
Quebec Law 25 for Startups: What You Need to Know

Data security and online privacy have become significant issues in recent years, prompting legislation from multiple nations.   

On September 22, 2021, Quebec’s Bill 64, also referred to as an act to amend legislative rules respecting the protection of personal information, was formally adopted and became Law 25.   

The province’s new privacy laws are part of a broader modernization of Canada’s privacy landscape, which has recently seen significant progress toward major federal and provincial reform.   

Law 25 imposes new requirements on businesses regarding protecting personal information belonging to Quebec residents.   

These requirements include appointing a Data Security Officer (DPO) and conducting privacy impact assessments (PIAs).

Most of these new laws were enacted in September 2023, with the remaining measures taking effect over three years.  

Legislation of this kind is not surprising, given the Legault CAQ government has been at the forefront of multiple innovations relating to the digital realm.  

This bill updates the law because the current legislation fails to deal with digital data adequately.   

It is important to remember that Law 25 is more than just a preparatory law; it has teeth.   

When a natural person violates the law, they could face penalties ranging from $5,000 to $100,000.  

Penalties for more severe violations range from $15,000 to $25 million, or 4% of the global revenue from the preceding financial year, whichever is higher.  

Furthermore, this law is believed to be ever-changing, meaning that additional requirements will be introduced over time to keep the provisions of the law up to date.   

This article is a guide to the updated requirements of the law, your organization’s compliance responsibilities, and strategies for ensuring alignment now and in the future.

Overview of Law 25  

Law 25, commonly referred to as Bill 64, is a set of regulations that aims to update the data privacy practices of public and private entities.   

It is sometimes compared to the GDPR of the European Union.   

The Quebec provincial government introduced it in June 2020, and in September 2021, it was formally signed into law.   

The law encourages the use of multiple sophisticated tools but does not mandate any specific technology.

It describes potential criminal and monetary penalties if a solution isn’t implemented.  

For example, because of this rule, all businesses must use multi-factor authentication to avoid significant penalties for a data breach. Adopting data encryption would also be a wise practice.

The law’s provision regarding citizens’ rights to erasure of data and dereferencing is also significant.   

Therefore, to prevent adding to the complexity of this process, businesses must have an effective data-handling policy in place.  

Furthermore, this law establishes a right to data portability. This right and the one stated in the above paragraph are similar.   

Nonetheless, upon request, businesses and public entities must give individuals access to all personal data they have collected about them.    

Applicability of Law 25 Quebec  

Law 25 applies to all businesses in Quebec engaged in organized economic activities, including collecting, storing, using, or sharing personal information about residents with third parties or offering services to residents of Quebec, whether or not they are for-profit enterprises.

Old Version of Law 25  

First implemented on September 22, 2021, Law 25 established guidelines for new regulations businesses in Quebec had to adopt until September 22, 2022.   

The objective of these controller guidelines, privacy policies, risk assessments, and data breach reporting was to strengthen the privacy rights of individuals in Quebec.   

Businesses in Quebec were expected to perform the following during the initial implementation:  

  • A person should be assigned to oversee the protection of personal data.  
  • If personal data is involved in a confidentiality incident:
      • Take action to mitigate the possibility of harm to the individuals concerned and stop such incidents from happening.
      • Fill out a form to inform the person concerned and the Commission d’accès à l’information du Québec (CAI).
  • Maintain a record of confidentiality incidents and send a copy to the Commission upon request.   
  • Follow the new guidelines when sharing personal data without the subject’s consent for purposes like study, research, or statistical purposes or while conducting a business transaction without   
  • Conduct a privacy impact assessment before sharing personal data without the subject’s consent for study, research, or statistical purposes.  
  • Submit a form to the Commission for notification before identity verification or confirmation using biometric characteristics or measures.  

What are the changes in Law 25 implemented in 2023?  

As of September 22, 2023, Law 25 has been amended to further advance the requirements for individual privacy rights.   

Businesses in Quebec were required to comply with the following in addition to the controller requirements during the initial implementation:  

  • Create a policy outlining the business’s governance for data protection. The following needs to be in the policy:
      • Regulations governing the storage and deletion of personal data.
      • Employees’ roles and responsibilities at every stage of the personal information life cycle.
      • Procedure for filing privacy complaints.
  • Observe the new requirements for transparency.  
  • Obtain an individual’s free and informed consent before collecting, sharing, or using their personal information, and comply with the latest consent requirements.  
  • Once the purpose for collecting the data has been met, the personal information should be deleted. If not, anonymize it for essential and legitimate purposes according to the standards and retention period prescribed by Law 25.
  • Perform a privacy impact assessment as mandated by the law.  
  • Observe the rights of de-indexation and cessation of dissemination. Now, anyone harmed by businesses sharing their personal information or violating the law or a court order can request that these companies stop sharing their information or de-index any hyperlink associated with their name that gives access to their data.
  • Respect the new standards for sharing private information and assisting the grieving process. Organizations may provide a deceased person’s spouse or close relative access to personal information if knowing the information can help them in their grieving process unless the deceased has expressly stated in writing that he does not wish to have this right of access granted.  
  • Observe the newly implemented guidelines relating to collecting personal information about minors under 14, which specify that such information may no longer be collected without the consent of the adult with parental authority.   
  • The duty to disclose the specifications ensures the maximum privacy for any technology-related good or service made available to the public.  

