
The privacy work comes first.

The #1 question owners ask about AI isn't "what can it do?" — it's "what happens to my customer data?" Fair question. 88% of Canadians are concerned about their personal information being used to train AI, and 41% have already walked away from a business after a privacy breach. Here is exactly how we handle it — and the six questions you should ask any AI vendor, including us.

All advice vetted by a human — always. Legal advice vetted by your lawyer — always.

88% of Canadians are concerned about their personal information being used to train AI systems. (Privacy Commissioner of Canada survey research, 2025)

$6.98M: average cost of a Canadian data breach — and unapproved "shadow AI" use by staff adds about $308,000 more. (IBM Cost of a Data Breach, Canadian figures, 2025)

41% of Canadians have stopped doing business with a company after a privacy breach. Privacy done right is a sales advantage. (Privacy Commissioner of Canada, 2025)

What we promise on every engagement

No tool touches your data until the privacy work is done

Chatbots answer questions, agents do work — and neither one reads a single customer record until we've mapped your data, checked consent, and scored the vendor. The AI sees less than a new hire on day one.

No-training, in writing

On every tool we deploy — business and enterprise tiers only — not training on your data is the contractual default, published on the vendor's own legal pages. We give you the links. Free consumer tools don't make that promise, which is why your business data never goes in them.

Your data can stay in Canada

Canada-resident AI exists today — stacks where your data is stored and processed here, including a Toronto-built option backed by federal sovereign-compute funding. We'll tell you honestly which tools qualify, which only store here, and which have no Canadian story at all.

A human approves every output

Air Canada was held liable when its chatbot misrepresented a refund policy — the tribunal rejected the argument that the chatbot was "a separate legal entity." Your AI's words are your words. That's why nothing reaches your customers unchecked, ever.

The rules, in plain English

Current to June 11, 2026 — we re-verify these claims against primary sources before every engagement.

PIPEDA (every business)

Canada's federal privacy law covers your customer data. Re-using data for a new purpose — like feeding an AI tool — needs consent or careful design; you stay accountable for data you hand to any vendor; and knowingly hiding a serious breach is a federal offence with fines up to $100,000. In May 2026, Canada's privacy regulators ruled ChatGPT's original training violated this law — tool choice and contract terms are not paperwork, they're the defence.

PHIPA (clinics)

Ontario's health privacy regulator issued Canada's first-ever privacy fines in 2025 against a small clinic ($7,500 to the clinic, $5,000 to the physician), and it can fine up to $500,000 without going to court. It has also published exactly how to deploy AI scribes properly (January 2026). The roadmap exists; we build to it. Pasting patient notes into free ChatGPT is not on it.

Hiring & staff rules (Ontario)

Since January 1, 2026, employers with 25+ Ontario employees must disclose AI use in screening on every public job posting — even when a recruiting firm runs the AI. And any tool that monitors staff belongs in your written electronic-monitoring policy before it's switched on. We wire both into every build.

CASL (marketing & outreach)

Canada's anti-spam law is the most actively enforced law in this space — penalties run to $10 million per violation and regulators fine main-street businesses continuously, from realtors to home-services firms. Any outreach agent we build checks consent before every send, honours unsubscribes automatically, and logs everything. "The AI sent it" is not a defence — so we design like it.

What's coming from Ottawa — and why our clients are ready first

Most AI consultants are selling yesterday's law. Here is the current state of play, tracked weekly:

Tracked live — June 11, 2026: As this page was updated, Parliament's public safety committee (SECU, Meeting No. 43) was sitting until midnight on Bill C-22's clause-by-clause review — an eight-hour session consistent with the government's push to pass the bill by June 19. Official meeting record (ParlVu).

| Development | Status (June 11, 2026) | What it means for you |
| --- | --- | --- |
| "AI for All" — Canada's national AI strategy | Launched by the Prime Minister in Toronto, June 4, 2026 | Ottawa commits to modernized privacy legislation, deepfake and "surveillance pricing" protections, and a push to lift small-business AI adoption from ~12% to 60% by 2034 — adoption help is coming, and so are rules. |
| A new federal privacy bill | Publicly promised and reported imminent — expected before Parliament's summer recess | Reported to carry fines up to $25M or 5% of global revenue — CPPA-scale teeth replacing today's modest PIPEDA penalties. Build to PIPEDA now and you're already ahead when it lands. |
| Bill C-34 — Safe Social Media Act | Introduced June 10, 2026 — yesterday, as of this page's date | The first federal bill to directly regulate AI chatbots, plus a new Digital Safety Commission. Aimed at platforms — but it signals where chatbot accountability is heading for everyone. |
| Bill C-16 — deepfake protections | At report stage in the House | Criminalizes non-consensual sexualized deepfakes; part of a sectoral approach replacing the dead AIDA bill. |
| Bill C-22 — Lawful Access Act | In committee clause-by-clause now; government pushing for passage by June 19, 2026 | Not an AI bill — and often confused with the coming privacy bill, which it isn't. It's the surveillance side of the ledger: telecom providers could be required to retain communications metadata for up to a year, and some encrypted services (Signal, major VPNs) have warned they would exit Canada rather than comply. If your business depends on encrypted tools, this is the one to watch this month. |
| PIPEDA data-mobility amendment (Bill C-15) | Royal assent March 26, 2026; awaiting regulations | A new right for individuals to move their data between organizations — the open-banking enabler. Quietly, PIPEDA is already changing. |

One tell that a consultant is behind: anyone still selling "AIDA compliance" or "C-27 readiness" is working from 2024 notes — that bill died in January 2025 and the federal government has confirmed it will not be revived. The replacement is the sectoral wave above. We track it so you don't have to.

