Quebec Law 25

Quebec Law 25 compliance guide

Quebec's modernized privacy law introduces GDPR-like requirements including mandatory Privacy Impact Assessments, 72-hour incident notification, and automated decision-making transparency. We help you navigate all three implementation phases.

Start compliance assessmentBook Law 25 consultation

What is Quebec Law 25?

Quebec Law 25 (Bill 64) is the Act to modernize legislative provisions as regards the protection of personal information. Enacted in 2021, it significantly strengthens privacy protections in Quebec by amending the Act Respecting the Protection of Personal Information in the Private Sector.

Why this matters now: All three implementation phases are now in force as of September 22, 2024. Organizations must comply with mandatory PIAs, 72-hour incident notification, privacy by default, and automated decision-making transparency. Maximum penalties of CAD $25 million now apply.

GDPR-aligned

Similar scope and penalties to EU regulation

72-hour breach notification

Mandatory reporting to CAI and individuals

Complements GDPR and CCPA compliance for organizations operating across jurisdictions.

Who needs Law 25 compliance?

Quebec-based organizations

Any organization operating in Quebec collecting personal information

Processing Quebec residents' data

Organizations outside Quebec processing Quebec residents' information

Public sector entities

Government bodies subject to Law 25 modernization provisions

AI system operators

Organizations using automated decision-making affecting Quebec residents

Data processors

Service providers handling personal information on behalf of Quebec entities

Cross-border data transfers

Organizations transferring personal information outside Quebec

How VerifyWise supports Law 25 compliance

Comprehensive capabilities addressing mandatory privacy obligations

Privacy Impact Assessments (PIAs)

Conduct mandatory PIAs for high-risk processing activities with structured questionnaires aligned with CAI guidance. The platform documents necessity, proportionality, safeguards and generates compliance evidence for regulatory review.

Addresses: Art. 3.3 - PIA obligations for high-risk processing

Incident notification and breach management

Track privacy incidents with automated 72-hour notification workflows to CAI and affected individuals. The platform maintains incident timelines, impact assessments and remediation actions required under Law 25.

Addresses: Art. 3.5-3.8 - Incident notification within 72 hours

Automated decision-making transparency

Document AI systems making decisions exclusively through automated means. The platform tracks disclosure obligations, individual notification requirements and provides workflows for observation submission as mandated.

Addresses: Art. 12.1 - Automated decision transparency and individual rights

Privacy governance and policies

Establish privacy governance structures with designated privacy officers, accountability frameworks and policy management. The platform maintains governance documentation and ensures organizational compliance readiness.

Addresses: Art. 3.1-3.2 - Privacy governance and officer designation

Privacy by design and by default

Implement technical and organizational measures ensuring privacy protection from system design through deployment. The platform tracks privacy controls, data minimization practices and default privacy settings.

Addresses: Art. 3.4 - Privacy by design and by default

Cross-border transfer assessments

Evaluate equivalent protection for personal information transfers outside Quebec. The platform documents transfer mechanisms, adequacy assessments and contractual safeguards required for international data flows.

Addresses: Art. 17 - Equivalent protection for transfers outside Quebec

All privacy activities are tracked with timestamps, assigned owners and approval workflows. This creates the audit trail demonstrating systematic compliance required for CAI investigations.

Complete Law 25 requirements coverage

VerifyWise provides dedicated tooling for all major Law 25 obligations

36

Law 25 key requirements

36

Requirements with dedicated tooling

100%

Coverage across all categories

Privacy governance8/8

Policies, accountability, privacy officer, governance structure

Individual rights12/12

Access, portability, erasure, consent withdrawal, automated decisions

Processing obligations10/10

PIAs, privacy by default, security safeguards, retention limits

Incident management6/6

72-hour notification, individual alerts, CAI reporting, remediation

Built for Quebec privacy compliance

PIA workflows

CAI-aligned Privacy Impact Assessment templates and processes

72-hour notification

Automated incident tracking and CAI reporting workflows

Automated decision transparency

AI system documentation and individual notification tools

Multi-jurisdiction mapping

Crosswalk to GDPR and CCPA requirements

Three-phase implementation timeline

Law 25 came into force gradually between September 2022 and September 2024

Enforced
September 22, 2022

Initial requirements

  • Privacy governance and accountability obligations
  • Consent modifications (opt-in for minors)
  • Enhanced transparency requirements
  • New individual rights (data portability)
Enforced
September 22, 2023

Core compliance

  • Mandatory Privacy Impact Assessments (PIAs)
  • Privacy by default implementation
  • Incident notification (72 hours to CAI)
  • Designated privacy officer requirement
Fully in force
September 22, 2024

Full enforcement

  • All Law 25 provisions fully in force
  • Maximum penalties now applicable
  • Complete automated decision-making transparency
  • All cross-border transfer protections active

All provisions are now fully in force. Organizations must comply with all Law 25 requirements including PIAs, incident notification, privacy by default, and automated decision-making transparency.

