Québec has long had privacy laws in place to protect personal information, including:
- The Act Respecting the Protection of Personal Information in the Private Sector 1994 (The Private Sector Act), which regulates how businesses collect and handle personal information
- The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information 1982 (The Public Sector Act), which applies to public organizations
While these laws established foundational protections, they were implemented before the rise of digital platforms, big data, and AI-driven decision-making. The laws became outdated as technology advanced and data collection grew more complex.
In response to these challenges, Québec Law 25 was passed in 2021. It significantly amends, updates, and modernizes these existing laws. It also aligns Québec’s privacy framework with international standards, such as the European Union’s General Data Protection Regulation (GDPR), and strengthens protections for individuals while holding organizations more accountable.
What is Québec Law 25 and who does it apply to?
Québec Law 25, or “Act to modernize legislative provisions as regards the protection of personal information,” was introduced in the Québec National Assembly in June 2020 as Bill 64. When the Bill was passed into law in September 2021, it became known as Law 25.
This new law gives individuals more control over their personal information and introduces stricter rules and stronger accountability for organizations that handle it.
Law 25 applies to any enterprise that collects, uses, or processes the personal information of individuals residing in Québec, even if the enterprise itself is located outside the province. It is the most stringent provincial privacy regulation in Canada, and includes stipulations not reflected in the federal Personal Information Protection and Electronic Documents Act (PIPEDA), though that law, passed in 2000, has been amended a number of times.
The law uses the definition of enterprise outlined in Article 1525 of the Civil Code of Québec, which is “[t]he carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service, constitutes the operation of an enterprise.”
This means that Law 25 applies to public bodies, private organizations, nonprofits, and even individuals acting in a professional capacity or carrying out an organized economic activity who collect the personal information of Québec residents.
What is personal information under Québec Law 25?
Personal information is defined similarly under both The Private Sector Act and The Public Sector Act as any information that relates to or concerns a natural person and directly or indirectly makes it possible to identify that person.
Personal information is considered sensitive if it is inherently private, such as medical or biometric data, or if the way it is used or shared creates a heightened expectation of privacy.
Québec Law 25 does not cover personal information collected, stored, shared, or used for journalism, historical research, or genealogy that is used to provide legitimate information to the public.
Key provisions under Québec Law 25
Québec Law 25 has introduced several new provisions that bring Québec’s privacy regulation closer to global data protection regulations.
Enhanced consent requirements
Québec Law 25 outlines clear rules about how consent must be handled to give individuals control over their personal information. Personal information can only be used to serve the purpose for which it was collected unless the individual gives explicit consent for a different purpose.
However, there are a few exceptions. Personal information can be used for another purpose without new consent, but only:
- if the new purpose is consistent with the original purpose
- if the use clearly benefits the individual
- if it is necessary to provide or deliver a product or service the individual requested
- if it is needed for studies, research, or statistics, as long as the information is de-identified
- if it’s required to prevent and detect fraud or improve security measures
- by public bodies if it is necessary to enforce a Québec law, even if the law doesn’t explicitly provide for this use
Consent must always be clear, freely given, informed, and specific. Enterprises must request consent using simple and unambiguous language, and must make a separate request for each purpose. If enterprises request consent in writing, it should be separate from other information given to the individual, such as terms and conditions.
When it comes to sensitive personal information, consent must always be explicit.
Individuals also have the right to withdraw their consent at any time, and the enterprise must stop using the individual’s personal information once consent is withdrawn.
For personal information belonging to minors under 14 years old, a parent, guardian, or tutor must give consent. Minors aged 14 or older can give their own consent or allow their parent, guardian, or tutor to provide it.
New and expanded individual rights
Québec Law 25 has strengthened individuals’ rights relating to their personal information.
- Right to privacy by default: Enterprises that offer technological products or services, such as apps, software, or online platforms, must collect as little personal information as possible without requiring users to adjust settings to protect their privacy. However, this does not apply to privacy settings for browser cookies.
- Right to know: Individuals can request to know why their personal information is collected, how it will be used, and any third parties with whom it will be shared.
- Right to access: Individuals can request a copy of the personal information that an enterprise holds about them.
- Right to erasure: Individuals can request that their personal information be deleted when it is no longer needed for the purpose for which it was collected, or when the enterprise has handled the information in a way that violates the law.
- Right to correction: Individuals can ask to have incomplete or inaccurate personal information corrected. They can also request that personal information that is collected, communicated, or kept contrary to law be rectified.
- Right to data portability: Enterprises must provide individuals with their personal information in a structured, commonly used technology format upon request. This practice enables individuals to transfer their data to another service provider.
- Right to transparency in automated decision-making: Enterprises must disclose when automated systems make decisions that affect individuals.
Privacy impact assessments
Québec Law 25 requires enterprises to conduct a privacy impact assessment (PIA) or data protection impact assessment (DPIA) in certain situations, including:
- when acquiring, developing, or overhauling systems or projects involving personal information
- before transferring personal information outside Québec
- before sharing personal information without consent for study, research, or statistical purposes
Data breach notification
When an enterprise suspects there has been a data breach involving personal information — known under the law as a confidentiality incident — it must take reasonable measures to reduce the risk of injury and prevent similar incidents in the future.
