What is Law 25?
What is Law 25?
Law 25 (formerly Bill 64) is Québec's sweeping update to its private-sector privacy law, officially titled *An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information* (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels — LMRSPP in French).
Law 25 substantially rewrites the *Act respecting the protection of personal information in the private sector* (LPRPSP) of 1994 — Québec's foundational private-sector privacy statute. It also amends the *Act respecting access to documents held by public bodies and the protection of personal information* (LRDPSP), which governs the public sector.
Official source: Commission d'accès à l'information — Law 25
Why Law 25 Was Created
The 1994 Québec privacy law was written before widespread internet use, social media, cloud computing, or data brokers. By the early 2020s, it was clearly insufficient for the modern data economy. The Legault government introduced Bill 64 to:
- Align Québec with GDPR-level protections — ensuring data can flow between Québec and the EU without restrictions
- Address AI systems and automated decision-making about individuals
- Require active transparency and granular consent — not buried terms of service
- Create meaningful financial accountability through heavy penalties
- Establish a "privacy by design" culture in all organizations
Law 25 is widely recognized as the strictest private-sector privacy law in Canada and one of the most comprehensive in North America.
Three-Phase Implementation
Law 25 was implemented in three annual phases to give organizations time to adapt:
| Phase | Date | Key Changes |
|---|---|---|
| Phase 1 | September 22, 2022 | Mandatory Privacy Officer, privacy incident register, breach notification to CAI, confidentiality obligations |
| Phase 2 | September 22, 2023 | Privacy Impact Assessments (PIAs), confidentiality agreements with third parties, cross-border transfer rules, privacy policy requirements, website tracking transparency |
| Phase 3 | September 22, 2024 | Right to data portability, right to de-indexation (right to be forgotten), automated decision-making disclosures, stricter consent technology standards |
Who Must Valdra?
Law 25 applies to every enterprise that collects, holds, uses, or communicates personal information about a natural person — regardless of size, revenue, or sector — if that enterprise:
- Is established in Québec, or
- Collects personal information about persons located in Québec, even if the enterprise has no physical presence in the province
This extraterritorial reach is critical: a startup in Toronto with 1,000 Québec customers must comply with Law 25. A US e-commerce company shipping to Québec must comply with Law 25.
There is no small business exemption. However, the CAI has acknowledged that compliance expectations are proportional to the size, nature, and sensitivity of data processing activities.
Financial Penalties
Law 25 introduced the most significant privacy penalties in Canada:
| Type | Imposed By | Maximum |
|---|---|---|
| Administrative monetary penalty | CAI (Commission d'accès à l'information) | Higher of 2% of worldwide revenue or $10 million CAD |
| Penal sanction | Courts | Higher of 4% of worldwide revenue or $25 million CAD |
Penal sanctions apply to the most serious violations — deliberate non-disclosure of breaches, obstructing CAI investigations, collecting information without lawful basis for a prohibited purpose.
The Commission d'accès à l'information (CAI)
The CAI is Québec's independent privacy regulator — equivalent in function to the OPC federally but with broader enforcement powers and the ability to impose administrative penalties directly without going to court.
Contact and guidance: www.cai.gouv.qc.ca
The CAI publishes:
- Practical guidance on each Law 25 obligation
- Model templates for privacy policies and consent forms
- Decision precedents from past investigations
- Guidance on cross-border transfer adequacy assessments
Module Quiz
1. What year did Law 25 Phase 3 — portability rights and automated decision disclosures — come into force?
2. Which body enforces Law 25 in Québec?
3. A company headquartered in Ontario with 5,000 Québec customers must comply with Law 25.
All Modules