AI and Privacy: Navigating Risks and Opportunities in Retail

Artificial intelligence is fast becoming a priority for Canadian retailers, but the enthusiasm around new technologies is colliding with serious challenges around data privacy, governance, and regulatory compliance. In the absence of comprehensive legislation in Canada and the United States, experts warn that companies need to proceed carefully if they are to protect consumer trust and safeguard their long-term operations.

Vancouver-based privacy consultant and lawyer Ritchie Po, who advises organizations on ethical AI and technology practices, says that CEOs are increasingly pushing their teams to adopt AI solutions, sometimes at the expense of due diligence. “There is pressure from the top to implement AI into systems quickly, but that can mean the due diligence may be overlooked,” he said. “Without proper preparation, you risk building systems that will not stand the test of time.”

Retailers in North America face a fragmented and incomplete policy and regulatory environment. Unlike Europe, which passed the EU AI Act in 2024, there is no equivalent comprehensive framework in Canada, and only two American states, Colorado and Utah, have enacted AI-specific regulations. California’s Bot Disclosure Law addresses only a narrow slice of the issue.

Canada’s own attempt at comprehensive legislation collapsed with the failure of Bill C-27, leaving the country without a formal AI Act. Instead, businesses must turn to voluntary guidelines such as the Digital Governance Council of Canada’s ethical AI usage standard, which provides a framework but no enforceable requirements.

“This is the wild west in terms of governance,” Po said. “There are some helpful resources, but without clear laws, much of the responsibility falls on retailers themselves.”

Privacy Laws as a Foundation

Despite the regulatory gaps, Po emphasizes that privacy laws still form the bedrock of AI compliance. “At its core, AI is about personal information—how you collect it, use it, disclose it, and store it,” he said. That means organizations must ensure they have consent, avoid “scope creep” in data usage, retain only the necessary data, and anonymize personal information where necessary.

Canada’s PIPEDA legislation governs the federal private sector, while Quebec’s Law 25 aligns more closely with Europe’s General Data Protection Regulation (GDPR). Meanwhile, American retailers contend with the California Consumer Privacy Act (CCPA) and a growing patchwork of state-level privacy laws that have strikingly similar requirements.

For global retailers, the picture is even more complex. Markets such as Japan, Indonesia, Australia, and the Philippines have comprehensive frameworks, with South Korea leading in future-proofing requirements. Big data companies like Samsung and LG are subject to additional data protection obligations due to the sheer scale of personal data they handle.

Due Diligence Before AI Adoption

Po stresses that retailers need to carry out a full due diligence cycle before deploying AI systems. This includes a thorough review of how personal data is processed, a clear understanding of consent and revocation, and the implementation of a privacy management program.

“Before you introduce AI, you should already have a privacy impact assessment for high-risk systems, cyber liability insurance, and a strategy that embeds Privacy by Design principles,” he explained. Cross-border compliance is also key, since customers in different jurisdictions may have additional privacy rights that companies must respect.

Retailers often overlook the contractual dimension of AI adoption, according to Po. “It’s not enough to sign up for a free version of an AI tool,” he said. “You need robust service agreements that ensure the vendor has data privacy protection and organizational IT security measures in place, and complies with applicable laws and security best practices.”

Such agreements should cover everything from how data is stored to how an organization responds meaningfully in the event of a breach. Without them, retailers risk liability for lapses that occur within third-party systems.

Building AI Governance Into Retail Experiences

Po recommends that retailers develop both internal and external policies to guide AI use. Internally, ethical AI usage policies should govern how employees handle personal data in AI systems. Externally, companies may need to expand their privacy policies or introduce standalone AI policies for customers.

The consumer experience is also part of the equation. “When you integrate AI into your retail journey, customers need to understand what they are agreeing to,” Po said. “If AI enhances their experience while still protecting their privacy, you strengthen brand loyalty. But if you erode their trust by misusing their data or not having strong security and incident response, you could lose them permanently.”

The Evolving Commerce Landscape

These issues come into sharp focus as AI begins to play a more direct role in retail transactions. OpenAI’s new “Instant Checkout” feature, developed in partnership with Etsy and Shopify, allows U.S. users to purchase products directly within ChatGPT. Built on the Agentic Commerce Protocol and powered by Stripe, the feature removes friction from the retail process by keeping consumers inside the chat interface.

The move signals a broader shift toward conversational commerce, where shopping takes place within AI-driven interactions rather than through search engines or dedicated e-commerce platforms. Stocks for Shopify and Etsy surged after the announcement, reflecting investor confidence in this new channel.

For retailers, however, the integration of AI into customer-facing transactions raises the stakes for privacy and compliance. “If AI is directly processing purchases, the need for strong governance is even more urgent,” Po said. “Retailers must ensure that these systems meet privacy obligations across multiple jurisdictions. Without implementing cross-border legislative compliance, you’ll never expand into new markets with stringent privacy requirements and laws.”

The Business Case for Privacy-Respecting AI

Po’s ultimate message for retailers is clear: privacy and innovation are not at odds. “If you build out robust AI functionalities that respect privacy, you can build consumer trust and loyalty,” he said. “In a competitive marketplace, that can be the deciding factor.”

He argues that privacy-first AI can even enhance the customer experience. By creating secure, transparent, and ethical systems, retailers can position themselves as leaders in a landscape that remains uncertain but full of opportunity.

“In this economy, consumers want to know that their data is safe,” Po said. “If you can give them that assurance, you’re not just protecting yourself legally—you’re investing in long-term customer relationships. That’s how you create a legacy clientele.”

Craig Patterson
Located in Toronto, Craig is the Publisher & CEO of Retail Insider Media Ltd. He is also a retail analyst and consultant, Advisor at the University of Alberta School Centre for Cities and Communities in Edmonton, former lawyer and a public speaker. He has studied the Canadian retail landscape for over 25 years and he holds Bachelor of Commerce and Bachelor of Laws Degrees.
