Quebec Law 25: What You Need to Know

Quebec’s Law 25, officially the Act to modernize legislative provisions as regards the protection of personal information, has transformed the province’s privacy landscape. Adopted in September 2021 and deployed in three phases (September 2022, September 2023, and September 2024), it has significantly strengthened the obligations of businesses that collect personal information from Quebec residents. Stricter than the federal PIPEDA on many points, Law 25 aligns Quebec with the highest international standards in data protection. This guide covers the essential obligations that every business operating in Quebec must understand.

Scope and Applicability

Law 25 amends two existing statutes: the Act respecting the protection of personal information in the private sector and the Act respecting access to documents held by public bodies. It applies to any business that collects, holds, uses, or discloses personal information of Quebec residents, whether or not the business is established in Quebec.

Extraterritorial reach. A business based in Toronto, New York, or Paris that offers products or services to Quebec consumers or collects their data is subject to Law 25. This extraterritorial reach aligns Quebec’s law closely with the European GDPR.

Interaction with PIPEDA. For intra-provincial commercial activities in Quebec, Law 25 replaces PIPEDA (Canada’s federal privacy law). However, PIPEDA continues to apply to interprovincial and international activities. Businesses operating both in Quebec and other provinces must comply with both regulatory frameworks. For a comprehensive understanding of federal obligations, read our complete PIPEDA guide.

Mandatory Privacy Officer

Since September 2022, every business subject to Law 25 must designate a person responsible for the protection of personal information (PRPI). By default, this responsibility falls on the person with the highest authority in the organization (CEO, president).

Delegation. The function may be delegated in writing to an employee or a third party. The identity and contact details of the PRPI must be published on the business’s website.

Role. The PRPI oversees the organization’s compliance, approves personal information protection practices, serves as the point of contact for complaints and access requests, and ensures legal obligations are met. This role is comparable to the DPO (Data Protection Officer) under the European GDPR.

Consent Requirements

Law 25 has significantly strengthened consent requirements compared to the previous regime.

Manifest, free, and informed consent. Consent must be given for specific purposes and requested separately for each purpose. Forms that bundle multiple purposes into a single checkbox are no longer compliant.

Separate consent for each purpose. If you collect information to process an order AND to send marketing newsletters, you must obtain two separate consents. Consent for the transaction does not constitute consent for marketing.

Consent for minors. For children under 14, consent must be given by the person with parental authority. For those aged 14 to 17, the minor’s own consent is sufficient, but it must meet the clarity and specificity requirements.

Prohibition on consent as a condition of service. You may not refuse a service or impose discriminatory conditions on a person who declines to consent to the collection of information not necessary for providing the service.

Privacy Policy and Transparency

Law 25 imposes precise requirements for privacy policies.

Mandatory content. Your policy must include:

  • Contact details of the person responsible for personal information protection
  • Types of personal information collected
  • Purposes of collection
  • Means of collection
  • Rights of data subjects and how to exercise them
  • Information about transfers of personal information outside Quebec
  • Retention and destruction policies and practices

Accessibility. The policy must be written in clear, simple language and published on the business’s website. The Commission d’accès à l’information du Québec (CAI) has emphasized that overly long policies written in legal jargon do not satisfy the clarity requirement.

Notice at time of collection. Beyond the general policy, you must provide a specific notice at the time of collection indicating the intended purposes, the means used, the person’s rights, and, where applicable, transfers outside Quebec.

Privacy Impact Assessments (PIAs)

Since September 2023, a privacy impact assessment (PIA) is mandatory before:

  • Any project to acquire, develop, or redesign an information system involving personal information
  • Any disclosure of personal information outside Quebec

The PIA must analyze privacy risks and propose mitigation measures. It does not need to be published but must be documented and available to the CAI on request.

Individual Rights

Law 25 grants individuals several fundamental rights:

Right of access. Any person may request access to the personal information you hold about them. You must respond within 30 days.

Right to rectification. Individuals can request the correction of inaccurate or incomplete information.

Right to de-indexation (right to be forgotten). When the dissemination of personal information contravenes the law or a court order, the individual may demand cessation of dissemination, de-indexation by a search engine, or removal of the link providing access to the information.

Right to portability. Since September 2024, individuals may request communication of their personal information in a structured, commonly used technological format, or its transfer to another organization.

Right to withdraw consent. Any person may withdraw consent at any time. The withdrawal takes effect going forward without affecting the legality of prior processing.

Mandatory Breach Reporting

Law 25 requires mandatory reporting of confidentiality incidents (unauthorized access to, use of, or disclosure of personal information, or loss of personal information).

To the CAI. You must report any incident presenting a risk of serious harm to affected individuals to the Commission d’accès à l’information du Québec.

To affected individuals. Notification must be prompt and include a description of the incident, the information involved, the steps the individual can take for protection, and the contact details of someone in your organization.

Incident register. You must maintain a register of all confidentiality incidents, even those that do not present a risk of serious harm. This register must be retained for at least five years.

Penalties and Enforcement

Law 25 introduced significant administrative monetary penalties (AMPs) and penal sanctions:

Administrative monetary penalties. The CAI can impose AMPs of up to CAD 10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. These penalties are imposed directly by the CAI without going through the courts.

Penal sanctions. Penal offences can result in fines of CAD 15,000 to CAD 25 million or 4% of worldwide turnover. These amounts align Law 25 with the penalty scale of the European GDPR.

Private right of action. Individuals can bring civil proceedings for damages resulting from a violation of Law 25. The court may award punitive damages of at least CAD 1,000 when the infringement is intentional or results from gross fault.

Transfers Outside Quebec

Law 25 strictly regulates transfers of personal information outside Quebec. Before any transfer, you must:

  • Conduct a privacy impact assessment
  • Ensure the destination jurisdiction offers adequately equivalent protection
  • Enter into a contractual agreement governing the transfer
  • Publish information about the transfer in your privacy policy

This approach is comparable to the Standard Contractual Clauses (SCCs) mechanism under the GDPR. For a detailed comparison with the European framework, see our article on PIPEDA vs GDPR.

Four Approaches to Law 25 Compliance

Hiring a specialized lawyer

Cost: CAD 5,000 to 15,000 for a comprehensive compliance program. Timeline: 4 to 8 weeks.

For businesses with complex data flows or international transfers, a Quebec privacy lawyer remains the most thorough option.

Using a generic AI tool

Apparent cost: $0. Real cost: the Law 25-specific gaps it will not cover.

Generic AI tools are not aware of Law 25’s specific requirements (PRPI, PIAs, portability, de-indexation) and produce policies that may satisfy PIPEDA but not Quebec law.

Copying a free template

Cost: $0. Risk: high.

Free templates are generally drafted for PIPEDA or the GDPR, not for Law 25. They omit Quebec-specific requirements.

Using a specialized generator

Cost: $19.90 to $49.90. Timeline: under 10 minutes.

A specialized generator that integrates Law 25 requirements produces privacy policies adapted to the Quebec framework, including mandatory PRPI mentions, portability rights, and de-indexation provisions.

Conclusion

Verify your Law 25 compliance with our free compliance scanner, which covers Canadian regulations.

Law 25 has placed Quebec at the forefront of personal information protection in North America. With penalties reaching CAD 25 million or 4% of global turnover, the consequences of non-compliance are potentially devastating. Designating a PRPI, updating your privacy policy, conducting PIAs, and establishing incident reporting procedures are no longer optional — they are legal obligations. Every day without compliance is a day of unnecessary exposure to regulatory risk.