Law 25 | May 1, 2026 | 9 min read

Law 25 Is Not Just a Quebec Problem — Every Canadian Business That Touches Quebec Data Is Affected

Quebec's Law 25 doesn't only apply to Quebec businesses. Any organization handling personal information of Quebec residents is caught — including ones based in BC, Ontario, and Alberta.

By Canuckt AI Team

This article is available in English only. A French version will be available soon.

The Misunderstanding That Will Cost Canadian Businesses

There's a widespread assumption among Canadian businesses outside Quebec that Law 25 — Quebec's modernized private sector privacy law, formally Act 25 amending the Act respecting the protection of personal information in the private sector — is a Quebec problem. The logic goes: we're based in Toronto, or Vancouver, or Calgary, so Quebec's privacy law doesn't apply to us.

That logic is wrong, and the consequences of acting on it are significant. Law 25 applies to any person carrying on an enterprise in Quebec, and it applies to any organization that collects, holds, uses, or communicates personal information about Quebec residents — regardless of where that organization is incorporated or headquartered.

If your e-commerce store has customers in Montreal, Law 25 applies to how you handle their personal information. If your SaaS platform has Quebec-based subscribers, you're under Law 25's obligations. If your professional services firm has clients in Quebec, their data is subject to the law. This isn't a technicality — it's the explicit scope of the legislation.

What Law 25 Actually Changed

Quebec had privacy legislation before Law 25. The old Act respecting the protection of personal information in the private sector had been in place since 1994. Law 25 is a significant modernization — in some respects, it brings Quebec closer to GDPR standards than PIPEDA does.

The law rolled out in three phases. The first phase came into force in September 2022: new breach notification rules, mandatory privacy impact assessments for high-risk technology projects, new requirements for the communication of personal information outside Quebec.

The second phase came in September 2023: the right to data portability (the right to receive your personal information in a structured format), the right to be forgotten (the right to request de-indexing of information that could harm you), expanded consent requirements, and the requirement to appoint a person responsible for the protection of personal information at every enterprise.

The third phase came in September 2024: enforcement teeth. The Commission d'accès à l'information (CAI), Quebec's privacy regulator, now has the ability to impose administrative monetary penalties of up to $25 million CAD or 4% of worldwide turnover for serious violations — whichever is higher. That penalty structure is comparable to GDPR and significantly higher than PIPEDA's current maximums.

The Requirements That Catch Non-Quebec Businesses Off Guard

The privacy officer requirement. Every enterprise subject to Law 25 must designate a person responsible for the protection of personal information. For small organizations, this is typically the CEO or a designated senior employee. This information must be published on your website or made available through your usual methods of communication. If you have Quebec customers and your website doesn't identify a privacy contact person, you're already out of compliance.

Privacy policy transparency. Law 25 requires your privacy policy to be written in clear and simple language and to be easily accessible to the people whose information you collect. It must explain how personal information is collected, why it's used, and to whom it's communicated. It must describe how people can exercise their rights. A boilerplate policy that was drafted for PIPEDA compliance may not satisfy Law 25's specificity requirements.

Consent mechanics. Law 25 requires that consent be manifest, free, and informed. Consent obtained through pre-checked boxes, buried clauses, or confusing language doesn't satisfy this standard. If you collect personal information from Quebec residents through any form — checkout flows, newsletter signups, contact forms — your consent mechanism needs review.

Cross-border transfers. If you use any service provider that processes personal information outside Quebec — which includes most US-based SaaS tools — you need to conduct a privacy impact assessment before that communication takes place. You also need a contractual clause ensuring the information receives equivalent protection. This requirement catches the vast majority of Canadian businesses that use US-based CRMs, email platforms, or cloud storage.

The right to be forgotten. Under Law 25, a person can request that an organization cease disseminating their personal information and de-index any hyperlinks attached to their name. For most SMBs, this practically means having a process to remove someone from your marketing lists, disable their account, and remove any public-facing profile information about them.

The CAI's Enforcement Approach

The Commission d'accès à l'information has been more active in 2025 and 2026 than it was under the old regime. The CAI has authority to conduct audits, investigate complaints, and impose administrative penalties — and it has made public statements about its intention to enforce the law against organizations of all sizes, not just large enterprises.

The CAI's complaint process is accessible. A Quebec resident who believes their privacy rights have been violated can file a complaint directly through the CAI's website. The complaint triggers a response obligation from your organization and potentially an investigation. The investigation can result in orders to change practices, orders to destroy improperly held information, and monetary penalties.

One pattern from early Law 25 enforcement: the CAI is particularly focused on cross-border data transfers that weren't properly assessed, and on organizations that collected personal information without meaningful consent. These are exactly the areas where organizations outside Quebec are most likely to have gaps.

A Practical Law 25 Readiness Checklist for Non-Quebec Businesses

If you have Quebec customers or users, work through these before assuming you're covered:

Does your website clearly identify a person responsible for personal information protection? Is there a way to contact that person?

Does your privacy policy explain how consent is obtained, what data is collected, where it goes, and how people can exercise their rights under Law 25 specifically?

Do your consent mechanisms comply with the manifest, free, and informed standard — no pre-checked boxes, no bundled consents, plain language?

Have you identified every service provider that receives personal information of Quebec residents? Have you conducted a privacy impact assessment for transfers outside Quebec?

Do you have a process for responding to right-to-be-forgotten requests from Quebec residents?

Do you have a breach notification process that meets Law 25's requirements, including notification to the CAI and to affected individuals within specified timeframes?

None of these is technically complex. All of them require intentional effort. The organizations that have worked through this list — even imperfectly — are in a far better position than those that assumed Law 25 was someone else's problem.
