What Law 25 is and how it came into force
Law 25 refers to Quebec's Act to modernize legislative provisions as regards the protection of personal information — a substantial amendment to the province's existing private-sector privacy law (the Act Respecting the Protection of Personal Information in the Private Sector, sometimes called the Quebec Privacy Act). It was introduced as Bill 64 and passed in September 2021, with requirements rolling out in three phases between September 2022 and September 2023.
As of September 2023, all provisions of Law 25 are fully in force. The Commission d'accès à l'information (CAI), Quebec's privacy regulator, has stated clearly that it is enforcing the new rules and has issued guidance to businesses. This is not a future compliance concern — it is current law.
Law 25 was modelled partly on Europe's General Data Protection Regulation (GDPR). If you are familiar with GDPR requirements, many Law 25 concepts will be recognizable — but there are meaningful differences, and the two laws are not identical.
Who Law 25 applies to
Law 25 applies to any enterprise — including a sole proprietor, a small business, or a non-profit — that collects, uses, communicates, retains, or destroys personal information about Quebec residents in the course of carrying on an enterprise. The law does not require that the organization be based in Quebec. A business in British Columbia, Ontario, or Alberta that collects personal information from Quebec residents is subject to Law 25 for that collection.
For websites, this means: if Quebec residents can access your site, submit contact forms, sign up for your newsletter, or make purchases, and you are collecting their personal information, Law 25 applies to those interactions. The practical threshold for "carrying on an enterprise" that reaches Quebec is low — having a website that is accessible to Quebec residents and that accepts their information is generally sufficient.
Businesses that collect only business contact information for purely B2B purposes have some limited exceptions, but consumer-facing websites do not.
Key requirements for websites
Law 25 introduces several requirements that go beyond what federal PIPEDA demands. For a typical small business website, the most practically significant ones are as follows.
Privacy policy disclosure requirements are more detailed. Your privacy policy must explain, in plain language, the categories of personal information collected, the purposes for collection, the retention periods for each category, the rights of individuals, the name or title of the person responsible for protecting personal information in your organization, and how to contact that person. It must be written in clear and simple language and be easily accessible on your website.
Privacy notices at the point of collection are required. When collecting personal information, you must inform the individual at the time of collection: what information is being collected, why, how long it will be kept, whether it will be communicated to third parties, and the individual's rights. A one-line consent statement under a contact form is not sufficient under Law 25 — the notice must be comprehensive enough to allow meaningful informed consent.
Cookies and tracking technologies require active consent. If your website uses cookies or other technologies to collect personal information — including analytics, advertising pixels, or behavioural tracking — Law 25 requires that you obtain consent before the collection occurs. The consent mechanism must allow individuals to easily withdraw consent, and the withdrawal must be as easy as giving it. A cookie banner where "Accept All" is a large button and "Manage Preferences" is small text in the corner does not satisfy this requirement.
Privacy impact assessments (PIAs) are required for high-risk activities. Before implementing any technology that involves a significant risk to privacy — including many analytics tools, CRMs, or marketing platforms — you must conduct a privacy impact assessment. For most small business websites using standard tools, this is a relatively brief exercise, but it must be documented.
Consent: stricter than PIPEDA
Consent under Law 25 must be manifest, free, and informed. "Manifest" means it must be expressed clearly — silence, inaction, or pre-ticked boxes do not constitute valid consent. "Free" means the person must be able to refuse or withdraw consent without suffering negative consequences. "Informed" means the person must know what they are consenting to before they consent.
For sensitive personal information — which Law 25 defines broadly to include health information, financial information, ethnic or racial origin, political opinions, religious beliefs, sexual orientation, biometric data, and similar categories — the consent requirement is stricter still. Consent must be explicit, and the purpose must be specific. You cannot obtain a single broad consent for all uses of sensitive data.
This has practical implications for contact forms that ask for more than basic contact information, for any health or wellness service collecting client health details, for financial services, and for any site that attempts to collect demographic or lifestyle data.
Mandatory privacy officer
Law 25 requires that every enterprise designate a person responsible for protecting personal information. In a large organization, this might be a Chief Privacy Officer. For a small business, it can be the owner or an employee. The requirement has two practical components: first, someone must actually be designated, and second, the name or title of that person must be published on your website and in your privacy policy.
This is a concrete and easily verifiable requirement. The CAI can check your website to see whether you have published this information. A privacy policy that does not identify a responsible person is non-compliant with Law 25 on its face.
Breach reporting: 72-hour rule
Law 25 requires that if a privacy incident — a breach of security safeguards involving personal information — occurs, and the incident presents a risk of serious injury to individuals, you must notify both the Commission d'accès à l'information and the affected individuals. The notification to the CAI must happen promptly, and the CAI has interpreted "promptly" as within 72 hours of becoming aware of the incident.
This is significantly more demanding than federal PIPEDA's breach notification requirement, which does not specify a timeline. Law 25's 72-hour rule aligns with GDPR's approach and requires that organizations be prepared to move quickly when a breach is identified.
You must also maintain a register of all privacy incidents — even those that do not meet the threshold for mandatory notification. The CAI can request this register at any time.
Individual rights: deletion, portability, and more
Law 25 grants Quebec residents a set of rights over their personal information that are more extensive than those under federal PIPEDA.
Right to access: Individuals can request a copy of any personal information you hold about them, in a plain and accessible format.
Right to correction: Individuals can ask you to correct inaccurate personal information in your records.
Right to deletion: Individuals can ask you to delete their personal information when it is no longer necessary for the purposes for which it was collected, or when they withdraw consent. This is a significant addition to Canadian privacy law — PIPEDA does not include an explicit right to deletion. You must be able to locate and delete individual records on request.
Right to data portability: Individuals can request that their personal information be provided to them in a structured, commonly used technological format. If technically feasible, they can also request that their data be transferred directly to another organization. For most small business websites, this applies primarily to account data held in a CRM or customer database.
Right to object to automated decision-making: If your organization uses automated means to make decisions that significantly affect individuals — such as automated loan scoring, credit decisions, or similar systems — individuals have the right to be informed of this, to have the logic explained to them, and to request human review. Most small business websites are not affected by this provision.
Fines and enforcement
Law 25's penalties are significant. Administrative monetary penalties can reach $10 million or 2% of worldwide turnover, whichever is greater. Penal fines for more serious violations can reach $25 million or 4% of worldwide turnover. These are not theoretical maximums — the CAI has signalled its intention to enforce actively, particularly for organizations that have had time to comply and have not done so.
Individuals also have a private right of action for intentional or grossly negligent privacy violations, which is a meaningful addition to Quebec law.
For most small businesses, the risk of maximum fines is limited — the CAI has indicated it will focus enforcement on organizations that handle large volumes of personal data or that process sensitive data. But smaller penalties and compliance orders are more likely for small businesses that ignore the law entirely, and reputational damage from a breach or a regulatory action can be significant regardless of fine size.
Practical steps for small business websites
The following steps address the most critical Law 25 requirements for a typical small business website.
Designate a privacy officer and publish their name or title in your privacy policy and on a contact page. For most small businesses, this is simply the owner.
Update your privacy policy to include all Law 25 required elements: what data is collected, why, retention periods for each category, third-party disclosures, individual rights, and how to contact the privacy officer.
Implement a proper cookie consent mechanism if your site uses analytics, tracking pixels, or any non-essential cookies. The consent must be obtained before the cookies fire, must be easy to withdraw, and must not use dark patterns to nudge users toward accepting.
Add point-of-collection notices to your contact forms and any other data collection points. These need to be concise but must cover the required elements: what you collect, why, how long you keep it, and whether it is shared.
Document a breach response process. Know who in your organization is responsible for identifying and responding to a breach, and know how to notify the CAI. The 72-hour clock starts when you become aware of the incident, not when you have fully investigated it.
Be able to fulfil individual rights requests. If someone contacts you to request their data, correct it, or delete it, you need to be able to respond. For small businesses with a simple contact form and a newsletter list, this is usually straightforward — but you need to know where all your personal data lives.
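As an added illustration of the cookie-consent step above (and of the "Cookies and tracking technologies require active consent" requirement earlier), here is a small consent-gating module in JavaScript. It is example code written for this article, not code from the CAI, from any consent-management vendor, or from a real site. The category names, the storage key `law25-consent`, the tracker names and the dates are assumptions, and `memoryStore` stands in for `window.localStorage` so the example runs outside a browser. Trackers are only loaded after an explicit per-category choice, every category defaults to refused (no pre-ticked boxes), withdrawal is a single call that unloads what was loaded, and a stored decision is re-applied on the next page view.

```javascript
"use strict";

// Consent categories this example gates. Strictly necessary cookies are not
// listed because they do not need consent; everything listed is off until the
// visitor actively chooses (no default-on, no consent implied by silence).
const GATED_CATEGORIES = ["analytics", "marketing"];

// A fresh "no decision yet" state: every gated category refused.
function emptyState() {
  const categories = {};
  for (const c of GATED_CATEGORIES) categories[c] = false;
  return { version: 1, decided: false, decidedAt: null, categories };
}

// Read a stored decision. Anything missing, malformed or from an unknown
// version is treated as "no decision", so nothing loads until the visitor chooses.
function readState(store, key) {
  try {
    const raw = store.getItem(key);
    if (!raw) return emptyState();
    const parsed = JSON.parse(raw);
    if (parsed.version !== 1 || typeof parsed.categories !== "object") return emptyState();
    const state = emptyState();
    state.decided = parsed.decided === true;
    state.decidedAt = parsed.decidedAt || null;
    for (const c of GATED_CATEGORIES) state.categories[c] = parsed.categories[c] === true;
    return state;
  } catch (_) {
    return emptyState();
  }
}

// store: any object with getItem/setItem (window.localStorage in a browser).
// now: injectable clock so the recorded decision time is reproducible in tests.
function createConsentManager(store, { storageKey = "law25-consent", now = () => new Date() } = {}) {
  const trackers = []; // { name, category, load, unload, loaded }
  let state = readState(store, storageKey);

  // Load trackers whose category is consented and not yet loaded; unload
  // trackers whose category is no longer consented.
  function reconcile() {
    for (const t of trackers) {
      const allowed = state.decided && state.categories[t.category] === true;
      if (allowed && !t.loaded) { t.load(); t.loaded = true; }
      else if (!allowed && t.loaded) { t.unload(); t.loaded = false; }
    }
  }

  // Record an explicit choice per category. Categories not named stay refused.
  function choose(choices) {
    const fresh = emptyState();
    fresh.decided = true;
    fresh.decidedAt = now().toISOString();
    for (const c of GATED_CATEGORIES) fresh.categories[c] = choices[c] === true;
    state = fresh;
    store.setItem(storageKey, JSON.stringify(state));
    reconcile();
  }

  return {
    // load() is where a site would inject the vendor script; unload() must
    // remove that vendor's cookies and stop further collection.
    register(name, category, load, unload) {
      if (!GATED_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      trackers.push({ name, category, load, unload, loaded: false });
      reconcile(); // a tracker registered after a stored decision is applied immediately
    },
    choose,
    acceptAll() { const all = {}; for (const c of GATED_CATEGORIES) all[c] = true; choose(all); },
    withdrawAll() { choose({}); }, // one call, the same effort as acceptAll()
    isAllowed(category) { return state.decided && state.categories[category] === true; },
    hasDecided() { return state.decided; },
    loadedTrackers() { return trackers.filter((t) => t.loaded).map((t) => t.name); },
  };
}

// Minimal localStorage stand-in so the example runs in Node (constructed for this example).
function memoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Walk through a visit with two hypothetical trackers and return what happened.
function demo() {
  const store = memoryStore();
  const events = [];
  const cm = createConsentManager(store, { now: () => new Date("2024-01-15T10:00:00Z") });
  cm.register("analytics-tag", "analytics", () => events.push("load:analytics-tag"), () => events.push("unload:analytics-tag"));
  cm.register("ad-pixel", "marketing", () => events.push("load:ad-pixel"), () => events.push("unload:ad-pixel"));
  const beforeChoice = cm.loadedTrackers();   // nothing fires before a choice
  cm.choose({ analytics: true });             // "Manage preferences": analytics only
  const afterPartial = cm.loadedTrackers();
  const cm2 = createConsentManager(store);    // next page view re-reads the stored decision
  cm2.register("analytics-tag", "analytics", () => events.push("load2:analytics-tag"), () => events.push("unload2:analytics-tag"));
  const nextPage = cm2.loadedTrackers();
  cm2.withdrawAll();                          // withdrawal unloads what was loaded
  return { beforeChoice, afterPartial, nextPage, afterWithdraw: cm2.loadedTrackers(), events };
}
```

The module only enforces the logic; the banner that calls it still has to present accept, refuse and withdraw with equal prominence, and each tracker's `unload()` has to actually delete the cookies that vendor set, otherwise withdrawal is recorded but not honoured.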