Québec’s Law 25: A Deep Dive into Canada’s Most Stringent Privacy Law (and What It Means for Your Business)
Privacy laws around the world are tightening, but one of the most ambitious and broad-reaching regulations in North America isn’t U.S. federal law — it’s Law 25, the province of Québec’s modernized privacy regime. Originally introduced as Bill 64, Law 25 represents a fundamental shift in how organizations must collect, manage, and protect personal information — not just in Québec, but for any business that handles the data of Québec residents.
If your company operates in Canada or serves customers in Québec, understanding Law 25 is critical — because its requirements touch governance, consent, accountability, data transfers, and even individual legal rights.
What Is Québec’s Law 25?
Law 25 is Québec’s modern privacy statute, designed to bring provincial protections in line with global data privacy standards like the General Data Protection Regulation (GDPR). It applies to both public and private organizations that collect, use, disclose, store, or transfer personal information of individuals in Québec. Importantly, its reach isn’t limited to Québec-based companies — any organization handling Québec residents’ data is in scope.
The law has been rolling out since September 2022, with the most significant provisions in effect since September 22, 2023, and additional rights (like data portability) coming into force in 2024.
Key Principles and Requirements
Law 25 introduces a set of privacy obligations that go far beyond traditional consent mechanics, emphasizing accountability and individual rights.
1. Governance and Accountability
Every organization must:
- Designate a privacy officer (or equivalent) responsible for compliance.
- Maintain documented policies and procedures governing personal information.
- Ensure personnel are trained and aware of privacy responsibilities.
Law 25 even assumes the CEO as the default privacy officer if no one is formally appointed.
2. Consent and Transparency
Consent must be clear, informed, specific, and given freely for each purpose — much like GDPR’s standards. Organizations must also disclose:
- What they collect
- Why it’s collected
- Who it’s shared with
- How long it’s kept
For individuals under 14, parental consent is specifically required.
3. Privacy by Default
Law 25 mandates confidentiality by default, meaning systems and services must be configured in the most privacy-protective settings without any action by the data subject.
4. Privacy Impact Assessments (PIAs)
Organizations must conduct Privacy Impact Assessments when:
- Implementing new technologies or systems
- Transferring personal information outside of Québec
- Introducing services that pose heightened privacy risk
PIAs help identify and mitigate risks before the processing begins.
5. Data Subject Rights
Québec residents gain robust data subject rights under Law 25, including:
- Right to access personal information
- Right to correction
- Right to deletion (“right to be forgotten”)
- Right to data portability (effective September 2024)
- Right to object to automated decision-making
- Right to be informed about third-party sharing
These rights closely mirror global privacy norms but differ in some details, such as how data portability is implemented under Québec law.
6. Breach Notification
Confidentiality incidents that pose a risk of serious harm must be reported to both the Commission d’accès à l’information (CAI) and affected individuals. Processes for logging and responding to incidents are required.
7. Cross-Border Data Transfers
If personal data is transferred outside Québec (including international transfers), organizations must:
- Assess whether the destination provides a similar level of protection
- Conduct a PIA
- Put contractual safeguards in place
- Inform the data subject
This mimics GDPR’s approach to international transfers, reflecting Québec’s emphasis on protecting data regardless of geography.
Penalties and Enforcement
Law 25 empowers both administrative and judicial enforcement:
- Administrative penalties up to the greater of CAD 10 million or 2% of worldwide turnover for violations such as failure to implement privacy policies, report breaches, or obtain proper consent.
- Judicial penalties for serious offenses can reach CAD 25 million or 4% of worldwide turnover.
- Private right of action allows individuals to seek statutory damages directly — including collective action claims.
These sanctions make Law 25 one of the most consequential privacy laws in North America, outstripping many regional U.S. laws in both scope and enforcement power.
PieEye POV
Whether you’re a Québec-based company or serve users there, Law 25 requires a privacy-centric operational framework. Here are compliance steps to take now:
- Appoint a privacy officer and publish their contact info.
- Audit personal data collection and ensure purpose-specific consent.
- Implement privacy policies and PIA processes for new initiatives.
- Configure systems for privacy by default — no unnecessary tracking.
- Build workflows for breach reporting and data subject rights.
- Update contracts with third parties to ensure adequate protection and compliance.
Approaching Law 25 with a proactive privacy mindset — rather than a reactive checklist — will help your organization build durable trust with customers and minimize both legal and operational risk.