Quebec Law 25 small business requirements
Part of the Quebec Law 25 & PIPEDA Compliance series. Related: Law 25 vs PIPEDA; Law 25 Compliance Checklist.
Quebec Law 25 applies to small businesses just as it does to large ones, requiring them to appoint a privacy officer, obtain proper consent, publish a privacy policy, report confidentiality incidents, and secure personal information. There is no revenue or headcount exemption. A small clinic, shop, agency, or professional practice operating in Quebec must meet the same core obligations as an enterprise, scaled to its size and the sensitivity of the data it handles.
Why small businesses are not exempt
Many small-business owners assume privacy laws target large corporations, but Law 25 contains no small-business exemption. If you carry on an enterprise in Quebec and collect personal information, whether about customers, patients, or employees, you are covered. The obligations are proportionate, meaning a sole proprietor is not expected to build an enterprise-grade program, but the baseline duties still apply.
This matters because small businesses often handle sensitive data, such as health details, financial records, or identity documents, without dedicated privacy or IT staff. Regulators and customers expect that information to be protected regardless of company size. Ignoring Law 25 because you are small is a common and costly misconception, since penalties and reputational harm apply to organizations of any scale.
The core obligations scaled for small teams
For a small business, Law 25 compliance comes down to a manageable set of priorities:
- Designate a privacy officer: in a small firm this is often the owner or office manager, named in writing with contact details published.
- Write a plain-language privacy policy: explain what you collect, why, and how people can reach your privacy officer.
- Get clear consent: ask permission before collecting personal data and avoid bundling it into unrelated terms.
- Keep an incident register: log any confidentiality incident and be ready to report serious ones.
- Retain only what you need: set simple rules for deleting old client records.
None of these requires a large budget, but each requires deliberate setup and a small amount of ongoing maintenance.
Practical first steps for owners
The most effective way for a small business to start is to focus on visibility and basic security before anything complex. Begin by listing every place personal information lives: your email inbox, accounting software, point-of-sale system, cloud storage, and any paper files. This inventory alone reveals most of your risk.
From there, tighten access so only the right people can reach sensitive data, turn on multi-factor authentication for email and key apps, and make sure you have a working, tested backup. Draft a short privacy policy and an even shorter incident-response note describing who to call and what to do if data is exposed. These steps move a small business from non-compliant to defensible quickly, and they double as basic protection against the ransomware and phishing attacks that disproportionately hit small firms.
Getting help without a full IT department
Most Quebec small businesses do not employ a privacy lawyer or a cybersecurity specialist, and they do not need to in order to comply. The technical obligations (access control, encryption, backups, breach detection, and logging) can be handled by a managed IT and security partner on a predictable monthly basis. This is often more cost-effective than hiring, and it provides the documented evidence regulators expect.
A good partner will help you build the data inventory, harden your systems, implement multi-factor authentication, and prepare a realistic incident-response plan, while your privacy officer handles the policy and consent side. For a small business, this division of labour keeps Law 25 compliance achievable without distracting from running the company, and it ensures the security controls underpinning the law are actually maintained rather than set up once and forgotten.
FAQ
Are small businesses really covered by Law 25?
Yes. Law 25 has no exemption based on revenue or number of employees. Any business that carries on an enterprise in Quebec and handles personal information must comply. The obligations are proportionate to your size and the sensitivity of your data, but the core duties apply to everyone.
Can the business owner be the privacy officer?
Yes. In a small business, the owner, a manager, or another designated person can serve as the person in charge of protecting personal information. The role should be assigned in writing, and the contact information must be made available, typically on your website or privacy policy.
What is the cheapest way for a small business to comply?
Start with a data inventory, basic access controls, multi-factor authentication, tested backups, and a plain-language privacy policy. These low-cost steps address the biggest risks. A managed IT provider can maintain the technical controls affordably, avoiding the need to hire full-time security staff.