
What Is Quebec Law 25? A Compliance Guide

Quebec Law 25 explained for Canadian organizations — clear, practical guidance to meet Canadian privacy duties. Learn the essentials with CyberSilo.

📅 Published: June 2026 🔐 Cybersecurity • Canada Privacy • Canada ⏱️ 2,200 words

Quebec Law 25 (Loi sur la protection des renseignements personnels dans le secteur privé, as amended by Bill 64) is a stringent Canadian provincial privacy law that applies to any organization—regardless of where it is based—that collects, uses, or discloses the personal information of individuals in Québec. Effective in phases from September 2022 through 2024, it imposes mandatory privacy impact assessments, data breach reporting to the Commission d'accès à l'information du Québec (CAI) and affected individuals within a reasonable timeframe, express opt-in consent for sensitive data, and steep administrative monetary penalties of up to the greater of $10,000,000 or 2% of global annual revenue for the most serious violations. For organizations already navigating Canada's federal PIPEDA, Bill C-27, or US state privacy regimes, Quebec Law 25 represents a distinct and often more prescriptive compliance obligation with significant enforcement teeth.

What Is Quebec Law 25, and Who Must Comply?

Quebec Law 25 modernizes the province's private-sector privacy framework. Its official title is An Act to modernize legislative provisions as regards the protection of personal information, and it was adopted in September 2021 with staggered enforcement dates beginning September 22, 2022. It replaces and substantially expands upon the previous privacy regime under the Québec Act respecting the protection of personal information in the private sector.

The law applies to any "person carrying on an enterprise" in Québec within the meaning of the Québec Civil Code. Critically, this includes organizations physically located outside the province—including in other Canadian provinces, the United States, or elsewhere—if they collect, use, or disclose personal information about individuals residing in Québec in the course of their business activities. The regulator responsible for enforcement is the Commission d'accès à l'information du Québec (CAI), a dedicated administrative tribunal with broad investigative and penalty powers.

Key regulated entities include:

Notably, Quebec Law 25 is not harmonized with PIPEDA. Where the federal law applies—organizations subject to PIPEDA, such as federally regulated businesses—the Québec law may also apply concurrently, and the stricter standard typically prevails. The CAI and the Office of the Privacy Commissioner of Canada (OPC) have issued joint guidance emphasizing that organizations must comply with the more onerous obligation when both laws apply.

What Are the Core Obligations Under Quebec Law 25?

The law introduces six major new requirements that organizations must operationalize:

1. Mandatory Privacy Impact Assessments (PIAs)

Any project to acquire, develop, or overhaul an information system or electronic service that involves the collection, use, or disclosure of personal information must be preceded by a privacy impact assessment (PIA). This includes cloud migrations, new CRM platforms, HR management systems, and software-as-a-service (SaaS) deployments. The PIA must be documented and retained, and must cover:

Unlike some frameworks where PIAs are merely recommended, Quebec Law 25 makes them a legal prerequisite before an information system "goes live."

2. Express Consent for Sensitive Personal Information

Consent must be express, free, informed, and given for specific purposes. For sensitive personal information—defined as data that, by its nature or context, gives rise to a high reasonable expectation of privacy (e.g., health, biometric, genetic, financial, or data concerning a person's sex life or sexual orientation)—organizations must obtain express, opt-in consent. Pre-ticked boxes, implied consent, or passive opt-outs are not sufficient for sensitive data. The law also restricts obtaining consent for a secondary purpose (e.g., marketing) if it is not reasonably necessary for the primary transaction.

3. Data Breach Notification and Record-Keeping

Any incident involving unauthorized access, use, disclosure, loss, theft, or destruction of personal information that creates a "risk of serious injury" must be reported to the CAI and to every affected individual. The law does not prescribe a fixed reporting window (unlike PIPEDA's "as soon as feasible" or CIRCIA's 72-hour rule), but the CAI expects prompt notice—generally within a few days of confirmation. Organizations must also:

4. Rights to Data Portability and De-indexing

Individuals have the right to request that their personal information be communicated in a structured, commonly used technological format (data portability). They also have the right to request that a search engine or other technology company cease indexing or referencing their personal information (de-indexing or "right to be forgotten"). Organizations must respond to such requests within 30 days, extendable to 60 days in certain circumstances.

