Law 25 for Small Business: What You Actually Have to Do (2026)
Does Law 25 apply to you?
If you operate in Quebec and collect any personal information — customer names, emails, employee records, website analytics tied to a person — you are in scope. Size does not matter; a one-person shop and a 50-person firm have the same core duties (scaled to risk).
The core obligations, in order
Appoint someone responsible for privacy (by default the highest-authority person), know what personal data you hold and why, get valid consent, publish a clear privacy policy, protect the data with reasonable security, and have a process to handle access/deletion requests and breaches.
Deadlines & penalties
The law is fully in force; the data-portability requirement took effect September 22, 2024. Penalties scale to severity — administrative penalties can reach into the millions for organizations — but the practical small-business risk is complaints and orders, which the checklist below avoids.
Action checklist
- ✅ Designate a person responsible for privacy (publish their contact)
- ✅ Map what personal data you collect, where it lives, who can access it
- ✅ Refresh consent language at every collection point
- ✅ Publish a compliant privacy policy on your website
- ✅ Apply reasonable security (MFA, encryption, access control)
- ✅ Write a 1-page breach-response procedure
- ✅ Review contracts with vendors that touch your data
FAQ
Does Quebec Law 25 apply to small businesses?
Yes — every private-sector business operating in Quebec that collects personal information must comply, regardless of size. There is no small-business exemption.
What is the first step to Law 25 compliance?
Designate a person responsible for privacy and map what personal information you hold and why. Everything else — consent, policy, security — builds on knowing your data.