FortaRisks
Compliance

Quebec's Law 25: are you actually compliant?

December 5, 2025 · 3 min read

Many Quebec organizations believe they are compliant with Law 25. They have appointed an officer, updated their privacy policy, added a cookie banner, and consider the matter closed. Then a confidentiality incident, an unusual access request, or a transfer of data outside Quebec occurs, and the gap becomes obvious.

Law 25 (formerly Bill 64) is fully in force. It is not just a document published on your website: it is a set of operational obligations that touch governance, processes, contracts and technology. Here is what it actually requires, and where the most common gaps hide.

What Law 25 actually requires

Beyond the privacy policy, six areas shape compliance.

  1. Governance and accountability. A person in charge of the protection of personal information must be designated, with their title and contact details published. Your governance policies covering retention, destruction and handling of personal information must be established and accessible.
  2. Consent and transparency. At the point of collection, you must inform individuals of the purposes, the means, their rights and the third parties involved. Consent must be clear, free, informed and requested separately for each purpose, with express consent for sensitive data.
  3. Individual rights. Access and rectification within the statutory deadline (30 days from receipt of the request), the right to data portability (in force since September 2024) for computerized information collected from the person, and the handling of requests to stop dissemination or de-index information.
  4. Confidentiality incidents. An up-to-date incident register, a process to assess the "risk of serious injury" and, where applicable, prompt notification of the Commission d'accès à l'information and affected individuals.
  5. Assessments and transfers. A privacy impact assessment for information system projects, and an assessment before any disclosure of information outside Quebec.
  6. Security and lifecycle. Reasonable security measures, privacy by default in your public-facing products, a retention and destruction schedule, and protection clauses in your agreements with processors.

The deadlines are behind us, not ahead

The "we still have time" argument no longer holds. Obligations came into force in stages: September 2022 for the privacy officer and incident reporting, September 2023 for most obligations (consent, assessments, transparency), and September 2024 for data portability. In other words, the transition period is over.

Why the exposure is real

  • Problem: compliance is often treated as a documentation exercise, when it rests on living processes and evidence.
  • Impact: for enterprises, administrative monetary penalties can reach CA$10M or 2% of worldwide turnover, whichever is higher, and penal fines CA$25M or 4% of worldwide turnover, again whichever is higher. Add to that the loss of trust and contractual risk with your clients.
  • Action: treat Law 25 as a continuous program, with an identified officer, documented assessments, and the ability to prove, on request, that your controls work.

The gaps most often underestimated

Three blind spots come up constantly. First, data portability: few organizations are actually able to provide computerized information in a structured, commonly used technological format. The right covers information collected from the person, not information created or inferred about them, so the export must be scoped to exactly that subset and be producible on request, not rebuilt by hand each time. Second, transfers outside Quebec: hosting data with a foreign cloud provider without an assessment or contractual framing is a common gap. Third, evidence: keeping an incident register and assessments that are genuinely current, not just an empty template.

Take stock in a few minutes

Before investing in a compliance program, gauge your starting point. Our free Law 25 readiness self-assessment covers the six areas above in 18 questions, computes a maturity score and highlights your priorities. No sign-up, no data sent: everything is calculated in your browser.

Once your gaps are identified, the FortaRisks Compliance module turns these requirements into a prioritized action plan, with continuous compliance evidence rather than a point-in-time audit.

Law 25 is not a form you tick once. It is a way to demonstrate, at any time, that you genuinely protect the information entrusted to you. This assessment does not replace legal advice, but it tells you exactly where to start.

See your real risk in a 30-minute demo.

A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.