Quebec's Law 25 — formally known as An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information — represents the most significant overhaul of privacy law in Quebec in over 25 years. It modernizes Quebec's privacy framework and aligns it more closely with the European GDPR.
It's fully in effect as of September 2023, and penalties for non-compliance are serious. Yet many Montreal SMBs still haven't taken meaningful steps to comply. This guide gives you a plain-language breakdown of what Law 25 requires and how to get started.
Who Does Law 25 Apply To?
The short answer: virtually every business in Quebec. If your organization collects, uses, communicates, or stores personal information about Quebec residents — whether customers, employees, or website visitors — Law 25 applies to you.
There's no employee count threshold. A 5-person professional services firm is subject to the same law as a 500-person corporation. The obligations are tiered by risk, but the baseline requirements apply broadly.
Personal information under Law 25 includes: names, email addresses, phone numbers, IP addresses, location data, health information, financial data, and anything else that can identify an individual — directly or indirectly.
What Does Law 25 Require?
1. Designate a Privacy Officer
Every organization must designate a person responsible for the protection of personal information — a privacy officer. In a small business, this is often the owner or a senior manager. Their name and contact information must be published on your website.
2. Privacy Policy on Your Website
You must publish a clear, accessible privacy policy on your website that explains what personal information you collect, why you collect it, how long you keep it, and with whom you share it. Vague boilerplate policies don't cut it under Law 25.
3. Privacy Impact Assessments (PIAs)
Before launching any new project that involves personal information — a new CRM system, a marketing platform, a website redesign — you must conduct a Privacy Impact Assessment. This documents the privacy risks and how you'll mitigate them.
4. Consent for Data Collection
You need clear, explicit consent to collect personal information, and that consent must be informed — people need to know what they're agreeing to. Pre-checked consent boxes no longer meet the standard.
5. Breach Notification
If your organization suffers a data breach that poses a risk of serious harm, you must notify both the Commission d'accès à l'information (CAI) and the affected individuals — and you must do so promptly. You're also required to keep a register of all confidentiality incidents.
6. Data Retention Limits
You cannot keep personal information longer than necessary for its original purpose. You need a retention schedule and a destruction protocol.
7. Right to Data Portability and Deletion
Individuals have the right to request their personal data in a structured format and to request its deletion under certain circumstances. You need processes to handle these requests.
What Are the Penalties?
Law 25 has real teeth. Administrative penalties can reach $25 million or 4% of worldwide annual turnover — whichever is higher — for the most serious violations. Penal fines for organizations start at $15,000 and can reach $25 million.
Beyond fines, a public breach or CAI investigation can cause serious reputational damage — especially in industries where client trust is the foundation of the business (legal, accounting, healthcare, financial services).
What Should Your Montreal Business Do Now?
If you haven't started your Law 25 compliance work, here's a practical starting point:
- Designate a privacy officer — identify who's responsible and publish their contact info
- Audit your data — what personal information do you collect, where is it stored, who has access?
- Update your privacy policy — make it specific, accurate, and accessible
- Review your consent mechanisms — website forms, email lists, purchase flows
- Create a breach response plan — know what you'd do if you discovered a breach tomorrow
- Document your data retention rules — how long do you keep client data? Employee data?
- Train your team — the people handling data need to know the rules
Important: Law 25 compliance is not a one-time project. It's an ongoing program. Your privacy practices need to be reviewed regularly as your business changes.
Where IT Fits In
A significant portion of Law 25 compliance is a technology problem. Your data is stored in systems — email, CRM, cloud storage, databases, backups. Securing that data, controlling access to it, encrypting it where appropriate, and being able to locate and delete it when required are all IT challenges.
At Evolv I.T, we help Montreal SMBs address the technology side of Law 25 as part of our cybersecurity and vCIO services: access controls, encryption, backup policies, breach detection, and incident response planning. We work alongside your legal counsel (who handles the policy and governance side) to make sure your IT environment supports your compliance obligations.
If you're not sure where your business stands, our free IT assessment includes a conversation about your current data handling practices and where the gaps are.
Want to Know Where Your IT Stands?
Book a free 30-minute IT assessment with Evolv I.T — we'll review your current setup and give you honest, actionable advice. No commitment, no sales pitch.