Law 25 Compliance & Privacy Checklist for Businesses

Quebec's Loi 25, commonly known as Law 25 or Bill 64, is one of the most demanding privacy frameworks in North America. Failure to comply can result in penalties of up to $25 million CAD or 4% of your worldwide turnover.

At DPO Consulting, we have helped organizations across Canada and internationally understand their obligations, close compliance gaps, and build privacy programs that hold up to regulatory scrutiny.

Law 25 Compliance Support for Organizations Operating In or Targeting Quebec

Law 25 applies to any organization, public or private, based in Quebec or not, that handles the personal information of Quebec residents. That broad scope means thousands of Canadian and international businesses must meet its requirements, including mandatory appointment of a Privacy Officer, robust consent mechanisms, documented Privacy Impact Assessments (PIAs), and enforceable data subject rights.

DPO Consulting delivers structured, practical Law 25 privacy compliance programs built for organizations at every stage of their compliance journey.
Our services

Expert Law 25 Compliance Services for Businesses

It’s important that the individual or organization you assign as your UK representative has extensive experience and familiarity with UK GDPR regulation to avoid any regulatory shortfalls.

Law 25 Compliance Assessments and Gap Analysis

Our certified privacy consultants conduct thorough assessments of your current data practices against the full requirements of Law 25, including data inventory, consent frameworks, governance structures, vendor contracts, and breach response protocols. The output is a clear, prioritized gap report that tells you exactly where you stand and what needs to change.

Outsourced Privacy Officer and Governance Support

Law 25 requires every organization to designate a person responsible for personal information protection. Our Outsourced Privacy Officer service gives you qualified expertise on demand, such as policy development, regulatory liaison, and ongoing oversight, without the cost of a permanent hire.

Consent Management and Privacy Controls

From cookie banners and preference centres to privacy notices and tracking controls, we help you implement consent management solutions that meet Quebec's strict Law 25 (Bill 64) standards while remaining practical for your users and your business.

Privacy Impact Assessments and Risk Management

Law 25 mandates a Privacy Impact Assessment in Québec (EFVP) before collecting personal information or transferring it outside Quebec. Our consultants guide you through each EFVP, identifying risks and producing regulator-ready documentation.

Law 25 Training and Internal Enablement

We deliver role-specific training for executives, HR, IT, and customer-facing teams, equipping your people to handle personal information correctly and respond to incidents with confidence.

Why Law 25 Compliance Matters for Your Organization

A lack of GDPR compliance opens the door to several potential organizational risks. Our goal is to prevent them.

Financial Penalties

The CAI can impose penalties of up to $25 million CAD or 4% of worldwide turnover for serious violations. This is active enforcement, not a future risk. Organizations without documented compliance programs are already exposed.

Data Breaches

Law 25 requires prompt notification to the CAI and affected individuals following any incident posing a serious risk of harm. Without a tested response plan, a single breach compounds your legal, financial, and regulatory exposure significantly.

Reputational Damage

Enterprise clients, procurement teams, and consumers are scrutinizing how organizations handle personal data. Non-compliance doesn't just attract fines; it costs contracts and erodes trust that takes years to rebuild. Read Quebec Law 25 Explained to understand the full commercial stakes.

We help you turn your GDPR compliance into a competitive asset.

Our consultants guarantee successful GDPR compliance in 60 days with a customized action plan based on the unique needs of your organization.

Customized strategies for your organization.

We cater to what your organization needs, and focus on delivering the highest impact.

A partner that adapts to your needs.

No matter your situation, we find a way to ensure you’re GDPR-compliant.

Constantly up to date.

Always on top of new rules and regulations to ensure you stay ahead of the curve.

Complete trust and transparency.

You’ll have total insight into what we’re doing every step of the way.
Why choose DPO Consulting?

Why Choose DPO Consulting for Law 25 Compliance

DPO Consulting specializes in the protection of personal data and UK GDPR compliance law. Our services are tailor-made to ensure you’re GDPR compliant no matter where you operate from.

Proven experience with Quebec privacy law.

Our consultants have deep, hands-on experience with Law 25 and its evolution from Bill 64 through full implementation. We understand both the letter of the law and how the CAI interprets and enforces it in practice.

Tailored compliance programs.

