CPPA is coming for your privacy policy. And that’s a good thing.


How Canada’s next privacy law will test your story, not just your systems.

Most Canadian companies treat their privacy policy like a fire extinguisher.

Required. Dusty. Hidden in a corner.

Canada is working on a new private‑sector privacy law, often called the Consumer Privacy Protection Act (CPPA), to replace PIPEDA. A successor bill is expected in 2026, and because of how long passage and implementation take, new obligations likely will not fully bite before 2027. That sounds distant. It isn’t.

This is not a legal post. It is a leadership post. I work with leaders who already know their reputation lives or dies on how they show up in the moments that matter, including when someone hands over their data. CPPA is one of those moments.

What CPPA really is, in human terms

You do not need to read every clause. In real life, CPPA is about three things:

  • Giving people more control and clarity over how their data is used.

  • Forcing organizations to be honest and specific about their data practices.

  • Backing it up with real enforcement when they are not.

Canada has not done a major reset of private‑sector privacy rules in about 20 years. In that time, you added cloud tools, platforms, and AI. Your privacy policy probably did not evolve with them. This new law asks a blunt question: “Does what you say about data match what you actually do?”

That is a story problem.

The gap between story and reality

On paper, privacy rules all sound the same. The real risk is the gap between the story in your policy and the reality in your systems.

Most policies today:

  • Started as a template, maybe even lifted from a competitor.

  • Were lightly touched by legal, or these days maybe by an LLM.

  • Got buried in the footer.

Meanwhile, your data now moves through CRMs, marketing stacks, support platforms, and vendors you barely remember signing with.

That gap is where trust leaks out. It is the moment a customer realizes, “What you told me and what you did are not the same.” In an environment already thick with misinformation and outrage, that gap invites a narrative you do not control.

CPPA turns that gap into a bright red flag.

From legal checkbox to public promise

Done well, your privacy policy becomes more than a compliance document. It becomes a public promise about how you treat people’s data.

That promise should:

  • Explain, in plain language, what you collect and why.

  • Show that your tools and workflows match those words.

  • Make a reasonable person feel comfortable hitting “Submit.”

This is the same work we do with leaders on any reputational issue: align what you say with what you actually do, then say it clearly and consistently. The difference here is that CPPA will make that alignment visible.


Where “privacy by design” fits

Long before CPPA, Ontario’s Ann Cavoukian developed a framework called “privacy by design.” The idea: privacy should be built into systems from the start, not bolted on later to satisfy a law.

Privacy by design says:

  • Be proactive, not reactive.

  • Make privacy the default, not an obscure settings page.

  • Embed privacy into your technology, processes, and culture, not just into your legal copy.

It is now referenced globally and woven into major regimes like Europe’s GDPR. Organizations that adopt it see privacy as a competitive advantage. People reward that: surveys show large majorities will walk away from companies that share their data in ways they did not agree to.

What good practice looks like

The organizations that get this right tend to:

  • Map their critical data journeys (a lead form, a customer portal, a support ticket) and document what is collected, where it goes, and who touches it.

  • Involve product, IT, legal, marketing, and operations instead of isolating privacy in a legal silo.

  • Rewrite privacy copy in normal language, so a non‑lawyer can read it and feel respected.

  • Treat every form field as a trust decision: “Do we really need this, and can we explain why?”

Behind the scenes, there is usually a guided process: someone who understands both systems and audience trust leads structured conversations, asks uncomfortable questions, and turns technical reality into human‑readable promises. That is privacy by design in practice.

It is also the same pattern we use at Sociallogical in other contexts: clarify the outcome, surface the reality, and build a narrative people can believe.

Why now, not “when the law passes”

Some leaders plan to wait for a date. Three problems with that:

  • Change takes time. Mapping data, updating consent flows, and aligning your story with your stack is not a two‑week scramble.

  • Trust is already shifting. Customers and partners watch how you talk about data now, not in 2027.

  • The bar is moving without you. Regulators, platforms, and peers are already tightening expectations.

By the time CPPA is in force, the organizations that started early will use their privacy story as a strategic asset. The rest will be reacting to someone else’s narrative.

So here is the real question CPPA puts in front of leaders:

Is your privacy policy written mostly to protect you, or to be honest with the people who trust you with their information?

Jeff Roach

Founder and Chief Strategist at Sociallogical
Jeff has spent over 25 years helping leaders make confident decisions in an increasingly complex communications landscape. As founder of Sociallogical, he developed The Sociallogical Method - a proven approach that transforms how organizations engage with their audiences.

https://jeffroach.ca