Quebec Law 25 Penalties & Fines: What Small Businesses Risk (2026)
The two penalty tracks
Law 25 has administrative monetary penalties (up to $10M or 2% of worldwide turnover) and penal fines (up to $25M or 4%). Those ceilings target large enterprises, but a small business can still face significant orders and fines for clear violations.
What actually gets a small business in trouble
Regulators focus on real harm: no privacy policy, ignoring access or deletion requests, collecting data without consent, and failing to report a breach. These are exactly the gaps a quick checklist closes.
Cheaper to comply than to fix
Baseline compliance costs a fraction of even a modest penalty or the reputational hit of a public breach. Closing the obvious gaps first — consent, breach plan, access requests — removes most of the exposure. IT Cares can lock down the technical side.
Action checklist
- ✅ Publish a privacy policy (missing one is an easy violation)
- ✅ Honour access and deletion requests on time
- ✅ Collect consent before gathering personal data
- ✅ Report qualifying breaches to the CAI promptly
- ✅ Keep records that prove your compliance
- ✅ Fix the highest-risk gaps first
FAQ
What are the penalties for breaking Law 25 in Quebec?
Law 25 allows administrative penalties up to $10M or 2% of worldwide turnover and penal fines up to $25M or 4%. The maximums target large firms, but small businesses can face real fines and orders for clear violations like no privacy policy or unreported breaches.
Can a small business be fined under Law 25?
Yes. While the ceiling figures target big companies, a small business that ignores access requests, collects data without consent, or fails to report a breach can face penalties. Basic compliance removes most of this risk cheaply.