Quebec Law 25 Compliance: What Every Business Operating in Quebec Needs to Know
A practical guide to Quebec's Law 25 privacy requirements. Covers what changed, who it applies to, privacy impact assessments, and what businesses must do to comply.
4/10/2026, 2 min read


What Is Law 25?
Law 25 (formerly Bill 64) is Quebec's sweeping modernization of provincial privacy law. It amends the Act Respecting the Protection of Personal Information in the Private Sector and establishes some of the strictest privacy requirements in Canada. If your organization collects, uses, or discloses personal information about Quebec residents — even if you're headquartered outside the province — Law 25 applies to you.
What Changed and When
September 2022: Mandatory appointment of a person in charge of personal information protection. Organizations must publish the name and contact info of their privacy officer on their website.
September 2023: Privacy impact assessments (PIAs) became mandatory before launching any new technology project involving personal information. Consent rules tightened significantly. Individuals gained new rights including the right to data portability and the right to be forgotten (deindexation).
Ongoing enforcement: Breach reporting to the Commission d'accès à l'information (CAI) is required for any breach presenting a "risk of serious injury." Fines reach up to $25 million or 4% of worldwide revenue — whichever is higher.
Key Requirements
Privacy Officer: Every organization must designate a privacy officer and publish their contact information publicly. This person is accountable to the CAI.
Privacy Impact Assessments: Required before any project that involves personal information — new software, third-party integrations, acquisitions. The PIA must assess risks and document mitigations.
Consent: Must be clear, free, and informed. Pre-checked boxes and bundled consent are no longer acceptable. Organizations must be able to demonstrate valid consent was obtained.
Right to Be Forgotten: Individuals can request that organizations stop disseminating their information or deindex content that makes their personal information accessible via search engines.
Data Portability: Individuals have the right to receive their personal information in a structured, commonly used technological format.
Law 25 Compliance Checklist
☐ A privacy officer is designated and their contact info is on your website
☐ A privacy policy written in plain language is publicly accessible
☐ A process exists for conducting Privacy Impact Assessments before new projects launch
☐ Consent mechanisms meet Law 25 standards — no pre-checked boxes, no bundled consent
☐ Breach detection and CAI reporting procedures are documented
☐ A process exists for individuals to exercise portability and deindexation rights
☐ Vendors and third parties have signed data processing agreements
☐ Staff have been trained on Law 25 obligations
How It Compares to PIPEDA
Law 25 is stricter than PIPEDA in several key ways: the fines are dramatically larger, the PIA requirement is more prescriptive, and the right to be forgotten has no equivalent in federal law. Organizations subject to both laws need to meet the higher standard — which means Law 25 sets the floor for Quebec operations.
How Technology Can Help
Law 25's PIA requirement and breach reporting timelines demand that organizations actually know where personal information lives. Manual processes don't provide that visibility. Purpose-built tools can discover personal information across your systems, assess exposure, and generate the documentation your PIAs require.
Explore PII Protect Suite → https://overallworks.com/piiprotectsuite
Conclusion
Law 25 is not a future obligation — enforcement is active and fines are real. If your organization hasn't completed a privacy gap assessment against Law 25's requirements, now is the time.
This post is for informational purposes only and does not constitute legal advice. Consult a qualified privacy lawyer for guidance specific to your organization.