
Quebec Law 25: What Every Business Needs to Know

CanCertify Team · Feb 3, 2026 · 8 min read

Quebec's Act to modernize legislative provisions as regards the protection of personal information, commonly known as Law 25 (formerly Bill 64), represents the most significant privacy law reform in Canadian history. Phased in over three years starting September 2022, Law 25 has been fully in force since September 2024 — and it is substantially stricter than PIPEDA. If your business has even a single customer, employee, or data subject in Quebec, compliance is not optional.

How Law 25 Differs from PIPEDA

While PIPEDA relies primarily on complaint-driven enforcement, Law 25 introduces proactive obligations and serious financial penalties. Key differences include:

  • Administrative monetary penalties (AMPs) of up to $10 million or 2% of worldwide turnover — whichever is greater. PIPEDA currently lacks comparable penalty provisions.
  • Mandatory privacy impact assessments (PIAs) for any project involving the acquisition, development, or redesign of an information system or electronic service that handles personal information.
  • Mandatory designation of a privacy officer. Under Law 25, the person with the highest authority in the organization is the privacy officer by default; that person may formally delegate the role in writing, but someone must hold it.
  • Consent requirements are stricter. Consent must be obtained separately for each purpose, must be given in clear and simple language, and cannot be bundled into general terms and conditions.

Who Must Comply

Law 25 applies to any organization that collects, holds, uses, or communicates personal information in Quebec — regardless of where the organization is headquartered. This means a Toronto-based SaaS company with Quebec customers must comply with Law 25 for those individuals' data. The law covers the private sector (through amendments to the Act respecting the protection of personal information in the private sector) and the public sector alike.

Core Compliance Requirements

The provisions that came into full force in September 2024 include:

  1. Privacy governance policies. You must establish and publish policies and practices governing the protection of personal information, and make them available on your website in clear language.
  2. Transparency about automated decision-making. If you use automated systems to make decisions about individuals, you must inform them that such technology is being used and provide a mechanism for them to understand and contest the decision.
  3. Right to data portability. Individuals have the right to request their personal information in a structured, commonly used format, enabling them to transfer it to another organization.
  4. Right to de-indexing. Individuals can request that you cease disseminating their personal information or that hyperlinks attached to their name be de-indexed, when the dissemination contravenes the law or a court order.
  5. Cross-border transfer assessments. Before transferring personal information outside Quebec, you must conduct a privacy impact assessment evaluating whether the destination jurisdiction offers adequate protection.

Practical Steps for Compliance

If your organization is still catching up with Law 25, here is a prioritized action plan:

  • Appoint or formally delegate a privacy officer and publish their title and contact information on your website.
  • Conduct a comprehensive data mapping exercise for all personal information that touches Quebec residents.
  • Review and update your consent mechanisms. Each distinct purpose for data use needs its own clear, separate consent.
  • Draft and publish your privacy governance policies in both English and French.
  • Implement a process for handling data portability and de-indexing requests within the prescribed timelines.
  • Assess all cross-border data transfers and document your findings in formal privacy impact assessments.

Enforcement Reality

The Commission d'accès à l'information du Québec (CAI) is the enforcement body and has been actively investigating complaints since the law took full effect. The CAI has the power to conduct inspections without prior notice, issue orders, and impose substantial fines. Early enforcement actions have focused on organizations that failed to appoint a privacy officer or publish adequate policies — the low-hanging fruit of non-compliance.

Key Takeaways

  • Law 25 is the strictest privacy law in Canada and applies to any organization that handles personal information of Quebec residents.
  • Penalties of up to $10 million or 2% of worldwide turnover make non-compliance a serious business risk.
  • Privacy impact assessments, a designated privacy officer, and separate purpose-specific consent are all mandatory.
  • New rights including data portability and de-indexing go beyond what PIPEDA requires.
  • Start by mapping your Quebec data footprint and appointing a privacy officer — the CAI is enforcing these first.