5. Obligations for Biometric and Automated Decision Systems

If an organization uses biometric data to identify or authenticate an individual, it must notify the CAI at least 60 days before implementation and follow strict rules on proportionality, security, and retention. Additionally, when an organization uses personal information to render a "decision based exclusively on automated processing," it must inform the individual of the decision, the reasons for it, and their right to have the decision reviewed by a human being. This provision covers AI-driven credit scoring, hiring algorithms, insurance risk assessments, and similar automated determinations.

6. Privacy Officer and Governance Requirements

Every organization subject to Quebec Law 25 must designate a person (a Privacy Officer) responsible for protecting personal information. The identity and contact information of this person must be published in a visible manner (e.g., on the organization's website). The Privacy Officer is responsible for overseeing the PIA process, handling complaints, ensuring breach notification compliance, and responding to access and portability requests.

Key Takeaways — Quebec Law 25 at a Glance

  • Scope: Any organization collecting personal information from individuals in Québec, regardless of where the organization is based.
  • Regulator: Commission d'accès à l'information du Québec (CAI).
  • Core mandates: Mandatory PIAs before new data systems; express opt-in consent for sensitive data; mandatory breach reporting to CAI and affected individuals; data portability and de-indexing rights; AI decision transparency; biometric system pre-approval.
  • Penalties: Up to $10,000,000 or 2% of global annual revenue (whichever is higher) for the most serious administrative violations; criminal penalties also possible.
  • Effective dates: Phased from September 22, 2022, through September 22, 2024 (the final phase applies to certain governance requirements and biometric system pre-notification).

How Does Quebec Law 25 Compare to PIPEDA and Bill C-27?

Organizations in Canada face a layered privacy landscape. While PIPEDA is the federal baseline, Quebec Law 25 supersedes or adds to it in several material ways. Bill C-27, the proposed Consumer Privacy Protection Act (CPPA) and Artificial Intelligence and Data Act (AIDA), would—if passed—create a new federal regime, but it would not override Quebec Law 25's provincial primacy. The following comparison highlights key distinctions:

| Requirement | PIPEDA (Current) | Quebec Law 25 | Bill C-27 / CPPA (Proposed) |
|---|---|---|---|
| Privacy Impact Assessments | Recommended, not mandatory | Mandatory before implementing new information systems or services | Mandatory for certain activities (regulations not yet drafted) |
| Sensitive Data Consent | Implied or express acceptable depending on context | Express opt-in required for sensitive data | Express opt-in for sensitive data, similar to Quebec Law 25 |
| Breach Notification | Report to OPC + affected individuals if "real risk of significant harm"; no fixed timeframe but "as soon as feasible" | Report to CAI + affected individuals if "risk of serious injury"; no fixed timeframe but prompt notice expected | Report to new Personal Information and Data Protection Tribunal + affected individuals; timelines remain undefined |
| Data Portability | Limited to certain regulated sectors (e.g., banking); no general right | Explicit right to structured, commonly used format | Explicit right to portability in digital format |
| Automated Decision Transparency | Not addressed | Right to be informed of and request human review of automated decisions | Right to request explanation of automated decisions (AIDA will separately regulate AI systems) |
| Administrative Penalties (Max) | $100,000 per violation (very rarely issued at maximum) | $10,000,000 or 2% of global annual revenue (whichever is greater) | Up to $10,000,000 or 3% of global annual revenue (whichever is greater) |

As the table shows, Quebec Law 25 is currently the most prescriptive privacy framework in Canada. Organizations that achieve compliance with it are well-positioned to meet the anticipated CPPA requirements, but the reverse is not always true—PIPEDA or CPPA compliance alone will not satisfy Quebec Law 25's PIA mandate or its biometric and automated-decision provisions.

What Are the Penalties and Enforcement Mechanisms?