Implications of new amendments of Law 25  

Significant amendments have been made to Quebec’s Law 25, affecting various stakeholders, including individuals and businesses. The new amendments place more responsibilities on businesses, such as:   

  • Privacy Impact Analysis (PIA)  
  • Management of incidents  
  • Framework for consent  
  • Transparency on automated decisions   
  • Penalties for non-compliance   

The amendments to the law provide individuals with additional rights over their data and improved data protection.   

Although Law 25 is essential for enhancing personal data privacy, putting its requirements into practice can be challenging and resource-intensive.   

The most difficult tasks are getting stakeholders to agree on privacy impact assessments, ensuring data protection agreements are in place, and updating consent mechanisms.  

The amendments, however, also present prospects for companies to improve their data protection techniques, earning their customers’ trust and enabling them to use data management to get a competitive edge.   

This further leads to better customer relationships.  

Key privacy requirements of Quebec’s Bill 64 (Law 25)  

Below are some of the key requirements stated by Law 25.

Breach Notification  

When there is a breach of confidentiality concerning personal data, companies must act to mitigate the harm and stop such occurrences from happening again.   

If the incident can cause serious harm, it must be reported to the CAI, and the affected person should be notified.   

The report and the notification can be withheld if they would get in the way of a criminal investigation.

Under Law 25, companies must also record confidentiality incidents and, upon request, give a copy to the appropriate regulatory body.

Appointing a DPO  

Companies must comply with Law 25’s guidelines for protecting personal data. The person with the highest authority in the company is given specific duties, though these can be delegated to another individual.

Individuals responsible for protecting personal information must make their contact details easily accessible to people by making them publicly available on the business website or by other feasible means.

Governance Policies  

Policies for protecting personal data must be designed and complied with. These policies should include:   

  • Duration of Data Storage  
  • The roles and duties of various team members involved in managing personal data.  
  • How the company responds to data protection complaints.   

The policies need to be approved by the person in charge of data protection and should align with the company’s size.   

Additionally, particulars of these policies must be shared on the company website or made accessible in other ways.  

Privacy Impact Assessment  

In Quebec, companies undertaking any project involving collecting, using, sharing, retaining, or destroying personal data must perform a privacy impact assessment. The assessment should consider the data’s intended use, sensitivity, quantity, distribution, and storage format.  

Protection Measures  

The person responsible for protecting personal data may suggest specific security measures, such as:

  • Designating a responsible person  
  • Protecting documents  
  • Outlining the obligations of project participants concerning data protection  
  • Conducting data protection training  

Risk Assessment  

Businesses in Quebec should consider the following when determining the potential harm to individuals from a confidentiality incident:  

  • Information sensitivity  
  • Expected repercussions of misusing it 
  • Possibility of harmful use   

Additionally, they need to speak with individuals in control of personal data.  

Privacy Policy  

Any company that collects personal data is required to notify users of the following:  

  • Why the information is being collected  
  • How it will be used  
  • Who has access to the information within the organization  
  • Where the data will be stored
  • Users’ rights to access and update the information  
  • Right to withdraw consent to use the data  
  • The identity and specifics of the third party with whom the information will be shared  
  • Whether the information will be sent outside of Quebec
  • The technology used for user identification, location, profiling, and deactivation.  

This must be communicated through a privacy policy that users can easily access.

International data transfers  

Businesses must carefully ensure that the personal data they transfer from Quebec to places outside the province is secure and safe.  

Because of this, they must notify the individuals whose data is being shared, establish a contract with the recipient, and carry out a Privacy Impact Assessment.  

How does the new Law 25 affect your business?  

Organizations are required by the new Law 25 amendments to implement steps to improve user data protection.   

This implies that the following steps are necessary for compliance:   

  • Inform users through a privacy policy.
  • Ensure that explicit and informed consent forms the basis for all data collection, use, and sharing. 
  • Develop and share data security policies.   
  • Provide a way for consumers to exercise their data rights.   
  • Appoint a privacy officer and provide the public with their contact details.  
  • Perform privacy impact assessments.
  • Put suggested protection measures into action.   
  • In case of a data breach, notify the enforcing Commission and the impacted users.   
  • To ensure compliance with Law 25, employees should receive data protection training, such as cybersecurity awareness training.  


Law 25 establishes explicit privacy and cyber security measures, a crucial upgrade to Quebec’s legal system.   

Businesses must implement more stringent methods to protect user data, such as designating a privacy protection officer, obtaining explicit and informed consent, enhancing user transparency, performing privacy impact assessments, and more.

Despite the importance of the indicators discussed in this post, establishing a company culture that prioritizes cyber security knowledge is the best way to stop these breaches.

Employees can avoid the issues raised by Act 25 if they have access to thorough cybersecurity training.