Law 25 Compliance Checklist for Quebec Small Business: 8 Steps (2026)
Who Law 25 applies to
Every private business operating in Quebec that collects personal information — customers, employees, leads — is covered, no matter how small. There is no employee-count exemption, so a five-person shop has the same core duties as a bank, scaled to its risk.
The 8 steps in order
1) Name a person in charge of privacy.
2) Map what personal data you hold and why.
3) Publish a clear privacy policy.
4) Get valid consent at collection.
5) Lock down access and add MFA.
6) Write a breach-response plan.
7) Honour access/deletion requests.
8) Review yearly.
Done in this order, each step builds on the last.
What it realistically costs
A small business can reach baseline compliance for the cost of a privacy policy, an MFA rollout and a few hours of staff time — far less than the penalties for ignoring it. Where the data map or breach plan gets complex, IT Cares can set up the technical controls for you.
Action checklist
- ✅ Designate a privacy officer (can be the owner)
- ✅ Inventory every system holding personal data
- ✅ Publish a Law 25-compliant privacy policy
- ✅ Collect explicit, purpose-limited consent
- ✅ Enable MFA and least-privilege access
- ✅ Write and test a breach-response plan
- ✅ Set up access & deletion request handling
- ✅ Schedule an annual privacy review
FAQ
Does Law 25 apply to small businesses in Quebec?
Yes. Any private business that collects personal information in Quebec is covered regardless of size — there is no small-business exemption. Obligations scale to your risk, but the core duties (privacy officer, consent, breach plan) apply to everyone.
How much does Law 25 compliance cost a small business?
Baseline compliance is mostly staff time plus a privacy policy and MFA — often a few hundred dollars. Costs rise only if you handle sensitive data at scale or need a full privacy-impact assessment.