Law 25: A Quick Look at Quebec's Answer to GDPR

Quebec’s Law 25 has arrived to revamp privacy laws in the province’s private and public sectors. Titled “An Act to Modernize Legislation Provisions Respecting the Protection of Personal Information,” this law brings stricter privacy requirements for businesses. It comes with substantial fines and increased powers for the “Commission d’acces à l’information” (CAI) and emphasizes transparency, consent, and enhanced safeguards.

Quebec's Law 25

Major New Changes

Drawing inspiration from Europe’s General Data Protection Regulation (GDPR), Law 25 is a step in the right direction for Quebec. It aligns with GDPR’s objectives of safeguarding personal information and ensuring accountability. Quebec businesses must take note of the law’s key provisions:

1. Prompt disclosure: Businesses engaging in biometric data processing must inform the Commission d’accès à l’information du Québec (CAI) at least 60 days before implementing the system.

2. Privacy guardianship: Appointing a designated person responsible for protecting personal information becomes mandatory for businesses.

3. Incident reporting: Businesses are obliged to report any breaches of confidentiality that compromise personal information.


Quebec’s Law 25

It is expected to have a major impact on businesses in Quebec. The law introduces penalties with the potential to reach up to 4% of annual revenue, and administrative fines of up to CAD 10,000,000 or 2% of worldwide turnover from the previous year, as determined by the CAI.

With echoes of GDPR, Law 25 brings Quebec in line with global privacy standards. It enforces mandatory privacy assessments, ensuring adequate protection when sharing personal information outside the province. Additionally, businesses must secure separate and granular consent from individuals and uphold their new rights, such as data portability.


A New Era for Trust

While there is room for improvement, Law 25 is a step towards a more privacy-conscious society in Quebec. It follows the footsteps of GDPR, signaling Quebec’s commitment to protecting personal information. Compliance may pose challenges, but it presents an opportunity for businesses to foster trust, unlock the value of data, and promote innovation and economic growth.


In conclusion, Quebec’s Law 25, inspired by GDPR, presents a progressive stride in privacy protection. The law’s stringent requirements and potential fines compel businesses to prioritize the safeguarding of personal information. By embracing this privacy-focused approach, Quebec can pave the way for enhanced data governance and the establishment of a resilient and secure digital landscape.


Turn Law 25 into a competitive advantage


CEO & Co-founder - Axeptio


Related articles

Managing Your Digital Identity with Axeptio on FM 103.3 - La Radio Allumée

Managing Your Digital Identity with Axeptio on FM 103.3 - La Radio Allumée

On the airwaves of FM 103.3 La Radio Allumée (Quebec), Max Trudel engages in conversation with Romain Bessuges-Meusy, CEO of Axeptio. Together, they delve into the intricacies of digital...
Consent Rate Optimization: the Paris Opera case study

Consent Rate Optimization: the Paris Opera case study

The Paris Opera, a world-renowned cultural institution seeks to increase its cookie acceptance rate on its website. This improvement is essential to enable them to better understand their...
Axeptio joins Google's CMP Partner Program

Axeptio joins Google's CMP Partner Program

Axeptio is proud to announce that its Consent Management Platform (CMP) has been certified by Google and that it joins the Google CMP Partner Program. This milestone demonstrates our...