Quebec Law 25 Explained: Key Compliance Steps for Businesses

Quebec Law 25 represents a complete overhaul of Quebec’s privacy regime, bringing it in line with global standards like the EU GDPR. In practical terms, this means stronger consent rules, expanded individual rights, and tougher duties on businesses. The law is enforced by Quebec’s privacy regulator, officially known as the Commission d’accès à l’information du Québec (Commission for Access to Information of Quebec). This body oversees compliance, manages complaints, and has the authority to investigate breaches and impose penalties. The key provisions of Quebec Law 25 were rolled out in phases over three years, with many requirements in effect by fall 2023. This guide breaks down Law 25 (sometimes informally called the Quebec data privacy law) in plain language and highlights what your organization must do to comply. We’ll cover the law’s scope, the main obligations (privacy officer, policies, PIAs, breach notifications, consent, etc.), the implementation timeline, comparisons with GDPR, and a handy compliance checklist.
Law 25 is Quebec’s new data privacy law for the private and public sectors. It was enacted as an Act to modernize legislative provisions regarding personal information. Introduced in the legislature as Projet de loi 64 (often referred to by its French short title, Loi 25), it was adopted on September 22, 2021 and rolled out over a three-year transition period. In short, Law 25 drastically updates and strengthens Quebec’s privacy rules, with the goal of aligning them with modern privacy standards.
Under Law 25, individuals in Quebec get enhanced rights and businesses face stricter obligations. For example, Law 25 introduces explicit consent requirements, clearer privacy notices, and new breach notification duties. It also creates a new enforcement regime (with the power to levy significant fines) and even grants citizens a private right of action against violators. Law 25 brings principles like privacy by design and data minimization into everyday practice. If you already know GDPR, you’ll recognize many similar concepts, but Law 25 is Quebec’s own version of a robust data protection law.
The law applies very broadly. Any organization, including businesses and non-profits, that collects, processes, uses, or discloses the personal information of Quebec residents must comply. This is true regardless of the organization’s size, revenue, or even location. Government bodies and purely federal operations have separate rules, but for most businesses, Law 25 will apply. (As a quick note, Law 25 is sometimes confused with Quebec’s Bill 25, but they are different: Bill 25 Quebec was unrelated provincial legislation.)
Quebec Law 25 imposes a range of new tasks on covered organizations. In practice, this means you will need to update your privacy program in many ways. Below are the main compliance requirements you should address:
Law 25 requires each organization to have a dedicated person in charge of privacy. Technically, if you don’t explicitly appoint someone, the role defaults to your highest-ranking official (for example, the CEO). However, most companies choose to proactively appoint a privacy officer. This person, who can be an internal employee or an external consultant, oversees Law 25 compliance.
If the privacy officer isn’t the CEO, Law 25 requires the organization to publish that individual’s name, title, and contact information on its website. In short: make sure someone is responsible. Many businesses fulfill this requirement by hiring an outsourced DPO services provider or a dedicated privacy consultant to fill the role professionally.
Law 25 mandates that businesses publish a comprehensive privacy policy explaining how they handle personal data. This policy should include the policy’s purpose, scope, and the types of personal information collected and used.
It should also describe your security measures (for example, encryption and access controls) and third-party data sharing practices. Most importantly, the policy must be written in clear, simple language. You need to keep it current and make it easily accessible (for instance, prominently on your website). This means reviewing and updating your privacy policy whenever you introduce new data uses or technologies, and ensuring it reflects all of Law 25’s requirements (for example, including details on the Privacy Officer’s contact and on retention periods).
Privacy by design is baked into Law 25. The law requires any product or service offered to the public to use the highest privacy settings by default, so that an organization does not collect unnecessary personal data unless the user opts in. This “confidentiality by default” rule means you cannot have tracking or profiling features turned on by default in your apps, websites, or devices.
Law 25 introduces a formal requirement to perform Privacy Impact Assessments (PIAs) in certain situations. A PIA is a process for analyzing how a project or system affects individual privacy and how to mitigate risks. Under Law 25, you must conduct a PIA when you undertake activities like acquiring, developing, or overhauling a system that handles personal data. It’s definitely required if personal data will be transferred outside Quebec, if you implement high-risk technologies (AI, biometrics, etc.), or when you use data for new purposes. During a PIA, you document things like the sensitivity of the data, how it will be used, and what safeguards will be applied.
Law 25 tightens the rules on data breach reporting. If your organization suffers a security incident involving personal data that creates a “risk of serious injury” to individuals, you must notify Quebec’s privacy regulator (the Commission d’accès à l’information) and the affected individuals as soon as possible.
Quebec has always been a consent-based jurisdiction, but Law 25 raises the bar. From now on, consent must be informed, specific, and explicit for each purpose of data use. You can’t bury a broad consent statement in fine print. The request for consent must stand out on its own.