The CAI has robust enforcement tools. It can:

Private individuals also have a right of action for damages resulting from a violation of the law, including "moral damages" (i.e., distress, loss of reputation). Class actions on privacy grounds have already been filed in Québec under the new regime.

The CAI has been active since the first phase took effect. It has issued compliance orders, published detailed guidance on PIAs and breach reporting, and signaled that it expects organizations to have dedicated compliance programs in place by the final September 2024 deadline. Organizations still operating without a privacy officer, a PIA process, or a breach register should prioritize gap remediation immediately.

Practical Steps to Achieve and Sustain Compliance

For organizations in Québec or serving Québec residents, a structured compliance roadmap is essential. The following process flow outlines the recommended steps:

1. Conduct a Foundational Data Privacy Audit

Inventory all personal information assets held by the organization, including those stored in cloud systems, by third-party processors, or in legacy databases. Classify each data element by sensitivity (non-sensitive, sensitive) and source (employees, customers, website visitors). Identify all systems—HRIS, CRM, marketing automation, payment gateways—that collect, process, or store personal information of Québec residents. This step provides the baseline for PIAs and consent updates.

2. Appoint a Privacy Officer and Publish Contact Information

Designate a qualified individual (or a team, reporting to a named person) as the Privacy Officer. Ensure their name, title, and a dedicated privacy contact email or phone number are publicly accessible—typically on the organization's privacy policy page, on its website, and in its annual privacy report. The Privacy Officer must have authority to oversee PIA processes, breach response, and consent management.

3. Perform PIAs for All Existing and Planned Information Systems

Review every information system or electronic service that Québec residents interact with—even if that system was deployed before the law took effect. For any system that did not undergo a PIA at its launch, perform one retroactively and document it. For all new projects, embed a PIA gate into the project lifecycle. The PIA should directly map the system's data flows, purposes, legal bases for collection, and security controls to Quebec Law 25's requirements.

4. Update Consent Mechanisms for All Data Subjects

Review and revise all consent collection points—website banners, form checkboxes, employee onboarding agreements, data-sharing clauses in contracts. Ensure that consent is granular, opt-in, and specific to each processing purpose. For any processing of sensitive data (health, biometric, financial), implement a separate, explicit opt-in flow that is not bundled with general terms and conditions. Remove any pre-ticked boxes or passive opt-out models.

5. Establish a Breach Response Capability and Register

Create a documented incident response plan that includes: (a) procedures for detecting and confirming a breach involving personal information; (b) a template for notifying the CAI; (c) a template for notifying affected individuals; (d) a register to record every breach (including those not subject to notification). Ensure that notification can be issued within a few business days of confirmation, and that your organization has a legal or compliance resource ready to assess "risk of serious injury."

6. Implement Data Portability, De-indexing, and Automated Decision Processes

Design processes to: (1) respond to data portability requests within 30 days (extendable to 60); (2) respond to de-indexing requests for search engines and online platforms; (3) identify any fully automated decisions made about individuals, and create a mechanism to provide a timely explanation and a path to human review. For organizations using or planning to use biometric systems, submit the mandatory 60-day pre-notification to the CAI before implementation.

7. Embed Continuous Compliance Monitoring and Third-Party Risk Management

Quebec Law 25's requirements are ongoing. Conduct annual reviews of your PIA register, consent records, and breach register. Implement automated monitoring for new data processing activities, changes in vendor data handling practices, and emerging CAI guidance. Assess the compliance posture of all third-party data processors—ask for their own PIAs, consent records, and breach notification processes. Map these contracts to the organization's obligations under the law.

Strategic Insight: Quebec Law 25 compliance is not a one-off project. The CAI has indicated it will prioritize organizations that "systematically integrate" privacy into governance. Organizations treating compliance as a checkbox exercise—rather than embedding PIAs, consent management, and breach readiness into their operational and technology stack—face the highest risk of enforcement actions and class-action exposure.

How CyberSilo Supports Quebec Law 25 Compliance

Meeting Quebec Law 25's obligations—particularly the PIA requirement, breach response, and consent governance—demands a combination of policy expertise, technology automation, and continuous monitoring. CyberSilo's Compliance Standards Automation platform helps Canadian organizations operationalize these requirements at scale.

