Who must comply with Law 25

Any private-sector organization that carries on an enterprise in Quebec and collects, uses, or holds personal information must comply with Law 25, regardless of size, revenue, or industry. This includes businesses, professionals, non-profits, and public bodies operating in the province. Even organizations based outside Quebec can be caught if they handle the personal information of Quebec residents in the course of commercial activity.

Organizations clearly within scope

Law 25 casts a wide net. The clearest cases of covered organizations include:

If your organization handles names, contact details, financial information, health data, or any other information about identifiable individuals in Quebec, you should assume Law 25 applies and plan accordingly.

Businesses outside Quebec that are still caught

A common misconception is that only Quebec-based companies need to worry about Law 25. In reality, the law focuses on the activity of carrying on an enterprise in Quebec and handling Quebec residents' personal information, not solely on where a company is headquartered.

A business based in Ontario, another province, or even abroad can fall within scope if it markets to, sells to, or collects personal data from people in Quebec as part of commercial activity. E-commerce sellers, SaaS providers, and service firms with Quebec clients are common examples. Because enforcement and reputational risk follow the data rather than the head office, out-of-province organizations with Quebec customers should evaluate their obligations rather than assuming they are exempt.

What counts as personal information

Whether Law 25 applies often hinges on whether you handle personal information. Under Quebec law, personal information is any information that relates to a natural person and allows that person to be identified, directly or indirectly.

This is broad. It covers obvious data such as names, addresses, phone numbers, and email addresses, but also less obvious identifiers like client account numbers, IP addresses in some contexts, photographs, and health or financial details. Sensitive information, such as health, biometric, or financial data, attracts heightened obligations. If your organization collects any of this about identifiable people in Quebec, the law is engaged, which is why nearly every business that interacts with the public ends up within scope.

How to confirm your obligations and act

The practical question for most organizations is not whether Law 25 might apply, but what to do once you confirm it does. The first step is a simple assessment: do you carry on an enterprise that touches Quebec, and do you handle personal information of identifiable individuals? If yes, you are almost certainly covered.

From there, the path is the same regardless of size: appoint a privacy officer, build a data inventory, fix consent and policy gaps, prepare an incident-response process, and put reasonable security measures in place. For organizations without internal privacy or IT expertise, a managed IT and cybersecurity partner can handle the technical safeguards and documentation, while a privacy officer or advisor manages the legal side. Confirming scope and acting early is far less costly than discovering your obligations after a breach or complaint.

FAQ

Does Law 25 apply to companies outside Quebec?

It can. If an out-of-province or foreign organization handles the personal information of people in Quebec in the course of commercial activity, it may fall within Law 25's scope. The law follows the data and the activity, not just where a company is headquartered, so Quebec-facing businesses should assess their obligations.

Are non-profits subject to Law 25?

Non-profits and associations that carry on an enterprise and handle personal information, such as member, donor, or volunteer data, can be subject to Law 25. The concept of an enterprise is broad in Quebec, so many non-profits should treat themselves as covered and follow the same core obligations.

Does Law 25 apply to employee data?

Yes. Personal information about employees, including hiring records, payroll, and performance data, falls within the protection of personal information rules. Employers in Quebec must handle staff data with the same care as customer data, including consent, security, and incident-reporting obligations where relevant.
