Law 25 privacy policy requirements
Part of the Quebec Law 25 & PIPEDA Compliance series. Related: Law 25 Data Breach Notification; Who Must Comply With Law 25.
Under Law 25, your privacy policy must be clear, in plain language, and explain what personal information you collect, why, how it is used and shared, how long it is kept, and how individuals can exercise their rights and reach your privacy officer. Quebec's law also requires that any policy governing technology used to collect personal information be published prominently and written in accessible terms, so a generic boilerplate notice is no longer sufficient.
What your privacy policy must disclose
A Law 25-compliant privacy policy is a transparency document, and it must give individuals a genuine understanding of your data practices. At minimum it should disclose:
- What you collect: the categories of personal information gathered, including any sensitive data.
- Why you collect it: the specific purposes for each use.
- How it is used and shared: internal uses and any disclosure to third parties or service providers.
- Retention and destruction: how long data is kept and what happens when its purpose ends.
- Individual rights: how to access, correct, port, or request de-indexing of personal information.
- Contact details: the name or title and contact information of your privacy officer.
Vague statements like "we value your privacy" do not satisfy the law; the policy must be specific enough that a reader understands what actually happens to their data.
Plain language and accessibility
Law 25 places real emphasis on clarity. A policy that is technically complete but written in dense legal jargon can still fall short, because the law expects information to be presented in clear and simple terms. This is especially important where you collect information from the general public or from people who may not have legal or technical backgrounds.
In practice, this means using plain language, short sentences, and a logical structure with headings. The policy should be easy to find, typically linked from every page of your website, and where you use technology that collects personal information, the relevant settings and choices should be explained accessibly. If you operate in both French and English, providing the policy in French is important given Quebec's language requirements, and offering both languages serves your audience best.
Consent, cookies, and technology disclosures
Modern privacy policies must address how data is collected through technology. Law 25's privacy-by-default rule means any technological product or service offered to the public must default to the highest privacy settings, and your policy should explain how users can review and change those settings.
If your website uses cookies, analytics, or tracking technologies that identify individuals, the policy should describe them and how consent is obtained. Where you make decisions based solely on automated processing of personal information, the law requires you to inform individuals and, on request, explain the personal information used and the reasons behind the decision. Building these disclosures into your policy keeps you aligned with both the transparency and consent obligations of the law, and it signals to customers that you take their privacy seriously.
Keeping your policy accurate and maintained
A privacy policy is only useful if it reflects what your organization actually does. One of the most common compliance failures is a polished policy that describes practices the business does not follow, or that omits new tools and data flows added over time. Regulators and courts look at the gap between what you say and what you do.
To keep the policy accurate, tie it to your data inventory and review it whenever you adopt a new system, change a vendor, or start collecting a new type of data. Your privacy officer should own this review, and your IT or managed-services partner can flag technical changes, such as a new cloud platform or analytics tool, that need to be reflected. Treating the policy as a living document, maintained alongside your actual data practices, is what turns it from a liability into evidence of a functioning privacy program.
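The reconciliation described above, as an added example that is not part of the original guide: a small script that compares a data inventory (systems, categories of personal information, purposes, recipients, retention periods) against what the published policy discloses, and reports the gaps in either direction. The inventory rows, policy summary, vendor names and retention figures are constructed for illustration; the field names and severity labels are this example's own assumptions, not anything Law 25 prescribes.

```python
"""Reconcile a data inventory against the disclosures in a privacy policy.

Constructed example: the inventory rows and the policy summary below are
made up for illustration; replace them with your organization's own records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRow:
    """One data flow from the organization's data inventory (constructed)."""
    system: str            # tool or platform holding the data
    category: str          # category of personal information
    purpose: str           # why it is collected
    shared_with: tuple     # third parties / service providers receiving it
    retention_days: int    # how long it is kept
    sensitive: bool = False


@dataclass
class PolicyDisclosure:
    """What the published privacy policy currently says (constructed)."""
    categories: set
    purposes: set
    third_parties: set
    retention_days: dict          # category -> stated maximum retention (days)
    sensitive_categories: set
    privacy_officer_contact: str = ""


def audit_policy(inventory, policy):
    """Return (severity, finding) tuples for every gap between the inventory
    and the policy, sorted with the most serious findings first."""
    findings = []
    collected = {r.category for r in inventory}
    purposes = {r.purpose for r in inventory}
    recipients = {p for r in inventory for p in r.shared_with}
    sensitive = {r.category for r in inventory if r.sensitive}

    # Practices the organization follows but the policy does not disclose.
    for cat in sorted(collected - policy.categories):
        findings.append(("high", f"category collected but not disclosed: {cat}"))
    for p in sorted(purposes - policy.purposes):
        findings.append(("high", f"purpose not disclosed: {p}"))
    for tp in sorted(recipients - policy.third_parties):
        findings.append(("high", f"recipient not disclosed: {tp}"))
    for cat in sorted(sensitive - policy.sensitive_categories):
        findings.append(("high", f"sensitive data not identified as such: {cat}"))

    # Retention: compare the longest actual retention per category to the
    # maximum the policy states for that category.
    longest = {}
    for r in inventory:
        if r.category not in longest or r.retention_days > longest[r.category][0]:
            longest[r.category] = (r.retention_days, r.system)
    for cat, (days, system) in sorted(longest.items()):
        stated = policy.retention_days.get(cat)
        if stated is None:
            findings.append(("medium", f"no retention period stated for: {cat}"))
        elif days > stated:
            findings.append(("high", f"{system} keeps {cat} for {days} days, policy says {stated}"))

    # Stale disclosures: the policy still describes flows that no longer exist.
    for cat in sorted(policy.categories - collected):
        findings.append(("low", f"policy lists category no longer collected: {cat}"))
    for tp in sorted(policy.third_parties - recipients):
        findings.append(("low", f"policy lists recipient no longer used: {tp}"))

    if not policy.privacy_officer_contact.strip():
        findings.append(("high", "no privacy officer contact in policy"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample data: three systems, one of them holding sensitive data.
INVENTORY = [
    InventoryRow("CRM", "contact details", "customer support", ("HelpDesk Inc",), 365 * 3),
    InventoryRow("Web analytics", "browsing behaviour", "site analytics", ("AnalyticsCo",), 400),
    InventoryRow("HR system", "health information", "benefits administration", (), 365 * 7, sensitive=True),
]
POLICY = PolicyDisclosure(
    categories={"contact details", "browsing behaviour", "payment details"},
    purposes={"customer support", "site analytics"},
    third_parties={"HelpDesk Inc", "OldVendor Ltd"},
    retention_days={"contact details": 365 * 3, "browsing behaviour": 365},
    sensitive_categories=set(),
    privacy_officer_contact="privacy@example.com",
)

if __name__ == "__main__":
    for severity, finding in audit_policy(INVENTORY, POLICY):
        print(f"[{severity}] {finding}")
```

Run against the constructed data, the audit flags the HR system's health information (collected, sensitive, with a purpose and no retention period, none of which the policy mentions), the analytics vendor that was never disclosed, browsing data kept longer than the stated maximum, and two stale entries the policy should drop. Re-running this check whenever a system, vendor, or data type is added is the mechanical half of the "living document" review the section describes; the privacy officer still decides how each finding is resolved.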
FAQ
Does Law 25 require a written privacy policy?
Yes. Organizations must publish information about their personal-information practices, and where technology is used to collect data, a clear policy must be made available in accessible terms. In practice this means maintaining a written, easy-to-find privacy policy that accurately describes what you collect and why.
Does my privacy policy need to be in French?
Given Quebec's language laws and the requirement for clear, accessible information, providing your privacy policy in French is important for organizations serving Quebec residents. Offering both French and English is the safest approach so that all of your audience can understand your data practices.
How often should I update my privacy policy?
Review your privacy policy whenever your data practices change, such as adopting a new system, vendor, or type of data collection, and at least periodically as a routine check. Keeping it aligned with your actual practices and data inventory is essential, since regulators focus on gaps between stated and real practices.