Sensitive personal information requires an explicit opt-in. For example, if you collect health or biometric data, you must ask for clear permission in distinct steps. Moreover, parental consent is now required before collecting data from minors under 14.
Law 25 grants Quebec residents a suite of data rights similar to those in GDPR. Effective September 2023, individuals gained the right to be informed, access their personal information, request corrections, and ask for data to be erased. They can also withdraw consent or restrict the processing of their data. A new right to data portability comes into force in September 2024, allowing people to obtain a copy of their data in a common format. In practice, your organization must have processes to handle these requests quickly (by law, typically within 30 days) and completely.
Law 25 specifically addresses automated decisions and profiling. If your business makes decisions about individuals using automated processing alone, you must inform the affected people that an automated system was used. Likewise, if your apps or services use technologies that identify, track, or profile users, you need to disclose this and explain how users can disable those functions.
Law 25 was designed with a transition period to give businesses time to adapt. The compliance timeline (often referred to by stages) looks roughly like this:
If your company already complies with the GDPR, you’ll find many familiar elements in Law 25. Both laws emphasize privacy by design, broad data subject rights, accountability, and strict consent standards. Penalties are similarly steep. Quebec Law 25 allows fines up to 4% of global turnover (or CA$25 million), just like the GDPR’s maximum.
There are also key differences. For example, GDPR requires a Data Protection Officer for many organizations, whereas Law 25 makes the Privacy Officer role optional (defaulting to senior management if left vacant). Law 25 uniquely grants individuals a private right of action, meaning Quebecers can sue companies over privacy breaches (a remedy not available under GDPR). The age of consent differs too: Law 25 sets it at 14 years, while GDPR generally uses 16. And because Law 25 is provincial, it has some specific context (for instance, it works alongside Quebec’s Charter of the French Language, requiring French policies for Quebec residents).
If you use the same staff, tools, and processes for GDPR compliance, you’ll have a head start. But you may need to adjust some details. (For example, you might want to document the differences as part of your GDPR compliance services if you serve both the EU and Quebec markets.) Overall, think of Law 25 as “GDPR-lite” tailored to Quebec – many core principles align, but with a Quebec twist.
Non-compliance with Law 25 carries serious consequences. Quebec’s privacy regulator can impose administrative fines ranging up to CA$25 million or 4% of worldwide revenue, whichever is greater. Even individuals within a company can be personally fined (from $5,000 up to $50,000 CAD) for violating obligations. Beyond fines, remember that citizens can take civil action: an individual who suffers harm from a privacy breach can sue the organization for damages (with a minimum claim of $1,000).
To help organize your efforts, here’s a quick checklist of essential Law 25 compliance steps:
This checklist isn’t exhaustive, but it covers the core Quebec Law 25 requirements. Use it as a starting point for your compliance project plan.
Adapting to Law 25 can be a complex process. Seeking the help of experts can significantly streamline that work and, at the same time, save you from potential fines. DPO Consulting is one of the top players in the industry, helping companies with privacy-related regulations. We provide outsourced DPO services, privacy training, and guidance on policy updates. We also offer specialized GDPR compliance services if you operate internationally.
Our experts can help you build or review your data breach response plan, conduct or validate PIAs, craft user-friendly consent forms, and generally ensure you’re ticking off every requirement. Our DPO consultants can take charge of managing privacy requests and regulatory filings, freeing up your team. Don’t wait until the last minute; getting professional assistance now can give you confidence that your organization fully meets all of Quebec’s Law 25 requirements.
Law 25 (the official name of Quebec’s new private-sector privacy law) was introduced as Bill 64 before it became law. It’s not the same as Bill 25 Quebec (a different law). If you do business in Quebec or handle the personal data of Quebec residents, you must comply with Law 25, regardless of where your company is based.
Law 25 took effect in stages. Key elements (like breach notification and appointing a Privacy Officer) began in September 2022, most new rules kicked in Sept 2023, and the final provisions (like data portability) arrived Sept 2024.
You must designate someone as the Privacy Officer. The law is flexible: you can appoint any qualified person or outsource the function. If you don’t, it automatically falls on the top executive (CEO/MD). Regardless, Law 25 requires that person’s identity and contact info be made public. Many companies opt for outsourced DPO services to meet this need smoothly.
Non-compliance can be costly. Regulatory fines can reach up to CA$25 million or 4% of global sales. Individuals in the company can face fines, too. Quebecers may also sue for damages if their privacy rights are violated. Having a proper breach response plan and consent handling process is the best way to avoid these penalties.
Law 25 shares many concepts with GDPR (rights, consent, privacy by design), but has unique features. Notably, the Privacy Officer role is optional (defaulting to senior management), and Quebec law adds a private right of action for citizens. The age of consent is 14 under Law 25. Also, Law 25 is provincial, so it works alongside Canada’s federal PIPEDA and Quebec’s language rules. If you already offer GDPR compliance services, applying similar practices to Law 25 is a good start, with adjustments for these local differences.
Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise.
External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.
Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.