Key compliance obligations

Core requirements organizations must implement under Law 25

Privacy Impact Assessments

Art. 3.3

Mandatory PIAs required for processing activities likely to create a significant risk of serious injury to privacy. Must be completed before processing begins and updated when circumstances change.

Key requirements

  • High-risk processing activities
  • New technologies or processing methods
  • Large-scale systematic monitoring
  • Sensitive data categories

Incident notification

Art. 3.5-3.8

Organizations must notify CAI and affected individuals within 72 hours of becoming aware of an incident involving personal information that presents a risk of serious injury.

Key requirements

  • Notification to CAI within 72 hours
  • Direct notification to affected individuals
  • Incident documentation and record-keeping
  • Remediation measures implementation

Automated decision-making

Art. 12.1

When decisions are made exclusively by automated processing, individuals must be informed and have the right to submit observations, obtain human intervention, and contest the decision.

Key requirements

  • Inform individuals of automated decisions
  • Provide opportunity to submit observations
  • Enable human intervention on request
  • Explain decision-making criteria

Transparency and consent

Art. 8-14

Enhanced transparency obligations require clear privacy notices. Consent must be specific, express, and obtained separately for different purposes. Special protections apply to minors.

Key requirements

  • Clear, simple privacy notices
  • Specific consent for each purpose
  • Opt-in consent required for minors
  • Withdrawal of consent mechanisms

Law 25 implementation roadmap

A practical path to achieving full compliance

Phase 1Weeks 1-3

Gap assessment

  • Audit current privacy practices against Law 25
  • Identify high-risk processing requiring PIAs
  • Designate or confirm privacy officer
  • Document existing consent mechanisms
Phase 2Weeks 4-8

Governance foundation

  • Develop privacy governance policies
  • Implement privacy by design framework
  • Establish incident response procedures
  • Create privacy notice templates
Phase 3Weeks 9-14

Operational compliance

  • Conduct mandatory PIAs for high-risk processing
  • Implement 72-hour incident notification workflows
  • Document automated decision-making systems
  • Assess cross-border transfer mechanisms
Phase 4Ongoing

Continuous monitoring

  • Monitor compliance with all Law 25 obligations
  • Update PIAs when processing changes
  • Maintain incident response readiness
  • Regular privacy training and awareness

Penalties and enforcement

Commission d'accès à l'information du Québec has broad powers and significant penalties

Administrative penalties

Up to CAD $25 million or 4% of worldwide turnover

Whichever is greater, for serious violations

Examples

  • Failure to conduct mandatory PIAs
  • Non-compliance with incident notification
  • Inadequate privacy governance
  • Cross-border transfer violations

Penal penalties

Up to CAD $10 million or 2% of worldwide turnover

For criminal violations and repeated non-compliance

Examples

  • Obstruction of CAI investigations
  • False or misleading information to CAI
  • Intentional privacy violations
  • Repeated failures to comply with orders

Enforcement authority

Commission d'accès à l'information du Québec (CAI)

Independent authority with investigation and enforcement powers

Examples

  • Compliance investigations and audits
  • Orders to cease non-compliant practices
  • Public reporting of violations
  • Referral to prosecution for criminal matters

Enforcement authority

The Commission d'accès à l'information du Québec (CAI) is Quebec's independent privacy authority. CAI has powers to investigate complaints, conduct audits, issue orders, and impose penalties.

Visit CAI website →

How Law 25 compares to other privacy laws

Understanding Quebec's privacy law in the context of global regulations

AspectQuebec Law 25GDPRCCPA
Jurisdiction
Quebec (Canada)European Union + EEACalifornia (USA)
Legal status
Provincial law (Quebec)EU Regulation (mandatory)State law (California)
Applicability
Quebec residents' dataEU residents' dataCalifornia consumers' data
Penalties
Up to CAD $25M or 4% turnoverUp to €20M or 4% turnoverUp to $7,500 per intentional violation
Breach notification
72 hours to CAI + individuals72 hours to DPA + individualsNo mandatory breach notification timeline
Consent model
Opt-in (especially minors)Opt-in (explicit consent)Opt-out (right to say no)
Impact assessments
Mandatory PIAs for high-riskMandatory DPIAs for high-riskNo mandatory impact assessments
Data portability
Yes (new right under Law 25)Yes (comprehensive right)Limited portability rights
Enforcement
CAI (Quebec)National DPAsCalifornia Attorney General + CPPA

Pro tip: Organizations complying withGDPRwill find Law 25 requirements familiar. Many GDPR practices (PIAs, breach notification, privacy by design) transfer directly to Law 25 with Quebec-specific adjustments.