The following are considered confidentiality incidents under the law:
- unauthorized access to personal information
- unauthorized use of personal information
- unauthorized sharing or disclosure of personal information
- loss of personal information or any other failure to properly protect it
Québec Law 25 also requires that, if the breach presents a “risk of serious injury,” an enterprise must inform Québec’s privacy regulator, known as the Commission d’accès à l’information du Québec (CAI), and affected individuals about the breach. An exception may be made if notifying individuals would interfere with a legal investigation.
Enterprises must maintain a register of data breaches and make it available to the Commission upon request.
Privacy policy requirements
Québec Law 25 requires enterprises that must comply with the law to publish a privacy policy explaining their data practices. Privacy policies must be written in simple language that is easy for individuals to understand.
The privacy policy should include:
- what personal information is being collected and through which means
- purpose(s) for collection
- individuals’ rights, especially the rights of access and correction
- right to withdraw consent
- how the information will be used, stored, and shared
- for how long the information will be retained
- who will have access to the information, including third parties, if any
- details and contact information of the privacy officer (DPO)
- details on any automated decision-making processes, if applicable, including profiling
Appointment of a privacy officer
Québec Law 25 automatically appoints the “person exercising the highest authority” in an enterprise as the person in charge of protecting personal information. This role is similar to that of a Data Protection Officer (DPO) under the GDPR. An enterprise does have the option to appoint another individual as DPO and can assign some or all of the statutory responsibilities in writing.
A private organization may appoint any person as DPO or privacy officer, regardless of whether they are an employee. In the case of public bodies, the appointed DPO may be one of the following:
- a member of the public body
- a member of its board of directors
- a member of its management personnel
Public bodies are also required to inform the Commission in writing about the title, contact information, and start date of the appointed DPO.
Enterprises must publish the title and contact information of the DPO on their website. If the enterprise doesn’t have a website, it must make this information available by “any other appropriate means.”
When did Québec Law 25 come into effect?
The Québec privacy law was implemented in stages to give enterprises time to comply with its requirements:
- September 22, 2022: The date the first phase of the law came into effect. This included the appointment of a privacy officer and data breach reporting requirements.
- September 22, 2023: The date that most of the law’s provisions became effective, including consent requirements, transparency in privacy policies, data protection impact assessments, and individuals’ rights under the law.
- September 22, 2024: The date that the final provision, the right to data portability, came into effect.
With all provisions of Québec Law 25 now fully operational, enterprises must align their privacy practices with the law to avoid penalties and maintain trust with Québec residents.
Québec Law 25 enforcement and penalties
Québec Law 25 is enforced by the Commission d’accès à l’information du Québec (CAI), which has the authority to monitor compliance, conduct investigations, and impose penalties for violations.
Noncompliance can lead to substantial financial penalties:
- Administrative monetary penalties: Up to CAD 10 million or 2 percent of global turnover for the preceding fiscal year, whichever is higher. However, for individuals, this penalty is capped at CAD 50,000.
- Penal provisions: For severe violations, fines can reach up to CAD 25 million or 4 percent of global turnover for the preceding fiscal year, whichever is higher. For individuals, this penalty is capped at CAD 100,000.
Additionally, individuals who believe their privacy rights have been violated can seek damages of at least CAD 1,000 and may also pursue collective action against violators.
Beyond financial penalties, noncompliance can lead to reputational damage, which can erode customer trust and harm long-term business relationships.
Steps for compliance with Québec Law 25
To meet the requirements of Québec Law 25, organizations must take proactive measures to responsibly manage personal information and protect individual privacy.
- Assign a privacy officer to oversee compliance, implement privacy policies, and manage privacy practices. Having a dedicated person who is responsible for meeting the law’s requirements can streamline the process.
- Update consent mechanisms to obtain explicit, informed consent, and implement processes that make it easy for individuals to withdraw consent at any time.
- Conduct privacy impact assessments as required to identify and address privacy risks early.
- Update privacy policies to clearly explain how personal information is collected, used, stored, and shared, using transparent and simple language.
- Establish procedures that enable individuals to exercise their rights, such as the right to access their personal information, request corrections, or delete their data.
- Develop an incident response plan to detect, address, and report data breaches promptly, including steps to minimize harm and notify affected parties as required.
- Strengthen data security by adopting safeguards such as encryption, access controls, and data minimization to protect personal information from unauthorized access or misuse.
- Implement processes for data portability, enabling individuals to receive their personal information in a structured, commonly used format for transfer to another service provider.
We strongly recommend consulting a qualified legal expert who can give advice for achieving compliance with Québec Law 25 that is specific to your enterprise’s data privacy practices.
Québec Law 25 compliance with Usercentrics
Using a consent management platform (CMP) like Usercentrics CMP can help enterprises meet the Québec privacy law’s consent requirements by enabling them to collect explicit, informed consent from individuals. CMPs streamline this process by clearly presenting consent requests that are specific to their purpose, as required by the law.
Usercentrics CMP also enables users to withdraw their consent easily, enabling enterprises to meet Québec Law 25’s requirements for consent withdrawal.
Differences between Québec Law 25 and PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law that governs how organizations handle personal information for commercial activities. It sets baseline privacy standards across the country, while provinces like Québec can enact their own laws, such as Law 25, to impose additional requirements.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.