Three true stories we tell every client

The clinic that paid Canada's first privacy fine

2025: a physician ran 146 searches in a shared hospital records system to find parents of newborn boys; his clinic contacted 91 families to sell a paid procedure. $5,000 + $7,500 in penalties — the first ever issued by a Canadian privacy commissioner, and they landed on a small business.

Samsung and the paste that couldn't be unpasted

Weeks after Samsung allowed ChatGPT at work in 2023, engineers leaked confidential data into it three times in twenty days — including secret source code. Samsung banned the tools within a month. The fix isn't trust — it's an approved-tools list, business accounts, and an hour of training.

The chatbot that cost Air Canada more than the fare

Air Canada's chatbot misrepresented the bereavement-fare policy. The airline argued the bot was "a separate legal entity responsible for its own actions." The tribunal disagreed and made them pay. Small award — permanent lesson: your AI's words are your words.

The six questions to ask any AI vendor — including us

Take this list to every vendor. Anyone who can't answer all six in plain English hasn't earned your customer list. We answer them in writing, in the proposal.

  1. What exactly does the system do without a human approving it?
  2. Is my data used to train your models — and where is that promise written?
  3. Where is my data stored and processed — is a Canadian option available?
  4. What is your retention period, and what happens when I ask you to delete?
  5. Who are your sub-processors, and will you sign a data-processing agreement?
  6. What happens — step by step — if you have a breach involving my data?

How we build it: the Privacy-Safe AI Method

Seven steps, on every engagement — and Ontario's DMAP grant can cover up to half of the adoption plan that includes this work:

  1. Map the data. What personal information exists, where it lives, how sensitive.
  2. Check the consent. Was it collected for what the AI will do? If not, we redesign — or the data stays out.
  3. Score the vendor. Business tier, no-training terms, residency, certifications, retention — against a written checklist.
  4. Route by sensitivity. Sensitive data goes to Canada-resident tools; nothing touches a consumer tier, ever.
  5. Put a human in front of every output. Named approver, every customer-facing draft.
  6. Set the policies, train the team. Approved-tools list, AI-use policy, monitoring and hiring disclosures — plus the hour of training that prevents the $308,000 mistake.
  7. Leave a breach plan. Who calls whom, the assessment template, the register — set up before you ever need it.

Start with the free 6-minute Snapshot  Ask a privacy question

Your Snapshot answers are read by a human — David — and are never used to train AI.

The fine print, in plain sight: Premier Business Strategies is a business strategy consultancy, not a law firm, and nothing on this page is legal advice. Statements of law are current to June 11, 2026 and reflect publicly available information. Anything with legal effect — policies, consent language, contracts, breach response — should be reviewed by your own lawyer before use. We'll gladly work alongside them.

Questions owners actually ask

Will my business data be used to train AI models?

Not if it's set up properly. On business and enterprise tiers — ChatGPT Business/Enterprise, Microsoft 365 Copilot, Google Workspace Gemini, Claude for Work, and the major APIs — not training on your data is the contractual default, stated on each vendor's own legal pages. Free consumer tools are different: several use your chats for training by default. That's why we deploy business tiers only and give you the links to the written commitments.

Does my data have to leave Canada to use AI?

No. As of June 2026, Canada-resident options exist where data is stored and processed in Canada: Microsoft Azure's Canadian regions, Google's Montreal region, AWS's Canadian region, and Cohere — a Toronto company with federally backed Canadian data centres. Some popular tools store data in Canada but still process it abroad (Microsoft 365 Copilot's in-Canada processing arrives in 2027), and we'll tell you honestly which is which. Canadian regulators don't prohibit US-based cloud tools — they require contracts and transparency, which we set up — but for genuinely sensitive data like patient files, we use the Canada-resident tier.

Is it legal for my clinic to use AI tools like ChatGPT on patient information?

Pasting identifiable patient notes into free consumer ChatGPT is not defensible under Ontario's health privacy law (PHIPA) — the regulator has already treated an unapproved AI notetaker in a health setting as a reportable breach, and it issued Canada's first privacy fines against a small clinic in 2025. But compliant AI in clinics is absolutely achievable: Ontario's privacy regulator published dedicated AI-scribe guidance in January 2026, and we build to it — written vendor agreements, health-grade tools with no-training commitments, patient notice, and a breach plan.

What is Ontario's new AI hiring disclosure rule?

Since January 1, 2026, Ontario employers with 25 or more employees must include a statement in every publicly advertised job posting disclosing whether they use artificial intelligence to screen, assess or select applicants — and the duty applies even when a third-party recruiter runs the AI. Postings must be kept for three years. It's part of the Employment Standards Act job-posting package that also requires pay ranges and vacancy statements.

What new AI laws are coming in Canada?

As of June 11, 2026: the federal government launched its national AI strategy 'AI for All' on June 4, 2026, committing to modernized privacy legislation with protections against deepfakes and surveillance pricing; a new federal privacy bill with penalties reported up to $25M or 5% of global revenue is expected imminently; Bill C-34 (introduced June 10, 2026) would regulate AI chatbots and create a Digital Safety Commission; and Bill C-16 on deepfakes is advancing. The old AIDA bill died in January 2025 and will not be revived. We track all of this weekly so our clients are ready before the rules land.