Discuss multi-jurisdiction compliance
Policy templates

Privacy governance policy repository

Access ready-to-use privacy policy templates aligned with Law 25, GDPR, and CCPA requirements

Privacy governance

  • • Privacy Governance Policy
  • • Privacy Officer Charter
  • • Accountability Framework
  • • Privacy by Design Policy
  • • Third-Party Privacy Policy
  • • Privacy Training Program
  • + 4 more policies

Risk & assessment

  • • Privacy Impact Assessment Policy
  • • PIA Templates (CAI-aligned)
  • • Risk Assessment Methodology
  • • Data Protection Impact Assessment
  • • Transfer Risk Assessment
  • • Vendor Privacy Assessment
  • + 5 more policies

Incident & response

  • • Incident Response Policy
  • • 72-Hour Notification Procedure
  • • Breach Assessment Template
  • • CAI Notification Form
  • • Individual Notification Template
  • • Incident Documentation
  • + 3 more policies
Browse all policy templates

Frequently asked questions

Common questions about Quebec Law 25 compliance

Law 25 is the Act to modernize legislative provisions as regards the protection of personal information. It significantly amends Quebec's Act Respecting the Protection of Personal Information in the Private Sector, introducing requirements similar to GDPR. See the official Law 25 text.
Law 25 applies to organizations in Quebec that collect, hold, use or disclose personal information in the course of commercial activities. It also applies to organizations outside Quebec processing the personal information of Quebec residents. This includes businesses, non-profits, and public sector entities operating in Quebec.
Law 25 has a phased implementation. Phase 1 (September 22, 2022) introduced governance and transparency obligations. Phase 2 (September 22, 2023) added mandatory PIAs and incident notification. Phase 3 (September 22, 2024) brought all provisions into force with full penalties. Organizations must comply with all applicable requirements now.
PIAs are mandatory assessments required before beginning any processing activity that presents a significant risk of serious injury to privacy. This includes new technologies, large-scale processing, systematic monitoring, sensitive data processing, and automated decision-making. PIAs must document necessity, proportionality, safeguards, and risk mitigation measures.
Organizations must notify CAI and affected individuals within 72 hours when they become aware of an incident involving personal information that presents a risk of serious injury. This includes data breaches, unauthorized access, accidental disclosure, or loss of personal information. The notification must include the nature of the incident, affected data, and remediation measures.
When decisions are made exclusively by automated processing (including AI systems), Law 25 requires organizations to inform individuals, provide an opportunity to submit observations, offer human intervention upon request, and explain the decision-making criteria. This applies to consequential decisions affecting individuals like credit, employment, or service provision.
Administrative penalties can reach CAD $25 million or 4% of worldwide turnover (whichever is greater) for serious violations. Penal penalties up to CAD $10 million or 2% of turnover apply to criminal violations. The Commission d'accès à l'information du Québec (CAI) has broad investigation and enforcement powers including orders to cease non-compliant practices.
Organizations transferring personal information outside Quebec must ensure the recipient provides equivalent protection. This requires assessing the jurisdiction's privacy laws, implementing contractual safeguards (like standard contractual clauses), and documenting the transfer mechanisms. Individuals must be informed of cross-border transfers in privacy notices.
Law 25 shares many similarities with GDPR including mandatory breach notification, impact assessments, privacy by design, and data portability rights. However, Law 25 applies to Quebec residents, has CAD-denominated penalties, and includes specific provisions for minors' consent. Organizations complying with GDPR will find many transferable practices.
Yes, Law 25 requires organizations to designate a person responsible for privacy compliance (privacy officer). This person oversees privacy governance, ensures compliance with Law 25 obligations, handles access requests, and serves as the contact point for individuals and CAI. The privacy officer's contact information must be published.
Privacy by design requires integrating privacy protections into system design, development, and deployment from the outset. Privacy by default means systems must automatically provide the highest privacy protection without requiring user configuration. This includes data minimization, purpose limitation, and technical safeguards built into processing operations.
Law 25 requires express consent for personal information collection, use, and disclosure. Consent must be specific, informed, and obtained separately for different purposes. Special protections apply to minors (under 14) requiring opt-in consent. Organizations must enable easy consent withdrawal and respect withdrawal requests promptly.
Yes, VerifyWise provides comprehensive Law 25 compliance tools including PIA workflows, incident notification tracking, automated decision-making documentation, and governance policy management. Our platform also maps controls across GDPR, CCPA, and Law 25 for organizations operating across multiple jurisdictions.

Ready to achieve Law 25 compliance?

Start your Quebec privacy compliance journey with our comprehensive assessment and implementation tools.

Start compliance assessmentSchedule consultation
Quebec Law 25 (Bill 64) privacy compliance guide