Our solution directly addresses the law's most operationally challenging elements:

As a provider of compliance and security services to Canadian organizations, CyberSilo's Canada cybersecurity compliance services offer a comprehensive framework that also addresses the interplay between Quebec Law 25, PIPEDA, Bill C-27, and sector-specific regulations such as OSFI Guideline B-13 for federally regulated financial institutions. For organizations in Québec, our Quebec Law 25 compliance services provide end-to-end readiness assessments, PIA facilitation, and ongoing monitoring support.

Is Your Organization Ready for Quebec Law 25 Enforcement?

With the final phase now in effect and the CAI actively enforcing, every organization serving Québec residents needs a complete compliance picture. A structured, technology-enabled approach minimizes risk and reduces operational overhead. Schedule a confidential compliance assessment with CyberSilo's team to identify gaps in your privacy program before they become regulatory action or litigation.

Common Pitfalls and How to Avoid Them

Even organizations with mature privacy programs often miss critical Quebec Law 25 requirements. The following are the most frequent compliance gaps we observe:

Pitfall 1: Assuming PIPEDA compliance is sufficient. Quebec Law 25 is more stringent in several dimensions—particularly PIAs, sensitive data consent, and automated decision transparency. Organizations that rely solely on their PIPEDA program expose themselves to enforcement action by the CAI.

Pitfall 2: Failing to scope PIAs to existing legacy systems. The law requires a PIA before implementing an information system "or electronic service." Many organizations interpret this as applying only to new systems. The CAI's interpretation is that if the system was not preceded by a PIA, one must be performed retroactively—and that any material change to an existing system triggers a new PIA requirement.

Pitfall 3: Treating breach notification as discretionary. The "risk of serious injury" threshold is broader than PIPEDA's "real risk of significant harm." Organizations often under-report incidents to the CAI, assuming only confirmed data theft requires notification. Any unauthorized access or loss that could plausibly lead to identity theft, financial harm, reputational damage, or emotional distress should trigger the notification obligation.

Pitfall 4: Neglecting de-indexing requests. Unlike the "right to be forgotten" under GDPR, Quebec Law 25's de-indexing obligation applies to organizations that operate search engines or online platforms accessible in Québec. Even if your organization is not a search engine provider, if you operate a public-facing directory, listing, or forum, you may be subject to de-indexing requests from individuals.

Pitfall 5: Overlooking biometric system pre-notification. Any organization using—or planning to use—biometric data (fingerprint, facial recognition, voiceprint, etc.) for identification, authentication, or access control must notify the CAI at least 60 days before implementation. The CAI has published detailed guidance on what the notice must include: the nature of the biometric data, the purposes, the security measures, and the retention period. Non-compliance can result in an order to cease the biometric system entirely.

Our Conclusion & Recommendation

Quebec Law 25 represents a significant regulatory shift that demands a deliberate, systematic compliance response. Its phased deadlines have now fully taken effect, and the CAI is actively investigating and ordering corrective measures. For organizations with operations in Québec—or simply serving Québec residents—the combination of mandatory PIAs, enhanced consent regimes, automated decision transparency, and substantial penalties creates a liability profile that cannot be addressed reactively.

Organizations that invest now in a compliance automation platform—such as CyberSilo's Compliance Standards Automation—can reduce the cost and complexity of meeting these requirements while building a defensible compliance posture that also positions them for Bill C-27 and evolving provincial privacy laws. The key is to move beyond paper-based compliance and embed privacy governance directly into the technology systems that process personal information. A comprehensive assessment, followed by systematic remediation across the seven steps outlined above, will place your organization on a solid footing for enforcement and litigation alike.

Book Your Quebec Law 25 Compliance Assessment

CyberSilo's team of compliance specialists can help you map your current state against all phases of Quebec Law 25, identify gaps, and prioritize a remediation plan that fits your operational and budgetary context. Contact us today to schedule your confidential assessment.
