Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Loi 25) introduced GDPR-equivalent obligations in Canada - mandatory privacy officers, privacy impact assessments, breach notification, data minimization, and penalties up to 4% of worldwide revenue or $25 million. If you operate in Quebec or hold data on Quebec residents, this applies to you.
Law 25 applies to any private-sector organization that holds personal information about Quebec residents, regardless of where the organization is headquartered.
Every organization must designate a person in charge of the protection of personal information (the "Privacy Officer"). Their contact information must be published on the organization's website. This person bears accountability for Law 25 compliance.
A PIA is mandatory before any project involving acquisition, development, or redesign of a technology-based system for collecting, using, communicating, retaining, or destroying personal information. This includes new SaaS implementations, CRM deployments, and analytics platforms.
Confidentiality incidents posing a risk of serious injury must be reported to the Commission d'accès à l'information (CAI) within 72 hours of discovery. Affected individuals must also be notified. A confidentiality incident register must be maintained for all incidents, regardless of severity.
Organizations must publish a clear privacy policy in plain language. The policy must describe: what personal information is collected, why it is collected, with whom it is shared, and how individuals can exercise their rights.
Only collect what is necessary for the specified purpose. Establish and enforce retention schedules. Implement destruction or anonymization of personal information when its purpose has been served. Lavawall® helps monitor data access patterns and identify retention policy violations.
Before transferring personal information outside Quebec, organizations must conduct a privacy impact assessment and implement contractual protections. Transfers to US cloud providers require documented assessments - default cloud configurations may not comply.
Consent must be manifest, free, and informed. Implied consent is significantly restricted. Separate consent is required for purposes beyond the primary collection purpose. Consent for sensitive personal information (health, biometric, etc.) must be explicit.
Individuals have a right of access, a right of rectification, a right to portability (for computerized personal information), and a right to de-indexation. Organizations must have documented processes to respond to requests within 30 days.
The CAI can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover for less serious violations, and up to $25 million or 4% of worldwide turnover for the most serious violations. The CAI has demonstrated it will use these powers - organizations outside Quebec have received notices for failing to comply with Quebec residents' data rights.
Law 25 requires more explicit, granular consent than PIPEDA. Implied consent for secondary uses is largely eliminated. Organizations that rely on bundled consent for multiple purposes need to redesign their consent processes for Quebec operations.
PIPEDA requires a privacy contact, but Law 25 requires the Privacy Officer's contact information to be publicly listed on the organization's website. This is a visible compliance obligation that the CAI actively monitors.
PIPEDA recommends PIAs as best practice. Law 25 mandates them before any new technology project touching personal information. The PIA must be documented and available to the CAI on request.
Law 25 creates a right to portability for computerized personal information - one of the first Canadian laws to do so, following GDPR. Organizations with significant Quebec customers must build data portability capabilities.
For organizations with internal privacy and legal capacity that need security tooling to support Law 25 safeguard requirements
Expert guidance for organizations needing Law 25 program development alongside their internal team
Full Law 25 compliance program delivered end to end
Yes, if you collect personal information about Quebec residents. Law 25 applies based on where the data subjects are located, not where the organization is incorporated. An Alberta company with Quebec customers, Quebec employees, or Quebec website visitors is subject to Law 25 for that personal information. This is similar to GDPR's territorial scope. If you serve national customers and don't have a Law 25 compliance program, you have a material compliance gap.
Quebec's Law 25 has been declared "substantially similar" to PIPEDA by the federal government, meaning PIPEDA's federal requirements are largely displaced for provincially regulated organizations handling Quebec residents' personal information. However, federally regulated industries (banking, telecom, rail, air) remain subject to PIPEDA. Once Bill C-27 (CPPA) is enacted federally, the overlap will need to be reassessed - ThreeShield tracks these interactions and provides guidance on the most stringent applicable requirement.
Law 25 applies to personal information - any information about an identifiable individual, including business contact information used in a personal capacity. Business contact information used strictly for business communication may have reduced obligations, but the distinction is fact-specific. Employee data (whether your own employees or those of vendor companies you deal with) is clearly covered. ThreeShield maps your data categories to determine the applicable requirements.
With penalties up to $25M and an active CAI enforcement posture, Law 25 compliance is not optional for any organization holding Quebec residents' data. ThreeShield delivers rapid gap assessments and full compliance programs.
Book a Law 25 Assessment. Also covers PIPEDA / Bill C-27 · Alberta PIPA · BC PIPA