Law 25: A Quick Look at Quebec's Answer to GDPR

Quebec’s Law 25 has arrived to revamp privacy laws in the province’s private and public sectors. Titled “An Act to Modernize Legislation Provisions Respecting the Protection of Personal Information,” this law brings stricter privacy requirements for businesses. It comes with substantial fines and increased powers for the “Commission d’acces à l’information” (CAI) and emphasizes transparency, consent, and enhanced safeguards.

Quebec's Law 25

Major New Changes

Drawing inspiration from Europe’s General Data Protection Regulation (GDPR), Law 25 is a step in the right direction for Quebec. It aligns with GDPR’s objectives of safeguarding personal information and ensuring accountability. Quebec businesses must take note of the law’s key provisions:

1. Prompt disclosure: Businesses engaging in biometric data processing must inform the Commission d’accès à l’information du Québec (CAI) at least 60 days before implementing the system.

2. Privacy guardianship: Appointing a designated person responsible for protecting personal information becomes mandatory for businesses.

3. Incident reporting: Businesses are obliged to report any breaches of confidentiality that compromise personal information.


Quebec’s Law 25

It is expected to have a major impact on businesses in Quebec. The law introduces penalties with the potential to reach up to 4% of annual revenue, and administrative fines of up to CAD 10,000,000 or 2% of worldwide turnover from the previous year, as determined by the CAI.

With echoes of GDPR, Law 25 brings Quebec in line with global privacy standards. It enforces mandatory privacy assessments, ensuring adequate protection when sharing personal information outside the province. Additionally, businesses must secure separate and granular consent from individuals and uphold their new rights, such as data portability.


A New Era for Trust

While there is room for improvement, Law 25 is a step towards a more privacy-conscious society in Quebec. It follows the footsteps of GDPR, signaling Quebec’s commitment to protecting personal information. Compliance may pose challenges, but it presents an opportunity for businesses to foster trust, unlock the value of data, and promote innovation and economic growth.


In conclusion, Quebec’s Law 25, inspired by GDPR, presents a progressive stride in privacy protection. The law’s stringent requirements and potential fines compel businesses to prioritize the safeguarding of personal information. By embracing this privacy-focused approach, Quebec can pave the way for enhanced data governance and the establishment of a resilient and secure digital landscape.


Turn Law 25 into a competitive advantage


CEO & Co-founder - Axeptio


Related articles

Ensuring GDPR Compliance with Your Shopify Store

Ensuring GDPR Compliance with Your Shopify Store

Today, protecting customer data is paramount and becoming a requirement around the globe. The General Data Protection Regulation (GDPR) is a critical legislative framework designed to...
The American Privacy Rights Act of 2024 (APRA)

The American Privacy Rights Act of 2024 (APRA)

The U.S. Congress has been trying for several years now to adopt comprehensive federal legislation for privacy protection. In April 2024, a bipartisan and bicameral bill proposal was...
Axeptio and Law 25: An essential Asset for Small Businesses

Axeptio and Law 25: An essential Asset for Small Businesses

Patricia Filiatrault is the founder of a web agency in Quebec that bears her name: PF Communications. She helps companies with their website and SEO projects, navigating the challenges of...