Law 25 — Fully in force

Complete guide to compliance
with Quebec's Law 25.

Law 25 (SQ 2021, c. 25) has been fully in force since September 2024. Every business handling personal information in Quebec must comply — or face fines that can reach $25,000,000. Here is what you need to know.

Updated April 2026 · Sources: CAI, SQ 2021, c. 25 · Reading time: ~12 min

What is Law 25?

Law 25, officially the "Act to modernize legislative provisions as regards the protection of personal information" (SQ 2021, c. 25), substantially amends the Act respecting the protection of personal information in the private sector and the Act respecting Access to documents held by public bodies. It is part of the global trend toward modernizing legal frameworks (the European GDPR, sectoral Canadian laws), with the goal of giving citizens real control over their data.

The supervisory authority is the Commission d'accès à l'information du Québec (CAI). All official documentation, methodological guides and tools are available at cai.gouv.qc.ca.

Implementation timeline

  • Sept. 2022: Designation of the Privacy Officer and implementation of documented personal information governance.
  • Sept. 2023: Privacy Impact Assessments, incident reporting, portability, right to de-indexing, consent — the densest phase of obligations.
  • Sept. 2024: Full data portability and the right to contest automated decisions. Law fully in force.

Who is affected by Law 25?

Law 25 applies to any business or organisation that collects, holds, uses or discloses personal information in Quebec — regardless of its size, sector or legal status. There is no minimum threshold.

Those covered notably include:

  • SMEs (retailers, service providers, manufacturers, professionals)
  • Self-employed workers and professionals in private practice
  • Non-profit organisations and associations
  • Businesses based outside Quebec that deal with Quebec residents or target this market
  • Canadian subsidiaries of foreign organisations operating in Quebec

Important

A website accessible to Quebec residents that collects an email address (contact form, newsletter, user account) is enough to make your organisation subject to Law 25. The criterion is the activity, not the place of business.

The main obligations under Law 25

Law 25 imposes seven broad categories of obligations. Ignoring them exposes the organisation to significant penalties — and to real reputational risk.

01 · Designate a Privacy Officer

Mandatory since September 2022. By default, the person with the highest authority in the organisation is the Privacy Officer. They may delegate this responsibility, but remain ultimately accountable. The name and contact information of the Privacy Officer must be published on the organisation's website.

02 · Governance policies

Establish and publish policies governing the management of personal information: a privacy policy accessible on the website, documented internal procedures, and a governance framework that defines roles, responsibilities and processes.

03 · Conduct Privacy Impact Assessments

A Privacy Impact Assessment (PIA) has been mandatory since September 2023 before any new project involving personal information — new software, application, CRM or organisational restructuring. The CAI's methodology is the reference.

04 · Report privacy incidents

Any incident presenting a "serious risk of injury" must be reported to the CAI and to the individuals concerned without delay. The organisation must also maintain a register of all incidents — regardless of their severity.

05 · Obtain explicit consent

Consent must be free, informed, given for specific purposes and expressed unambiguously. Pre-checked boxes and implied consent are no longer valid. Cookie banners, sign-up forms and opt-in processes must be reviewed.

06 · Respect individual rights

Data subjects benefit from strengthened rights:

  • Right of access to their information (response within 30 days, extendable to 60)
  • Right of rectification in the event of inaccuracy
  • Right to erasure under certain conditions
  • Right to portability — to receive the data in a structured and commonly used format
  • Right to contest a decision made through automated processing

07 · Govern transfers outside Quebec

Any transfer of personal information outside Quebec must be the subject of a prior Privacy Impact Assessment, guarantee a level of protection equivalent to that of Quebec, and be formalized by contract.

Penalties for non-compliance

The penalties provided for by Law 25 are among the most severe in Canada in matters of personal information protection. They fall under two regimes:

Administrative (CAI): $10M or 2% of worldwide turnover, whichever is higher. Penalties imposed directly by the Commission d'accès à l'information.

Penal (courts): $25M or 4% of worldwide turnover; for individuals, up to $100,000. Proceedings brought by the DPCP (Directeur des poursuites criminelles et pénales).

