Canada’s Bill C-36 targets privacy pricing hikes, but the key details still aren’t public

Canada moved Monday to overhaul its private-sector privacy rules, and the headline stake is unusually direct: Bill C-36, the Protecting Privacy and Consumer Data Act, would add restrictions on businesses that use personal data to charge individual consumers higher prices.

That means the government is not treating privacy as a purely “consent and deletion” story. It is explicitly linking how companies use personal data to a consumer outcome: paying more. Bill C-36 is designed to replace the Personal Information Protection and Electronic Documents Act, a law first enacted in 1998, and this replacement is the real reason executives should care. When a privacy framework gets rewritten, the cost of “getting it wrong” often shifts from interpretive ambiguity to enforceable obligations.

To understand why the “privacy pricing” angle is such a big deal, zoom out to how modern businesses monetize data. Companies collect personal data across websites, apps, loyalty programs, payments, and customer service interactions. Many then use that data to segment customers, forecast willingness to pay, and optimize pricing or offers. In practice, that can blur into charge-more outcomes that feel personalized but also raise obvious fairness and transparency questions.

Bill C-36 is aimed at that exact friction point, but the catch, for now, is that the details are still missing. The Next Web’s framing is blunt: the legislation was introduced, but the critical specifics have not been fully laid out publicly yet. For leaders, that uncertainty matters because privacy compliance is rarely a one-and-done project. It is a system that touches product design, data governance, marketing operations, pricing, legal review, and vendor contracts. If you do not yet know what the rule will actually require, you are stuck in a gray-zone period where teams must either wait, or take conservative steps that can slow growth.

Still, the structure of the change is clear enough to map second-order implications. Bill C-36 replaces the 1998 law known as the Personal Information Protection and Electronic Documents Act (PIPEDA). That matters because the old framework was written for a different era of data flows. Since 1998, data collection has expanded in both scale and complexity, and businesses now commonly integrate behavioral data into real-time decisions. Overhauling the law signals that Canada expects a modernized approach, and that the government is willing to change the boundaries around what companies can do with personal data.

Now add the specific restriction described in the story: limits on businesses that use personal data to charge individual consumers higher prices. Boards and executives should read this as more than a narrow ban. Even if the final implementation focuses on certain pricing practices, the underlying compliance question expands: what counts as using personal data to determine consumer-specific pricing, what counts as “higher prices” in the legal sense, and how will companies document and justify their systems?

If you are a CFO, this is also a budgeting issue. Compliance programs typically require tooling for data classification, audit trails for data use, process updates for consent and transparency, and legal review cycles for pricing and personalization features. If the law eventually forces additional controls around pricing decisions informed by personal data, organizations may need to restructure how pricing experimentation and consumer targeting are performed. If the government later clarifies a narrow definition, it could reduce scope. If it clarifies broadly, it could raise the compliance burden.

And if you are a product or growth leader, there is a strategic urgency here. The legislation is introduced Monday, but the details are still missing, so the industry will have an incentive to wait for final guidance. Waiting can be rational, but it can also leave you behind if the timeline for compliance is shorter than expected, or if enforcement priorities begin before the market feels ready. For boards in privacy-heavy sectors like retail, fintech, telecom, travel, or ad-supported platforms, Bill C-36 is a reminder that privacy regulation is moving from abstract principles toward concrete outcomes tied to money in consumer pockets.