Quebec Law 25 (Loi sur la protection des renseignements personnels dans le secteur privé, as amended by Bill 64) is a stringent Canadian provincial privacy law that applies to any organization—regardless of where it is based—that collects, uses, or discloses the personal information of individuals in Québec. Effective in phases from September 2022 through 2024, it imposes mandatory privacy impact assessments, data breach reporting to the Commission d'accès à l'information du Québec (CAI) and affected individuals within a reasonable timeframe, express opt-in consent for sensitive data, and steep administrative monetary penalties of up to the greater of $10,000,000 or 2% of global annual revenue for the most serious violations. For organizations already navigating Canada's federal PIPEDA, Bill C-27, or US state privacy regimes, Quebec Law 25 represents a distinct and often more prescriptive compliance obligation with significant enforcement teeth.
What Is Quebec Law 25, and Who Must Comply?
Quebec Law 25 modernizes the province's private-sector privacy framework. Its official title is An Act to modernize legislative provisions as regards the protection of personal information, and it was adopted in September 2021 with staggered enforcement dates beginning September 22, 2022. It replaces and substantially expands upon the previous privacy regime under the Québec Act respecting the protection of personal information in the private sector.
The law applies to any "person carrying on an enterprise" in Québec within the meaning of the Québec Civil Code. Critically, this includes organizations physically located outside the province—including in other Canadian provinces, the United States, or elsewhere—if they collect, use, or disclose personal information about individuals residing in Québec in the course of their business activities. The regulator responsible for enforcement is the Commission d'accès à l'information du Québec (CAI), a dedicated administrative tribunal with broad investigative and penalty powers.
Key regulated entities include:
- Businesses with employees in Québec—every employer must comply as a data controller regarding its Québec-based workforce.
- E-commerce platforms, SaaS providers, financial services firms, telecoms, healthcare organizations, and insurers that serve Québec residents.
- Any organization that collects personal information remotely (e.g., via a website or cloud application) from a person in Québec, even without a physical presence in the province.
- Non-profit organizations and associations that carry on an "enterprise" and hold personal data about members or beneficiaries in Québec.
Notably, Quebec Law 25 is not harmonized with PIPEDA. Where the federal law applies—organizations subject to PIPEDA, such as federally regulated businesses—the Québec law may also apply concurrently, and the stricter standard typically prevails. The CAI and the Office of the Privacy Commissioner of Canada (OPC) have issued joint guidance emphasizing that organizations must comply with the more onerous obligation when both laws apply.
What Are the Core Obligations Under Quebec Law 25?
The law introduces six major new requirements that organizations must operationalize:
1. Mandatory Privacy Impact Assessments (PIAs)
Any project to acquire, develop, or overhaul an information system or electronic service that involves the collection, use, or disclosure of personal information must be preceded by a privacy impact assessment (PIA). This includes cloud migrations, new CRM platforms, HR management systems, and software-as-a-service (SaaS) deployments. The PIA must be documented and retained, and must cover:
- The necessity and proportionality of the personal information collected.
- The risks to privacy and measures to mitigate them.
- Compliance with the law's consent and purpose-limitation requirements.
Unlike some frameworks where PIAs are merely recommended, Quebec Law 25 makes them a legal prerequisite before an information system "goes live."
2. Enhanced Consent Requirements
Consent must be express, free, informed, and given for specific purposes. For sensitive personal information—defined as data that, by its nature or context, gives rise to a high reasonable expectation of privacy (e.g., health, biometric, genetic, financial, or data concerning a person's sex life or sexual orientation)—organizations must obtain express, opt-in consent. Pre-ticked boxes, implied consent, or passive opt-outs are not sufficient for sensitive data. The law also restricts obtaining consent for a secondary purpose (e.g., marketing) if it is not reasonably necessary for the primary transaction.
3. Data Breach Notification and Record-Keeping
Any incident involving unauthorized access, use, disclosure, loss, theft, or destruction of personal information that creates a "risk of serious injury" must be reported to the CAI and to every affected individual. The law does not prescribe a fixed reporting window (PIPEDA, by contrast, requires notice "as soon as feasible", and CIRCIA imposes a 72-hour rule), but the CAI expects prompt notice, generally within a few days of confirmation. Organizations must also:
- Maintain a register of all data breaches (including those not subject to notification) that includes a description of the incident, its date, the data involved, and the corrective measures taken.
- Notify any other organization (e.g., a data processor) that may be able to mitigate the harm.
4. Rights to Data Portability and De-indexing
Individuals have the right to request that their personal information be communicated in a structured, commonly used technological format (data portability). They also have the right to request that a search engine or other technology company cease indexing or referencing their personal information (de-indexing or "right to be forgotten"). Organizations must respond to such requests within 30 days, extendable to 60 days in certain circumstances.
5. Obligations for Biometric and Automated Decision Systems
If an organization uses biometric data to identify or authenticate an individual, it must notify the CAI at least 60 days before implementation and follow strict rules on proportionality, security, and retention. Additionally, when an organization uses personal information to render a "decision based exclusively on automated processing," it must inform the individual of the decision, the reasons for it, and their right to have the decision reviewed by a human being. This provision covers AI-driven credit scoring, hiring algorithms, insurance risk assessments, and similar automated determinations.
6. Privacy Officer and Governance Requirements
Every organization subject to Quebec Law 25 must designate a person (a Privacy Officer) responsible for protecting personal information. The identity and contact information of this person must be published in a visible manner (e.g., on the organization's website). The Privacy Officer is responsible for overseeing the PIA process, handling complaints, ensuring breach notification compliance, and responding to access and portability requests.
Key Takeaways — Quebec Law 25 at a Glance
- Scope: Any organization collecting personal information from individuals in Québec, regardless of where the organization is based.
- Regulator: Commission d'accès à l'information du Québec (CAI).
- Core mandates: Mandatory PIAs before new data systems; express opt-in consent for sensitive data; mandatory breach reporting to CAI and affected individuals; data portability and de-indexing rights; AI decision transparency; biometric system pre-approval.
- Penalties: Up to $10,000,000 or 2% of global annual revenue (whichever is higher) for the most serious administrative violations; criminal penalties also possible.
- Effective dates: Phased from September 22, 2022, through September 22, 2024 (the final phase applies to certain governance requirements and biometric system pre-notification).
How Does Quebec Law 25 Compare to PIPEDA and Bill C-27?
Organizations in Canada face a layered privacy landscape. While PIPEDA is the federal baseline, Quebec Law 25 supersedes or adds to it in several material ways. Bill C-27, the proposed Consumer Privacy Protection Act (CPPA) and Artificial Intelligence and Data Act (AIDA), would—if passed—create a new federal regime, but it would not override Quebec Law 25's provincial primacy. The following comparison highlights key distinctions:
As the table shows, Quebec Law 25 is currently the most prescriptive privacy framework in Canada. Organizations that achieve compliance with it are well-positioned to meet the anticipated CPPA requirements, but the reverse is not always true—PIPEDA or CPPA compliance alone will not satisfy Quebec Law 25's PIA mandate or its biometric and automated-decision provisions.
What Are the Penalties and Enforcement Mechanisms?
The CAI has robust enforcement tools. It can:
- Order an organization to cease collection, use, or disclosure of personal information.
- Require deletion or return of personal information obtained in violation of the law.
- Impose administrative monetary penalties (AMPs) of up to $10,000,000 or, if higher, 2% of the organization's global annual turnover for the preceding fiscal year.
- File a penal (criminal) complaint for willful violations, which can result in fines of up to $25,000,000 or 4% of global revenue, and imprisonment for directors or officers.
- Conduct investigations on its own initiative, take complaints from individuals, and refer cases for prosecution by the Director of Criminal and Penal Prosecutions.
Private individuals also have a right of action for damages resulting from a violation of the law, including "moral damages" (e.g., distress, loss of reputation). Class actions on privacy grounds have already been filed in Québec under the new regime.
The CAI has been active since the first phase took effect. It has issued compliance orders, published detailed guidance on PIAs and breach reporting, and signaled that it expects organizations to have dedicated compliance programs in place by the final September 2024 deadline. Organizations still operating without a privacy officer, a PIA process, or a breach register should prioritize gap remediation immediately.
Practical Steps to Achieve and Sustain Compliance
For organizations in Québec or serving Québec residents, a structured compliance roadmap is essential. The following process flow outlines the recommended steps:
Conduct a Foundational Data Privacy Audit
Inventory all personal information assets held by the organization, including those stored in cloud systems, by third-party processors, or in legacy databases. Classify each data element by sensitivity (non-sensitive, sensitive) and source (employees, customers, website visitors). Identify all systems—HRIS, CRM, marketing automation, payment gateways—that collect, process, or store personal information of Québec residents. This step provides the baseline for PIAs and consent updates.
Appoint a Privacy Officer and Publish Contact Information
Designate a qualified individual (or a team, reporting to a named person) as the Privacy Officer. Ensure their name, title, and a dedicated privacy contact email or phone number are publicly accessible—typically on the organization's privacy policy page, on its website, and in its annual privacy report. The Privacy Officer must have authority to oversee PIA processes, breach response, and consent management.
Perform PIAs for All Existing and Planned Information Systems
Review every information system or electronic service that Québec residents interact with—even if that system was deployed before the law took effect. For any system that did not undergo a PIA at its launch, perform one retroactively and document it. For all new projects, embed a PIA gate into the project lifecycle. The PIA should directly map the system's data flows, purposes, legal bases for collection, and security controls to Quebec Law 25's requirements.
Update Consent Mechanisms for All Data Subjects
Review and revise all consent collection points—website banners, form checkboxes, employee onboarding agreements, data-sharing clauses in contracts. Ensure that consent is granular, opt-in, and specific to each processing purpose. For any processing of sensitive data (health, biometric, financial), implement a separate, explicit opt-in flow that does not bundle with general terms and conditions. Remove any pre-ticked boxes or passive opt-out models.
Establish a Breach Response Capability and Register
Create a documented incident response plan that includes: (a) procedures for detecting and confirming a breach involving personal information; (b) a template for notifying the CAI; (c) a template for notifying affected individuals; (d) a register to record every breach (including those not subject to notification). Ensure that notification can be issued within a few business days of confirmation, and that your organization has a legal or compliance resource ready to assess "risk of serious injury."
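The register and triage logic described in this step can be modelled directly. The following is an added illustration, not CyberSilo's code nor a CAI form: it records every incident (including those below the notification threshold) with the fields the breach section above requires, applies the "risk of serious injury" factors listed later in this article as the notification trigger, tracks notice to the CAI, to affected individuals, and to other organizations able to mitigate the harm, and flags records whose notice is slipping past an internal target. The `Harm` categories, the five-day `grace_days` target, and the two sample incidents are this example's own assumptions, constructed for illustration.

```python
"""Breach register and notification-triage model for Quebec Law 25 (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum, auto
from typing import Dict, Iterable, List, Optional, Set


class Harm(Enum):
    """Plausible consequences that meet the 'risk of serious injury' threshold (assumed set)."""
    IDENTITY_THEFT = auto()
    FINANCIAL_HARM = auto()
    REPUTATIONAL_DAMAGE = auto()
    EMOTIONAL_DISTRESS = auto()


@dataclass
class BreachRecord:
    """One register entry; recorded whether or not notification is owed."""
    description: str
    occurred_on: date
    confirmed_on: date
    data_involved: List[str]
    corrective_measures: List[str]
    plausible_harms: Set[Harm] = field(default_factory=set)
    cai_notified_on: Optional[date] = None
    individuals_notified_on: Optional[date] = None
    # Other organizations (e.g. a processor) told so they can help mitigate the harm
    mitigating_parties_notified: List[str] = field(default_factory=list)

    def risk_of_serious_injury(self) -> bool:
        # Assumption: any plausible harm from the Harm list crosses the threshold.
        return bool(self.plausible_harms)

    def notification_complete(self) -> bool:
        return self.cai_notified_on is not None and self.individuals_notified_on is not None


class BreachRegister:
    def __init__(self) -> None:
        self.records: List[BreachRecord] = []

    def record(self, rec: BreachRecord) -> BreachRecord:
        """Every incident goes in, including those below the notification threshold."""
        self.records.append(rec)
        return rec

    def pending_notifications(self) -> List[BreachRecord]:
        """Notifiable incidents for which CAI or individual notice is still outstanding."""
        return [r for r in self.records
                if r.risk_of_serious_injury() and not r.notification_complete()]

    def overdue(self, today: date, grace_days: int = 5) -> List[BreachRecord]:
        """grace_days is an assumed internal target for 'prompt' notice, not a statutory deadline."""
        cutoff = today - timedelta(days=grace_days)
        return [r for r in self.pending_notifications() if r.confirmed_on <= cutoff]

    def mark_notified(self, rec: BreachRecord, on: date,
                      mitigating_parties: Iterable[str] = ()) -> None:
        rec.cai_notified_on = on
        rec.individuals_notified_on = on
        rec.mitigating_parties_notified.extend(mitigating_parties)

    def export_rows(self) -> List[Dict[str, object]]:
        """Flat rows carrying the fields the register must hold, for regulator review."""
        return [{
            "description": r.description,
            "date": r.occurred_on.isoformat(),
            "data_involved": list(r.data_involved),
            "corrective_measures": list(r.corrective_measures),
            "notifiable": r.risk_of_serious_injury(),
            "notification_complete": r.notification_complete(),
        } for r in self.records]


def build_sample_register() -> BreachRegister:
    """Two constructed incidents: one notifiable, one logged but below the threshold."""
    reg = BreachRegister()
    reg.record(BreachRecord(
        description="Laptop holding an unencrypted customer export lost in transit (constructed)",
        occurred_on=date(2024, 10, 1), confirmed_on=date(2024, 10, 3),
        data_involved=["name", "postal address", "bank account number"],
        corrective_measures=["remote wipe issued", "full-disk encryption enforced on fleet"],
        plausible_harms={Harm.IDENTITY_THEFT, Harm.FINANCIAL_HARM}))
    reg.record(BreachRecord(
        description="Staff newsletter delivered to a wrong internal mailbox (constructed)",
        occurred_on=date(2024, 10, 2), confirmed_on=date(2024, 10, 2),
        data_involved=["employee first names"],
        corrective_measures=["recipient list corrected"]))
    return reg


def demo() -> Dict[str, int]:
    """Walk the register through triage and notification; returns counts at each stage."""
    reg = build_sample_register()
    result = {"recorded": len(reg.records),
              "pending_before": len(reg.pending_notifications()),
              "overdue_on_oct_10": len(reg.overdue(date(2024, 10, 10))),
              "overdue_on_oct_5": len(reg.overdue(date(2024, 10, 5)))}
    reg.mark_notified(reg.records[0], date(2024, 10, 4), ["payroll processor (constructed)"])
    result["pending_after"] = len(reg.pending_notifications())
    result["rows_exported"] = len(reg.export_rows())
    return result


if __name__ == "__main__":
    print(demo())
```

The second incident never reaches the CAI, but it still appears in `export_rows()`, which is the point of the register: the CAI can see that below-threshold incidents were assessed rather than ignored. The harm assessment is deliberately a single predicate so the legal or compliance reviewer's judgement, not the tooling, decides what counts as a plausible harm.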
Implement Data Portability, De-indexing, and Automated Decision Processes
Design processes to: (1) respond to data portability requests within 30 days (extendable to 60); (2) respond to de-indexing requests for search engines and online platforms; (3) identify any fully automated decisions made about individuals, and create a mechanism to provide a timely explanation and a path to human review. For organizations using or planning to use biometric systems, submit the mandatory 60-day pre-notification to the CAI before implementation.
Embed Continuous Compliance Monitoring and Third-Party Risk Management
Quebec Law 25's requirements are ongoing. Conduct annual reviews of your PIA register, consent records, and breach register. Implement automated monitoring for new data processing activities, changes in vendor data handling practices, and emerging CAI guidance. Assess the compliance posture of all third-party data processors—ask for their own PIAs, consent records, and breach notification processes. Map these contracts to the organization's obligations under the law.
Strategic Insight: Quebec Law 25 compliance is not a one-off project. The CAI has indicated it will prioritize organizations that "systematically integrate" privacy into governance. Organizations treating compliance as a checkbox exercise—rather than embedding PIAs, consent management, and breach readiness into their operational and technology stack—face the highest risk of enforcement actions and class-action exposure.
How CyberSilo Supports Quebec Law 25 Compliance
Meeting Quebec Law 25's obligations—particularly the PIA requirement, breach response, and consent governance—demands a combination of policy expertise, technology automation, and continuous monitoring. CyberSilo's Compliance Standards Automation platform helps Canadian organizations operationalize these requirements at scale.
Our solution directly addresses the law's most operationally challenging elements:
- Automated PIA workflows: Pre-built templates and step-by-step guidance map directly to Quebec Law 25's PIA criteria, ensuring that every new system deployment is compliance-ready before launch.
- Consent lifecycle management: Centralized tracking of consent types, data sensitivity classification, and re-consent triggers that adapt to changes in data use or legal interpretations.
- Breach register and notification automation: A built-in incident register that captures all required fields, generates CAI-ready notification texts, and maintains a complete audit trail for regulatory review.
- Third-party risk integration: Automatically assess vendor PIAs, privacy policies, and breach records against the organization's compliance threshold, and flag gaps for remediation.
As a provider of compliance and security services to Canadian organizations, CyberSilo's Canada cybersecurity compliance services offer a comprehensive framework that also addresses the interplay between Quebec Law 25, PIPEDA, Bill C-27, and sector-specific regulations such as OSFI Guideline B-13 for federally regulated financial institutions. For organizations in Québec, our Quebec Law 25 compliance services provide end-to-end readiness assessments, PIA facilitation, and ongoing monitoring support.
Is Your Organization Ready for Quebec Law 25 Enforcement?
With the final phase now in effect and the CAI actively enforcing, every organization serving Québec residents needs a complete compliance picture. A structured, technology-enabled approach minimizes risk and reduces operational overhead. Schedule a confidential compliance assessment with CyberSilo's team to identify gaps in your privacy program before they become regulatory action or litigation.
Common Pitfalls and How to Avoid Them
Even organizations with mature privacy programs often miss critical Quebec Law 25 requirements. The following are the most frequent compliance gaps we observe:
Pitfall 1: Assuming PIPEDA compliance is sufficient. Quebec Law 25 is more stringent in several dimensions—particularly PIAs, sensitive data consent, and automated decision transparency. Organizations that rely solely on their PIPEDA program expose themselves to enforcement action by the CAI.
Pitfall 2: Failing to scope PIAs to existing legacy systems. The law requires a PIA before implementing an information system "or electronic service." Many organizations interpret this as applying only to new systems. The CAI's interpretation is that if the system was not preceded by a PIA, one must be performed retroactively—and that any material change to an existing system triggers a new PIA requirement.
Pitfall 3: Treating breach notification as discretionary. The "risk of serious injury" threshold is broader than PIPEDA's "real risk of significant harm." Organizations often under-report incidents to the CAI, assuming only confirmed data theft requires notification. Any unauthorized access or loss that could plausibly lead to identity theft, financial harm, reputational damage, or emotional distress should trigger the notification obligation.
Pitfall 4: Neglecting de-indexing requests. Unlike the "right to be forgotten" under GDPR, Quebec Law 25's de-indexing obligation applies to organizations that operate search engines or online platforms accessible in Québec. Even if your organization is not a search engine provider, if you operate a public-facing directory, listing, or forum, you may be subject to de-indexing requests from individuals.
Pitfall 5: Overlooking biometric system pre-notification. Any organization using—or planning to use—biometric data (fingerprint, facial recognition, voiceprint, etc.) for identification, authentication, or access control must notify the CAI at least 60 days before implementation. The CAI has published detailed guidance on what the notice must include: the nature of the biometric data, the purposes, the security measures, and the retention period. Non-compliance can result in an order to cease the biometric system entirely.
Our Conclusion & Recommendation
Quebec Law 25 represents a significant regulatory shift that demands a deliberate, systematic compliance response. Its phased deadlines have now fully taken effect, and the CAI is actively investigating and ordering corrective measures. For organizations with operations in Québec—or simply serving Québec residents—the combination of mandatory PIAs, enhanced consent regimes, automated decision transparency, and substantial penalties creates a liability profile that cannot be addressed reactively.
Organizations that invest now in a compliance automation platform—such as CyberSilo's Compliance Standards Automation—can reduce the cost and complexity of meeting these requirements while building a defensible compliance posture that also positions them for Bill C-27 and evolving provincial privacy laws. The key is to move beyond paper-based compliance and embed privacy governance directly into the technology systems that process personal information. A comprehensive assessment, followed by systematic remediation across the seven steps outlined above, will place your organization on a solid footing for enforcement and litigation alike.
Book Your Quebec Law 25 Compliance Assessment
CyberSilo's team of compliance specialists can help you map your current state against all phases of Quebec Law 25, identify gaps, and prioritize a remediation plan that fits your operational and budgetary context. Contact us today to schedule your confidential assessment.
