FortaRisks

Law 25 (Quebec)

Law 25 is Quebec's modernized privacy legislation. It imposes strict obligations on any organization that handles the personal information of Quebec residents: consent, transparency, governance, breach notification and penalties of up to 25 million dollars or 4% of worldwide turnover.

Updated on July 2, 2026

What is Law 25?

Law 25, officially the "Act to modernize legislative provisions as regards the protection of personal information" (Bill 64), is Quebec's privacy reform adopted in September 2021 and phased in between September 2022 and September 2024. It substantially rewrites the obligations of private sector enterprises and public bodies that process personal information.

It is not a policy you write once and file away. It is a set of continuous operational duties that touch governance, processes, vendor contracts and technology.

Why it matters for your organization

Failing to meet Law 25 exposes a private sector enterprise to administrative monetary penalties of up to 10 million dollars or 2% of worldwide turnover for the preceding fiscal year, whichever is greater, and to penal sanctions of up to 25 million dollars or 4% of worldwide turnover, again whichever is greater. Beyond the fine, a mishandled confidentiality incident erodes customer trust and draws the attention of insurers and business partners.

Law 25 also shifts accountability upward: personal information governance is no longer a purely technical matter, it now sits with senior leadership.

The key obligations

  • Privacy Officer: by default the person exercising the highest authority in the organization (the CEO or equivalent), who may delegate the role in writing; the officer's title and contact details must be published.
  • Clear consent: free and informed consent given for specific purposes, requested separately from any other information or terms, in clear and simple language.
  • Transparency: understandable and accessible privacy policies, published on the websites and platforms that collect personal information.
  • Breach notification: report any confidentiality incident that presents a risk of serious injury to the Commission d'accès à l'information du Québec (CAI) and to the affected individuals, and keep a register of all confidentiality incidents, whether or not they met the notification threshold.
  • Privacy Impact Assessment (PIA): assess risks before any project to acquire, develop or redesign an information system or electronic service delivery that involves personal information, and before communicating personal information outside Quebec.
  • Right to portability and de-indexing: let individuals obtain their data in a structured, commonly used technological format (in force since September 2024) and request that its dissemination stop or that it be de-indexed.

Where organizations most often fall short

The most common gaps are not in the high-level principles but in execution: a missing incident register, vendor contracts with no notification clause, cross-border transfers without a PIA, or consent mechanisms buried in general terms. Compliance lives in those operational details, not in the policy displayed on the website.

Frequently asked questions

Who does Law 25 apply to?

Any enterprise, established in Quebec or elsewhere, that collects, holds, uses or communicates the personal information of Quebec residents in the course of doing business, regardless of sector or size, as well as Quebec public bodies. Server location is irrelevant: what matters is the residence of the individuals whose data you process.

What is the difference between Law 25 and the GDPR?

Both regimes share the same core principles (consent, minimization, individual rights, breach notification), but Law 25 is specific to Quebec and differs in the details: it requires every organization to designate a Privacy Officer (the GDPR requires a data protection officer only in certain cases), it mandates a privacy impact assessment for every information system project involving personal information and for every transfer outside Quebec (the GDPR triggers a DPIA on high-risk processing), and it sets its own penalty thresholds. Being GDPR-compliant is a good starting point but does not guarantee Law 25 compliance.
