not revolutionary. PIPEDA already implies many of them. The CPPA makes them explicit and enforceable.

The AIDA Component

The Artificial Intelligence and Data Act introduces obligations on organizations that design, develop, or make available "high-impact" AI systems. The definition of high-impact has shifted across committee versions, but the direction is consistent: AI systems used in decisions that could materially affect an individual's rights, safety, employment, services, or financial standing.

For SMBs, the most likely AIDA exposure points:

  • Hiring or HR systems that screen or rank candidates
  • Lending or credit decisioning
  • Healthcare triage or diagnostic support
  • Algorithmic content moderation at scale
  • Surveillance or biometric systems

Most Canadian SMBs are not building AI systems. They are buying them from vendors. The practical AIDA effect for SMBs is therefore vendor due diligence: confirming that the SaaS tools you use in regulated decisions meet the AIDA obligations that fall on their providers.

Tribunal, Penalties, and Enforcement

The Tribunal is the structural shift that gives CPPA enforcement teeth. Under PIPEDA, the Office of the Privacy Commissioner can investigate and make findings but cannot impose fines directly. Under the proposed CPPA, the OPC investigates and recommends, and the Tribunal can impose administrative monetary penalties up to CAD 10 million or 3 percent of global revenue, with penal offences up to CAD 25 million or 5 percent.

That penalty ceiling matches Quebec Law 25 and approaches GDPR. The practical implication: privacy compliance moves from "we will probably be fine" to "this has the same financial risk profile as a tax audit."

How It Compares to PIPEDA

For SMBs already operating a solid PIPEDA program, CPPA is mostly additive. The structure of its principles is similar. The differences are in scope, documentation, and enforcement weight.

  • Privacy program documentation becomes mandatory, where under PIPEDA it is a best practice.
  • Automated decision systems trigger explicit notice and explanation obligations.
  • Disposal rights become enforceable, where PIPEDA implies them.
  • Enforcement weight shifts from non-binding findings to tribunal penalties.

For a side-by-side of how Canadian privacy law compares to GDPR for businesses with EU exposure, see our piece on PIPEDA vs GDPR. For the PIPEDA baseline that the CPPA builds on, see our PIPEDA compliance checklist.

What Changes for SMBs

The practical changes most likely to affect Canadian SMBs:

  • A documented privacy management program is no longer optional. Even a small business needs a written program proportionate to the personal information it handles.
  • Vendor due diligence becomes formal. If you rely on third parties to handle personal information (and you do), CPPA expects you to verify their practices, not just trust their marketing.
  • Consent forms get audited. The line between express and implied consent matters when the regulator can fine you.
  • Data inventory becomes evidence. "We do not really know what data we have" stops being an acceptable answer to a regulator question.
  • AI use in decisions gets disclosure. If a SaaS tool you use ranks, scores, or flags individuals, you may need to disclose it on request.

Readiness Actions That Pay Off Regardless

The smart play for Canadian SMBs is to invest in actions that pay off under PIPEDA today, under CPPA tomorrow, under Quebec Law 25 already, and under SOC 2 if your customers ask. The convergence list:

  1. Designate a real privacy officer with documented responsibilities and visible contact information.
  2. Build a data inventory covering categories, locations, retention, and cross-border flows.
  3. Audit and refactor consent flows to separate marketing from terms acceptance, use clear language, and document specific purposes.
  4. Document a written privacy management program covering policies, training, breach response, and access/correction processes.
  5. Inventory vendors handling personal information and confirm Data Processing Addendums or equivalent contractual safeguards are in place.
  6. Identify automated decision systems in use and document what they decide, what data they use, and how a person can appeal.
  7. Build a retention schedule and align technical systems so they dispose at the horizon, not just promise to.
  8. Test the breach response process with one tabletop per year covering both PIPEDA and Law 25 notification paths.

Every item on this list reduces PIPEDA exposure today, prepares for CPPA, satisfies Law 25, supports SOC 2 readiness, and improves your cyber insurance position. None of them are speculative work. They are good privacy hygiene that pays off regardless of legislative outcome.

For the SOC 2 angle specifically, see our SOC 2 readiness guide. For retention specifically, see our piece on records retention basics.

Timeline Expectations

Predicting Canadian federal legislation is a fool's errand. What we can say with confidence:

  • The substantive direction (stronger consent, tribunal enforcement, AI oversight) is bipartisan and unlikely to reverse.
  • Quebec Law 25 is already in force and provides a practical preview of the federal direction.
  • SOC 2, insurance, and customer due-diligence cycles already pull SMBs toward the same controls.
  • Waiting for the bill to crystallize before starting compliance work is more expensive than starting now.

Run our free PIPEDA self-assessment for a no-email-gate scoring of where you stand today. The same controls form the floor for CPPA and the starting point for Law 25 alignment. For the broader Canadian compliance picture, see our compliance guide for Ontario businesses and our IT consulting service page.
