For the past few years, "does Canada have an AI law?" had a simple answer: not yet, but one is coming. That law was the Artificial Intelligence and Data Act (AIDA), part of Bill C-27. Then Parliament was prorogued in January 2025 and the bill died on the order paper. AIDA never became law, and it is not coming back in that form.
That does not mean Canadian businesses are off the hook. It means the rules are arriving through a different door. Here is where things stand in mid-2026, in plain language, and what a small business using AI should actually do about it.
This is general information, not legal advice. For your specific situation, talk to a lawyer or privacy professional.
What AIDA was, and how it died
AIDA was Canada’s first attempt at a comprehensive federal AI law. It targeted "high-impact" AI systems: the final draft listed seven classes, including AI used in hiring and employment decisions, in deciding who gets access to services, in biometric identification, in health care, and in law enforcement. Businesses deploying those systems would have faced obligations around risk assessment, mitigation, transparency, and human oversight, with fines reaching $25 million or 5% of global revenue for the most serious offences.
It never got there. The criticism came from every direction at once. Industry argued the definitions were vague and the real rules were all deferred to future regulations nobody had seen. Civil-society groups argued it was too weak, exempted government and national-security uses, and placed the proposed AI and Data Commissioner inside the industry ministry instead of making it independent. After years in committee, the bill was still unfinished when Parliament was prorogued in January 2025. Bill C-27 died with the session, and the new government chose not to revive it.
What is replacing it
Instead of resurrecting AIDA, Ottawa changed approach:
- A Minister of AI. In May 2025, Canada appointed Evan Solomon as its first Minister of Artificial Intelligence and Digital Innovation.
- A national AI strategy. An AI Strategy Task Force ran a national consultation with more than 11,000 participants, and the federal budget made AI a central pillar of economic strategy, including investments in sovereign compute.
- A successor law. Minister Solomon has said new AI legislation is coming, and that it will not be a repeat of AIDA but its own regulatory initiative. The signal so far points to something lighter on broad obligations and heavier on adoption, with safeguards focused where AI decisions genuinely affect people.
For an SMB, the takeaway is simple: the era of waiting for one big federal AI law is over. What you get instead is a patchwork that is already in force.
No AI law does not mean no rules
If your business uses AI today, you are already regulated. The rules just come from laws that do not have "AI" in their name:
| If you use AI to... | The rules that already apply |
|---|---|
| Handle customer data (emails, CRM, documents) | Federal privacy law (PIPEDA) and provincial laws like Quebec's Law 25 |
| Make decisions about people (screening, credit, pricing) | Law 25's automated-decision provisions, human-rights and anti-discrimination law |
| Generate public-facing content | Consumer-protection and advertising rules; you own what your AI publishes |
| Operate in a regulated sector (finance, health, insurance) | Sector regulators' AI guidance, such as OSFI's for financial institutions |
Province by province: who is regulating what
The provinces are not waiting for Ottawa either. Where your customers are determines which rules you answer to:
| Province | Where things stand |
|---|---|
| Quebec | Law 25 is the strictest privacy regime in the country and already regulates automated decisions about individuals (see our full guide to AI and Law 25) |
| Ontario | Legislated AI use in the public sector (Enhancing Digital Security and Trust Act, 2024); in January 2026, regulators published joint AI governance principles |
| British Columbia | Published a generative AI policy and a Digital Code of Practice for the public sector |
| Alberta | The Privacy Commissioner formally recommended dedicated AI legislation in August 2025 |
| Saskatchewan | Released generative AI guidelines for the public sector |
Ontario’s January 2026 guidance, published jointly by its privacy commissioner and human rights commission, distills where all of this is heading. Its six principles: AI systems must be valid and reliable, safe, privacy-protective, human rights affirming, transparent, and accountable. Those six expectations are a reliable preview of what the federal law will ask of you.
The federal rules that already exist
Two federal instruments matter today, even without a law:
- The voluntary Code of Conduct on generative AI. Launched in September 2023, it commits signatories (including Cohere, BlackBerry, OpenText, and Telus) to six things: accountability, safety, fairness and equity, transparency, human oversight, and validity and robustness. It is voluntary, but it is the clearest statement of what Ottawa considers responsible AI, and aligning with it now is the cheapest way to be ready for whatever the successor law requires.
- The Directive on Automated Decision-Making. It binds only federal institutions, which must run an algorithmic impact assessment before deploying any system that automates decisions about people. Here is why an SMB should care: if you sell to the federal government and your product or service uses AI to make or support decisions, your buyer inherits those obligations and will pass the questions down to you. Being able to answer them is quietly becoming a procurement advantage.
How Canada compares to the EU and the US
If you sell beyond Canada, the contrast matters:
- The EU has the strictest regime in the world. The EU AI Act is in force and phasing in through 2027, with risk-based obligations and fines reaching 7% of global revenue. It applies to any business whose AI output is used in the EU, Canadian companies included.
- The US has no federal AI law and is pulling in the other direction: a June 2026 congressional draft proposes pausing state laws on how AI models are built for three years in favour of a single national framework, while states would keep the power to regulate how AI is used.
- Canada is landing in the middle: adoption-first, with safeguards concentrated where AI decisions affect people, and existing privacy law doing the heavy lifting until the successor arrives.
The practical consequence: if you comply with Law 25 and follow the voluntary code’s six commitments, you are most of the way to whatever Canada legislates, and well positioned for EU-facing work.
What an SMB should do now
You do not need a compliance department. You need a short list of habits that cost little now and save a lot when the successor law lands:
- Inventory your AI. List every tool your team uses, what data goes into it, and what decisions it touches. Most businesses cannot answer this today, and it is the first question any regulator will ask.
- Minimize what you share. Send AI tools the minimum personal information the task needs. This is already a Law 25 and PIPEDA expectation, not a future one.
- Keep a human on consequential decisions. If AI screens, ranks, approves, or rejects people, make sure a human reviews the outcome and you can explain it.
- Vet your vendors. Know where each AI provider processes data, whether your data trains their models, and what their security posture is.
- Say what you do. State in your privacy policy that you use AI, for what, and whether any decisions are automated.
Every framework on the table, federal or provincial, converges on these same points. Doing them now means the next law is an update, not an emergency.
Not sure where you stand? Our free AI compliance checker walks you through 15 questions and gives you a readiness score and a prioritized action list in five minutes.
How the right platform helps
A patchwork of rules is hardest to follow when your AI usage is itself a patchwork: a dozen subscriptions, each with its own data practices, and no record of who used what. A single platform shrinks the problem:
- Your conversations and content are never used to train AI models (see Security and privacy), which answers the vendor question for every model you use through Crewdle.
- Crewdle Admin gives you roles, permissions, and a live view of usage, so your AI inventory is a dashboard, not an archaeology project.
- Agents log what they do, so when a rule asks "can you explain what your AI did?", the answer is yes.
None of this replaces legal advice, but it turns the hard part of compliance, knowing and controlling what your AI actually does, into something you can see on one screen.
The takeaway
AIDA's death was not deregulation. Canada traded one big future law for a set of rules that already apply, with a successor law on the way that will reward businesses that kept their AI use deliberate and documented. Start the inventory, trim the data you share, keep humans on the decisions that matter, and pick tools that can show their work.
Start for free and see how Crewdle keeps your AI use visible and under control.
Ask about this article 