There is no one-size-fits-all approach to Law 25 privacy compliance. We design every program around your sector, your size, your existing controls, and your risk profile, giving you a solution that is proportionate, achievable, and defensible.

End-to-end privacy coverage.

From initial assessment through policy development, technical controls, staff training, EFVP delivery, and ongoing monitoring, DPO Consulting covers every dimension of your compliance obligations under one relationship. No coordination gaps. No blind spots.

Long-term compliance partnership.

Privacy law does not stand still. CAI guidance evolves, enforcement priorities shift, and your business changes. Our retained compliance partnerships ensure your program stays current, your team stays informed, and your exposure stays managed, year over year.

We make fantastic long-term partners.

As your designated GDPR compliance partner, we’re here to grow as you do and support your organizational needs accordingly.

READ STORIES FROM OUR EXISTING PARTNERS
Fearlessness, curiosity, and a willingness to experiment are the cornerstones of our culture. We embrace challenges with courage, nurture curiosity to drive continuous improvement, and understand that both successes and failures are invaluable teachers. Every experience contributes to our collective growth and evolution.
Floyd Miles
UI/UX Designer

Providing data compliance for 100+ leading organizations.

Get in touch with one of our Law 25 compliance consultants.

Contact our Law 25 compliance expert today to schedule a confidential consultation and find out exactly what your organization needs to achieve and maintain full compliance.

Contact us directly at our email address
contact@dpo-consulting.com

The data collected on this form are intended for DPO Consulting. They are used to process your request. They are also used for sending you our newsletter if you have consented to it by checking the box below. Mandatory data are indicated on the form by an asterisk. In accordance with the EU Regulation 2016/679 of 27 April 2016 on the protection of personal data and the amended Law "Informatique et Libertés" of 6 January 1978, you have the right to the access, rectification, deletion, portability as well as limitation and opposition to the processing of your personal data. You can exercise that right by sending an email to the following address: dpo@dpo-consulting.com.

For more information about the processing of your personal data by DPO Consulting, you can consult the Data Protection Policy.
Work with professionals

Experts in Law 25 and Global Data Protection Frameworks

DPO Consulting works across GDPR, the UK Data Protection Act, Canada's PIPEDA and provincial equivalents, PDPA frameworks in Southeast Asia, and the EU AI Act, as well as Quebec's Law 25. That global perspective means we bring cross-jurisdictional insight to every engagement, identifying synergies between frameworks and avoiding duplicated compliance efforts.

Organizations already compliant with GDPR will find significant overlap, but Quebec's specific requirements around consent language, EFVP obligations, and CAI notification timelines mean dedicated Law 25 attention is still required.

Commonly asked questions on Law 25 compliance.

Who must comply with Law 25?

Any private-sector organization that collects, uses, communicates, or retains the personal information of Quebec residents must comply, regardless of where the organization is headquartered.

Does Law 25 apply to organizations outside Quebec?

Yes. If your organization targets Quebec residents, whether through e-commerce, digital marketing, service delivery, or employment, Law 25 applies to how you handle their personal information.

What types of personal information are regulated under Law 25?

Law 25 covers any information that directly or indirectly identifies a natural person, including names, contact details, financial data, health information, biometric data, location data, and online identifiers such as IP addresses and cookies.

How does Law 25 differ from GDPR?

Both frameworks share foundational principles (lawful basis, transparency, data minimization, and individual rights), but Law 25 has Quebec-specific requirements: French-language privacy notices, mandatory EFVP documentation, CAI-specific breach notifications, and strict rules on cross-border data transfers. Organizations that are GDPR-compliant still need dedicated Law 25 (Bill 64) analysis.

What penalties apply for non-compliance?

Administrative penalties reach up to $25 million CAD or 4% of worldwide turnover for the most serious violations. Penal fines for intentional breaches can also reach $25 million. Penalties are tiered by the nature and severity of the violation.

Do GDPR-compliant organizations still need Law 25 support?

Yes. While GDPR compliance provides a strong foundation, Law 25 imposes specific obligations, particularly around Privacy Impact Assessments, consent for cookies, cross-border transfers, and CAI engagement, that are not fully covered by GDPR controls alone. A targeted Law 25 compliance checklist review is essential even for organizations with mature European privacy programs.