What is Quebec Law 25
Part of the Quebec Law 25 & PIPEDA Compliance series. Related: Law 25 Compliance Checklist; Law 25 Compliance For Accounting Firms.
Quebec Law 25 is the province's modernized private-sector privacy law that sets strict rules for how organizations collect, use, store, and protect personal information. Formerly known as Bill 64, it amended Quebec's existing privacy legislation and rolled out in phases between September 2022 and September 2024. It applies to virtually any business operating in Quebec, regardless of size, and introduces obligations such as appointing a privacy officer, reporting confidentiality incidents, and obtaining clearer consent for data use.
The background and purpose of Law 25
Law 25 is the short name for the Act to modernize legislative provisions as regards the protection of personal information. It was passed by Quebec's National Assembly in 2021 and overhauled the province's private-sector privacy framework, which had not kept pace with modern data practices. The goal was to give individuals more control over their personal information and to hold organizations accountable for how they handle it.
The law was designed to align Quebec more closely with global privacy standards, particularly the European Union's GDPR. As a result, several of its concepts, such as privacy by default, data portability, and mandatory impact assessments, will feel familiar to anyone who has worked with GDPR. For Quebec businesses, this means the bar for responsible data handling is now considerably higher than it was a few years ago.
When Law 25 took effect
Law 25 was implemented in three phases to give organizations time to adapt:
- September 2022: Businesses had to designate a person in charge of the protection of personal information and begin reporting confidentiality incidents to the Commission d'accès à l'information (CAI) and affected individuals.
- September 2023: The bulk of obligations came into force, including consent rules, privacy impact assessments, transparency requirements, and rights related to automated decision-making.
- September 2024: The right to data portability took effect, allowing individuals to obtain their computerized personal information in a structured, commonly used format.
Because all phases are now active, every covered organization is expected to be fully compliant. There is no longer a grace period to lean on.
Core obligations under Law 25
Law 25 imposes a broad set of duties on organizations. The most important ones to understand are:
- Privacy officer: a named person responsible for compliance, defaulting to the highest-ranking executive unless delegated in writing.
- Consent: consent must be clear, free, informed, and given for specific purposes, with extra care for sensitive information.
- Incident reporting: confidentiality incidents posing a risk of serious injury must be reported to the CAI and affected individuals, and logged in a register.
- Privacy by default: technological products and services must offer the highest privacy settings by default.
- Impact assessments: privacy impact assessments are required for projects involving sensitive data or cross-border transfers.
These obligations apply together, so meeting just one or two does not make an organization compliant.
What Law 25 means for your IT systems
Although Law 25 is a legal framework, much of compliance is technical. Privacy by default and reasonable security require concrete configurations: restricting who can access personal data, encrypting sensitive files, securing backups, and logging system activity so incidents can be investigated. Meeting the incident-reporting obligation means you must be able to detect a breach quickly and understand its scope, which depends on monitoring and alerting being in place.
For most Quebec small and mid-sized businesses, the gap is not awareness of the law but the technical capacity to satisfy it. Working with a managed IT and cybersecurity provider helps translate the legal requirements into a maintained, evidence-backed program, covering access management, encryption, breach detection, and the documentation a regulator would expect to see during a review.
FAQ
Who does Quebec Law 25 apply to?
Law 25 applies to virtually any private-sector organization that carries on an enterprise in Quebec and collects, uses, or holds personal information, regardless of company size. Public bodies are covered by related provisions. Even small businesses and non-profits operating in Quebec generally fall within its scope.
Is Law 25 the same as Bill 64?
Yes. Bill 64 was the legislative bill that, once adopted in 2021, became the law commonly referred to as Law 25. The terms are used interchangeably, though Law 25 is the more accurate name now that the legislation is in force.
How is Law 25 different from PIPEDA?
PIPEDA is the federal private-sector privacy law for most of Canada, while Law 25 is Quebec-specific and generally stricter. Law 25 adds requirements such as privacy by default, mandatory impact assessments, and more prescriptive incident reporting. Businesses operating in Quebec and nationally often need to comply with both.
Does Law 25 apply to small businesses?
Yes. Unlike some privacy laws that exempt small organizations, Law 25 applies regardless of size or revenue. A small clinic, shop, or professional practice in Quebec must designate a privacy officer, handle consent properly, and be ready to report confidentiality incidents.