Beyond fines, the impact of non-compliance includes: civil lawsuits (damages), reputational harm (media coverage, loss of trust) and erosion of the relationship with clients and suppliers.

Law 25 compliance checklist

The ten essential steps for an organisation in Quebec to achieve — and maintain — compliance:

01 · Designate a Privacy Officer and publish their contact information

Mandatory since September 2022. The person, their role and a point of contact must appear on the website.

02 · Map the personal information held

What, why, where, who accesses it, retention period, sharing with third parties.

03 · Draft and publish a privacy policy

Clear, accessible and kept up to date. It must describe the organisation's actual practices.

04 · Implement valid consent

Compliant banners, forms and opt-in processes. No pre-checked boxes. Granularity by purpose.

05 · Maintain a privacy incident register

Procedures for notifying the CAI and the individuals concerned within the legal deadlines.

06 · Conduct Privacy Impact Assessments for every technology project

Mandatory since Sept. 2023. Follow the CAI methodology. Document mitigation measures.

07 · Strengthen technical security

Encryption (at rest/in transit), MFA, role-based access, logging, encrypted backups, incident response plan.

08 · Train employees

Obligations, internal procedures, incident recognition and reporting. Ongoing training.

09 · Document procedures for individual rights

Access (30 days), rectification, erasure, portability — each process traced and auditable.

10 · Carry out annual compliance reviews

Compliance is ongoing — not a one-time project. A posture that is maintained over time.

How Synéra supports you

Synéra focuses all of its expertise on compliance with personal information protection laws. Our approach is built around four complementary programs designed to meet you at every stage of your journey:

  • Synéra Check — a complete assessment of your current posture
  • Synéra Conforme — turnkey compliance implementation
  • Synéra Vigile — ongoing governance, regulatory monitoring, quarterly review
  • Privacy Officer on demand — a designated, reachable, accountable Privacy Officer — without hiring a full-time position

For areas outside our field of expertise (IT, legal advice, training), we orchestrate an ecosystem of leading partners — RB Avocats, Conformaze, ITGS and AAPI.

You get a single point of contact, several specialists mobilized as needed, and a defensible audit trail.

Frequently asked questions

01 · Is my business subject to Law 25?

Any business or organisation that collects, holds, uses or discloses personal information in Quebec is subject to Law 25 — with no minimum size threshold. This includes SMEs, self-employed workers, non-profits and businesses outside Quebec that deal with Quebec residents.

02 · What is a Privacy Officer and who must designate one?

The Privacy Officer has been mandatory since September 2022. By default, it is the person with the highest authority in the organisation, but this responsibility can be delegated. Their name and contact information must be published on the website.

03 · What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment has been mandatory since September 2023 before any new project involving personal information — new software, application, CRM or restructuring. It must follow the CAI's methodological guide.

04 · What are the penalties for non-compliance?

Administrative monetary penalties can reach $10M or 2% of worldwide turnover. Penal fines can reach $25M or 4% of worldwide turnover. For individuals, fines can reach $100,000.

05 · How does Synéra support SMEs?

Synéra offers complete support: initial assessment, Privacy Officer designation, development of governance policies, conducting Privacy Impact Assessments, team training and ongoing support. Four core programs: Synéra Check, Synéra Conforme, Synéra Vigile, and Privacy Officer on demand.

06 · How long does it take to become compliant?

For a small SME, a complete path to compliance can be achieved in 4 to 8 weeks. For a more complex organisation, it generally takes 3 to 6 months. But compliance is ongoing — it is a posture, not a one-time project.

07 · What is the difference between Law 25 and the GDPR?

Law 25 and the GDPR share a common philosophy but differ in several respects: geographic scope, definitions, rights granted to data subjects and penalty amounts. A business already compliant with the GDPR has a head start, but must adjust certain practices to fully meet Law 25.

Ready to get started?

Let's start your compliance.

Free assessment, tailored path, human support. A single conversation to find out where you stand — and what remains to be done.