PrivacyQuebec, CanadaIn force September 22, 2023 (full enforcement)

Law 25

Act Respecting the Protection of Personal Information in the Private Sector (Bill 64 / Law 25)

Quebec's sweeping privacy reform — Canada's strictest

Overview

Law 25 modernized Quebec's private-sector privacy law and is the most comprehensive privacy legislation in Canada. It introduced mandatory Privacy Impact Assessments for high-risk projects, a 72-hour breach notification window, explicit consent requirements for profiling, and the right to data portability. It applies to any organization that collects Quebec residents' personal information.

Authority

Commission d'accès à l'information du Québec (CAI)

Jurisdiction

Quebec, Canada

Effective date

September 22, 2023 (full enforcement)

Applicability

Who must comply with Law 25?

Any organization — regardless of where it is incorporated or headquartered — that collects, holds, uses, or communicates the personal information of Quebec residents. This includes non-Quebec businesses operating websites, apps, or services accessible to Quebec consumers.

Compliance scope

Your organization collects personal information

You operate in the applicable jurisdiction

Commercial activities are involved

You use or disclose personal data

Not sure if Law 25 applies? Run a free assessment →

Requirements

Key obligations under Law 25

Privacy Officer Designation

Publish the name and contact of your privacy officer (or by title) on your website. This is publicly verifiable.

Privacy Impact Assessments

Conduct a PIA before any new project involving high-risk personal information processing. This is mandatory under Law 25 Phase 2.

72-Hour Breach Notification

Report breaches with serious injury risk to the CAI within 72 hours — stricter than PIPEDA's "as soon as feasible" standard.

Consent for Profiling

Explicit opt-in consent is required before using personal information for profiling, targeted advertising, or automated decision-making.

Data Portability

Individuals can request their personal information in a structured, technology-neutral format for transfer to another service provider.

Cross-border Transfer Rules

Before transferring personal information outside Quebec, conduct a privacy impact assessment and obtain a signed data transfer agreement.

Enforcement

Penalties & enforcement

Maximum penalty

$25M CAD or 4% of global revenue

Enforced by: Commission d'accès à l'information (CAI)

Notable case

Desjardins was fined following a 9.7M member data breach — the largest in Canadian history

How Canuckt keeps you penalty-free:

Guides you through a full Law 25 gap assessment covering all three phases of implementation

Generates PIA templates pre-formatted for CAI review with risk scoring and mitigation steps

Manages your 72-hour breach notification clock with CAI-specific report templates in English and French

Tracks consent for profiling activities and generates compliant profiling opt-in language for your website

Frameworks that often overlap with Law 25

Privacy

PIPEDA

Canada's federal private-sector privacy law

Privacy

CPPA / Bill C-27

Canada's GDPR-equivalent — the biggest privacy law reform in 20 years

Privacy

PIPA (BC)

BC's private-sector privacy law — recognized as substantially similar to PIPEDA

Run a free Law 25 gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with Law 25 — in under 3 hours. Free forever.

Start free assessment

No credit card

Results in hours

Canadian data residency