CanucktAI
Privacy | Quebec, Canada | In force September 22, 2023 (full enforcement)

Law 25

Act Respecting the Protection of Personal Information in the Private Sector (Bill 64 / Law 25)

Quebec's sweeping privacy reform — Canada's strictest

Overview

Law 25 modernized Quebec's private-sector privacy law and is the most comprehensive privacy legislation in Canada. It introduced mandatory Privacy Impact Assessments for high-risk projects, a 72-hour breach notification window, explicit consent requirements for profiling, and the right to data portability. It applies to any organization that collects Quebec residents' personal information.

Authority: Commission d'accès à l'information du Québec (CAI)
Jurisdiction: Quebec, Canada
Effective date: September 22, 2023 (full enforcement)

Applicability

Who must comply with Law 25?

Any organization — regardless of where it is incorporated or headquartered — that collects, holds, uses, or communicates the personal information of Quebec residents. This includes non-Quebec businesses operating websites, apps, or services accessible to Quebec consumers.

Compliance scope
Your organization collects personal information
You operate in the applicable jurisdiction
Commercial activities are involved
You use or disclose personal data


Requirements

Key obligations under Law 25

Privacy Officer Designation

Publish the name (or title) and contact information of your privacy officer on your website. This is publicly verifiable.

Privacy Impact Assessments

Conduct a PIA before any new project involving high-risk personal information processing. This is mandatory under Law 25 Phase 2.

72-Hour Breach Notification

Report breaches that pose a risk of serious injury to the CAI within 72 hours, which is stricter than PIPEDA's "as soon as feasible" standard.

Consent for Profiling

Explicit opt-in consent is required before using personal information for profiling, targeted advertising, or automated decision-making.

Data Portability

Individuals can request their personal information in a structured, technology-neutral format for transfer to another service provider.

Cross-border Transfer Rules

Before transferring personal information outside Quebec, conduct a privacy impact assessment and obtain a signed data transfer agreement.

Enforcement

Penalties & enforcement

Maximum penalty: $25M CAD or 4% of global revenue
Enforced by: Commission d'accès à l'information (CAI)
Notable case

Desjardins was fined following a 9.7M member data breach — the largest in Canadian history

How Canuckt keeps you penalty-free:
Guides you through a full Law 25 gap assessment covering all three phases of implementation
Generates PIA templates pre-formatted for CAI review with risk scoring and mitigation steps
Manages your 72-hour breach notification clock with CAI-specific report templates in English and French
Tracks consent for profiling activities and generates compliant profiling opt-in language for your website

Run a free Law 25 gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with Law 25 — in under 3 hours. Free forever.

No credit card
Results in hours
Canadian data residency