What is Law 25?
Law 25, officially the "Act to modernize legislative provisions as regards the protection of personal information", is Quebec's privacy reform adopted in 2021 and phased in through 2024. It substantially rewrites the obligations of private and public sector organizations that process personal information.
It is not a policy you write once and file away. It is a set of continuous operational duties that touch governance, processes, vendor contracts and technology.
Why it matters for your organization
Failing to meet Law 25 exposes you to administrative penalties of up to 10 million dollars or 2% of worldwide turnover, and to penal sanctions of up to 25 million dollars or 4% of worldwide turnover. Beyond the fine, a mishandled confidentiality incident erodes customer trust and draws the attention of insurers and business partners.
Law 25 also shifts accountability upward: personal information governance is no longer a purely technical matter; it now sits with senior leadership.
The key obligations
- Privacy Officer: by default the person with the highest authority, with the ability to delegate in writing.
- Clear consent: separate, informed consent given for specific purposes, distinct from other terms.
- Transparency: understandable and accessible privacy policies, published on the platforms that collect data.
- Breach notification: report to the Commission d'accès à l'information and to affected individuals any incident that presents a risk of serious harm, and keep a register of incidents.
- Privacy Impact Assessment (PIA): assess risks before certain acquisition, development or system-redesign projects, and before transferring personal information outside Quebec.
- Right to portability and de-indexing: let individuals obtain their data in a structured format and request that its dissemination stop.
Where organizations most often fall short
The most common gaps are not in the high-level principles but in execution: a missing incident register, vendor contracts with no notification clause, cross-border transfers without a PIA, or consent mechanisms buried in general terms. Compliance lives in those operational details, not in the policy displayed on the website.