Quebec Law 25 compliance means that any organization collecting, using, or disclosing personal information about individuals in Quebec must meet a set of privacy obligations that came into force in three phases, on September 22 of 2022, 2023 and 2024. These obligations include designating a person in charge of the protection of personal information (the privacy officer), conducting privacy impact assessments (PIAs) for projects that acquire, develop or redesign information systems handling personal information, obtaining clear, free and informed consent requested separately from general terms, de-identifying personal information used for study, research or statistical purposes, and reporting confidentiality incidents to the Commission d'accès à l'information du Québec (CAI) and to affected individuals where there is a risk of serious injury. Law 25 (Loi 25, introduced as Bill 64) modernizes Quebec's private-sector privacy framework and applies to every enterprise doing business in Quebec regardless of where it is based, making it one of the strongest provincial privacy laws in Canada.
Quebec Law 25 (S.Q. 2021, chapter 25) amended the Act respecting the protection of personal information in the private sector (CQLR c P-39.1) and the Act respecting Access to documents held by public bodies and the Protection of personal information (CQLR c A-2.1). It applies to any enterprise that collects, holds, uses, or communicates personal information in the course of carrying on an enterprise in Quebec. This includes organizations physically located in Quebec, as well as any out-of-province or out-of-country entity that offers goods or services to individuals in Quebec, monitors their behaviour, or otherwise processes their personal information. The law is enforced by the Commission d'accès à l'information du Québec (CAI), which can issue orders, impose administrative monetary penalties of up to CAD $50,000 for individuals and CAD $10,000,000 or 2% of worldwide turnover (whichever is greater) for organizations, and pursue penal offences carrying fines from CAD $5,000 to $100,000 for individuals and from CAD $15,000 to $25,000,000 or 4% of worldwide turnover (whichever is greater) for organizations.
Key Takeaway: Quebec Law 25 applies to any organization that targets Quebec residents with goods, services, or behavioural monitoring, irrespective of the organization's physical location. The CAI has broad enforcement powers including fines of up to CAD $25 million or 4% of global turnover for the most serious violations.
Every enterprise must have a person in charge of the protection of personal information. Under section 3.1 of the private-sector act, this role falls by default to the person exercising the highest authority in the enterprise, who may delegate all or part of the function in writing to any person, whether an employee or an external agent. The title and contact information of the person in charge must be published on the enterprise's website or, if it has none, made available by other appropriate means. The officer oversees compliance, handles access and correction requests, manages breach response, and ensures privacy impact assessments are conducted, and must have the authority and resources to do so.
Law 25 requires that consent be clear, free, and informed, and given for specific purposes. It must be requested for each such purpose, in clear and simple language, and separately from any other information provided to the individual; it cannot be buried in general terms and conditions. Consent must be express where it concerns sensitive personal information. Individuals must be able to withdraw consent, and an enterprise may not refuse to provide goods or services because an individual declines to disclose personal information unless that information is necessary to provide them. For minors under 14, consent is given by the person having parental authority or the tutor; for minors aged 14 and over, consent may be given by the minor themselves or by the person having parental authority or the tutor (one or the other, not both).
Any project to acquire, develop, or redesign an information system or electronic service delivery system that involves the collection, use, communication, keeping, or destruction of personal information requires a privacy impact assessment (PIA), proportionate to the sensitivity of the information, its intended use, and its volume. The PIA must be completed before the project proceeds and must evaluate the necessity and proportionality of the proposed processing, the measures protecting the information, and the residual risks to individuals. A PIA is also required before communicating personal information outside Quebec, to establish that the information will receive adequate protection. Document the results and keep them on file: the CAI can request them in the course of an investigation or inspection. This obligation applies to new projects as well as significant modifications to existing systems.
Personal information may be used without consent for study, research, or statistical purposes only once it has been de-identified. Law 25 distinguishes two levels: information is de-identified when it no longer allows the person to be directly identified (re-identification remains possible, for example through a key or by combining attributes, so it is still personal information and using it to identify a person is an offence), and anonymized when it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly. Anonymized information is no longer personal information; anonymization is permitted as an alternative to destruction at the end of the retention period, for serious and legitimate purposes, and must follow generally accepted best practices and the criteria set out in the Regulation respecting the anonymization of personal information, including a documented process and a re-identification risk analysis.
Organizations must take reasonable measures to reduce the risk that a confidentiality incident causes injury and to prevent recurrence and, where the incident presents a risk of serious injury, notify the CAI and the affected individuals. The law sets no fixed deadline in days, but requires notification promptly once the organization becomes aware of the incident and concludes that there is a risk of serious injury. The notification must describe the incident and the personal information concerned, the corrective measures taken, the contact information of the privacy officer for further information, and the affected individuals' right to complain to the CAI. Organizations must also keep a register of all confidentiality incidents, including those that do not present a risk of serious injury, and send a copy to the CAI on request.
Key Takeaway: The four pillar obligations under Quebec Law 25 are: (1) a designated privacy officer, (2) mandatory PIAs for new or modified information systems, (3) clear and separate consent with robust withdrawal mechanisms, and (4) prompt breach notification to the CAI and affected individuals where there is a risk of serious injury. Non-compliance can result in fines of up to CAD $25 million or 4% of global turnover.
Quebec's private-sector law has long been deemed substantially similar to Canada's federal private-sector privacy law (PIPEDA), but Law 25 introduces several differences that organizations must understand. Under PIPEDA, privacy impact assessments are recommended but not mandatory for most projects; under Law 25, they are a legal requirement. PIPEDA allows implied consent for certain business purposes; Law 25 requires consent to be requested separately for each purpose, in clear and simple language, and to be express where sensitive personal information is involved. Because Quebec's law is deemed substantially similar, organizations subject to Law 25 generally do not also need to comply with PIPEDA for intra-provincial activities; PIPEDA may still apply to inter-provincial or international data flows. Law 25's provisions on de-identification and anonymization, including the documented process required by the anonymization regulation, are more prescriptive than PIPEDA's general safeguarding principle. The fine ceilings under Law 25 are also far higher than PIPEDA's current maximum of CAD $100,000 per offence. Bill C-27 proposed raising federal penalties to CAD $25 million or 5% of global revenue for offences, but it died on the order paper when Parliament was prorogued in January 2025 and was not enacted.
Begin with a systematic review of your current privacy program mapped to each section of Quebec Law 25, including consent collection mechanisms, PIA processes, breach response procedures, privacy officer designation, data inventory, and record retention schedules. Use the Canada Cybersecurity Compliance framework as a baseline for your assessment.
Designate a privacy officer with sufficient authority, budget, and organizational support, and record any delegation from the person with highest authority in writing. Publish the officer's title and contact information on your website. Ensure the officer is trained on Law 25's specific requirements, including the PIA methodology and breach notification standards.
Establish a PIA protocol that triggers before any new information system or significant modification proceeds. Your PIA should evaluate necessity, proportionality, controls, and residual risk. Document the results and be prepared to share them with the CAI upon request.
Audit all existing consent collection points and reform them to request clear, separate consent for each purpose, with express consent wherever sensitive personal information is involved. Ensure withdrawal mechanisms are simple and do not penalize individuals. Implement age-aware consent workflows: consent of a person having parental authority or tutor for minors under 14, and consent from either the minor or the person having parental authority or tutor for minors aged 14 to 17.
Document your approach to de-identification and anonymization, including the techniques used (e.g., generalization, k-anonymity, l-diversity, differential privacy), the criteria for deciding when a dataset is truly anonymized, the re-identification risk analysis for each dataset, and the safeguards (access control, separation of re-identification keys, contractual prohibitions on re-identification) applied to de-identified data. Train data analysts and researchers on these protocols.
Develop a breach response plan that includes prompt triage, risk assessment for serious injury, CAI notification templates, and individual notification procedures. Maintain a register of all breaches—even low-risk ones—and conduct tabletop exercises at least annually to ensure readiness.
Our team of Canadian privacy experts can help you conduct a gap analysis, build a PIA program, overhaul consent collection, and implement compliant breach notification workflows using CyberSilo Compliance Standards Automation to streamline and evidence your compliance posture.
Many organizations operate dozens of separate systems that collect personal information, each with its own consent interface. To comply with Law 25's requirement for separate, express, and specific consent per purpose, you need a centralized consent management platform that tracks individual consents across systems, provides a unified withdrawal mechanism, and maintains an audit trail. This is where Compliance Standards Automation can help by integrating consent workflows into your existing systems through API connectors and policy-as-code frameworks.
Law 25 mandates PIAs for modifications to existing systems that process personal information. If you have legacy systems that were developed before the law came into effect, any upgrade, migration, or significant process change involving personal data now triggers a PIA requirement. Organizations should prioritize a comprehensive data mapping exercise to identify which legacy systems hold personal information and schedule PIAs for any upcoming modifications.
The statutory standard for anonymization is that it must be reasonably foreseeable, at all times, that the information irreversibly no longer allows the person to be identified directly or indirectly. Removing direct identifiers (names, account numbers) is not enough: the anonymization regulation requires a re-identification risk analysis that considers whether a person can be singled out (individualization), whether records can be linked with other data (correlation), and whether attributes can be deduced (inference), followed by periodic reassessment. Techniques such as k-anonymity, l-diversity, and differential privacy, alone or in combination, are the usual tools for meeting this standard. Commonly cited thresholds such as k ≥ 5 or a privacy budget of ε ≤ 1 are practitioner conventions, not values prescribed by the regulation, so the methodology and the risk assessment must be documented for each dataset.
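The following is an added worked example, not code from the original page or from CyberSilo, showing how the re-identification checks mentioned above and in the de-identification step of the roadmap can be made concrete. It runs over a small constructed table of health records, measures k-anonymity (the individualization criterion: any equivalence class of size 1 singles a person out) and distinct l-diversity (the inference criterion: a class whose sensitive attribute is homogeneous reveals it for everyone in the class), and then generalizes the quasi-identifiers to see whether the thresholds are met. The records, the field names, and the thresholds k ≥ 5 and l ≥ 2 are assumptions made for the example; the regulation prescribes no numeric values.

```python
from collections import defaultdict
from typing import Iterable

# Constructed sample release: direct identifiers already removed.
# Quasi-identifiers (QI) are attributes an attacker could match against
# an external source (voter list, social media); "diagnosis" is sensitive.
RECORDS = [
    {"postal": "H2X 1A1", "age": 31, "diagnosis": "asthma"},
    {"postal": "H2X 1B2", "age": 33, "diagnosis": "diabetes"},
    {"postal": "H2X 2C3", "age": 34, "diagnosis": "asthma"},
    {"postal": "H2X 3D4", "age": 36, "diagnosis": "hypertension"},
    {"postal": "H2X 3E5", "age": 37, "diagnosis": "diabetes"},
    {"postal": "H2X 4F6", "age": 39, "diagnosis": "asthma"},
    {"postal": "G1R 1A1", "age": 41, "diagnosis": "influenza"},
    {"postal": "G1R 2B2", "age": 42, "diagnosis": "influenza"},
    {"postal": "G1R 2C3", "age": 44, "diagnosis": "influenza"},
    {"postal": "G1R 3D4", "age": 45, "diagnosis": "influenza"},
    {"postal": "G1R 4E5", "age": 47, "diagnosis": "influenza"},
    {"postal": "G1R 5F6", "age": 48, "diagnosis": "influenza"},
]
QUASI_IDS = ("postal", "age")
SENSITIVE = "diagnosis"


def equivalence_classes(records: Iterable[dict], quasi_ids):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].append(r)
    return groups


def k_anonymity(records, quasi_ids) -> int:
    """Size of the smallest equivalence class; 1 means someone is singled out."""
    groups = equivalence_classes(records, quasi_ids)
    return min(len(g) for g in groups.values()) if groups else 0


def l_diversity(records, quasi_ids, sensitive) -> int:
    """Fewest distinct sensitive values in any class (distinct l-diversity).
    l == 1 means the sensitive attribute is disclosed for the whole class."""
    groups = equivalence_classes(records, quasi_ids)
    return min(len({r[sensitive] for r in g}) for g in groups.values()) if groups else 0


def generalize_postal(code: str, keep: int) -> str:
    """Keep the first `keep` characters (3 = forward sortation area) and mask the rest."""
    return code[:keep] + "*" * (len(code) - keep)


def generalize_age(age: int, width: int) -> str:
    """Replace an exact age with a band of `width` years, e.g. 31 -> '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalize(records, postal_keep: int, age_width: int):
    """Return a copy of the records with coarser quasi-identifiers."""
    return [
        {**r, "postal": generalize_postal(r["postal"], postal_keep),
         "age": generalize_age(r["age"], age_width)}
        for r in records
    ]


def re_identification_report(records, quasi_ids, sensitive, k_min=5, l_min=2) -> dict:
    """Summarize individualization (k) and inference (l) risk against assumed thresholds.
    Correlation with external datasets cannot be measured from the release alone
    and must be covered in the written risk analysis."""
    groups = equivalence_classes(records, quasi_ids)
    k = k_anonymity(records, quasi_ids)
    l = l_diversity(records, quasi_ids, sensitive)
    return {
        "classes": len(groups),
        "singletons": sum(1 for g in groups.values() if len(g) == 1),
        "k": k, "meets_k": k >= k_min,
        "l": l, "meets_l": l >= l_min,
    }


if __name__ == "__main__":
    # Raw release: every (postal, age) pair is unique, so every person is singled out.
    print("raw:", re_identification_report(RECORDS, QUASI_IDS, SENSITIVE))
    # Generalized release: k is satisfied, but the G1R class is homogeneous (l = 1),
    # so anyone known to be in it is revealed to have influenza.
    coarse = generalize(RECORDS, postal_keep=3, age_width=10)
    print("generalized:", re_identification_report(coarse, QUASI_IDS, SENSITIVE))
```

The second report shows why a k-anonymity figure on its own is not evidence of anonymization: the generalized data passes k ≥ 5 yet still leaks the diagnosis of an entire class, which is exactly the inference criterion the risk analysis has to address (by suppressing or further merging that class, or by perturbing the sensitive attribute).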
The CAI's enforcement powers have expanded with each phase of the law. Administrative monetary penalties (AMPs) of up to CAD $50,000 for individuals and CAD $10,000,000 or 2% of worldwide turnover for organizations became available on September 22, 2023, for most obligations. Penal offences, with fines from CAD $5,000 to $100,000 for individuals and from CAD $15,000 to $25,000,000 or 4% of worldwide turnover for organizations, apply to the most serious violations, such as knowingly contravening the law or re-identifying de-identified information. The CAI may also issue compliance orders, suspend or prohibit the processing of personal information, and order the destruction or return of data, and its published decisions name the organizations concerned, adding reputational damage to the financial penalties.
CyberSilo's Compliance Standards Automation solution is designed to help organizations operationalize Quebec Law 25 obligations without manual overhead. The platform provides pre-built control mappings aligned to Law 25 sections, including consent management, PIA workflow automation, de-identification policy templates, breach register tracking, and audit-ready evidence collection. For organizations that also need to comply with PIPEDA, Bill C-27 (CPPA and AIDA), PHIPA, or other Canadian privacy frameworks, the platform supports a unified compliance program with cross-framework mapping. CyberSilo's Canadian compliance experts can also provide personalized advisory services through our GRC services in Canada to conduct readiness assessments, develop privacy programs, and respond to CAI inquiries.
Ensure your organization meets all obligations under Quebec Law 25 before the next CAI audit cycle. Our readiness review identifies gaps in consent, PIA, breach response, and privacy officer compliance, and provides a prioritized remediation roadmap.
Quebec Law 25 represents a fundamental shift in Canadian provincial privacy regulation, introducing mandatory privacy impact assessments, strict consent requirements, de-identification standards, and significant financial penalties for non-compliance. For any organization that does business in Quebec or processes data about Quebec residents, achieving compliance is not optional—it is a legal requirement with real enforcement consequences. The phased implementation between 2022 and 2024 means that all major obligations are now in effect, and the CAI has demonstrated its willingness to investigate and penalize non-compliant organizations.
We recommend that organizations subject to Quebec Law 25 prioritize a comprehensive gap analysis against each pillar obligation, appoint and resource a privacy officer, implement a centralized consent and PIA management system, and establish robust breach notification workflows. CyberSilo's Compliance Standards Automation platform is purpose-built to streamline these requirements, reducing manual effort while providing verifiable evidence of compliance for both internal audit and CAI oversight. Start with a readiness review to understand your current posture and build a prioritized roadmap to full compliance.
Our team has deep experience with Quebec Law 25, PIPEDA, and Bill C-27. Let us help you achieve and maintain compliance with confidence.
©Cybersilo 2026 - All Rights Reserved