PIPEDA vs Quebec Law 25: what's the difference?
Key differences in scope, breach notification deadlines, consent standards, and penalties — with statutory citations.
If your business has users in Quebec, you may be subject to BOTH PIPEDA (federal) and Quebec Law 25 (provincial). Where they conflict, the stricter law generally applies. Quebec Law 25 is significantly more demanding than PIPEDA in several key areas.
Overview of both laws
PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law. It applies to personal information collected, used, or disclosed in the course of commercial activities across Canada — with the exception of provinces that have substantially similar legislation.
Quebec has had its own provincial privacy law since 1994. In 2021, Bill 64 (Law 25) modernised Quebec's framework significantly, introducing GDPR-style obligations. Law 25 was implemented in three phases: Phase 1 (September 2022), Phase 2 (September 2023), and Phase 3 (September 2023).
Since Quebec has substantially similar legislation, PIPEDA generally does not apply to private-sector organisations in Quebec in relation to purely intra-provincial activities. However, federal organisations — banks, telecoms, and airlines — remain subject to PIPEDA regardless of province.
PIPEDA s.26(2)(b) — substantially similar province exception
Quebec Law 25 — An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, SQ 2021, c 25
Side-by-side comparison: PIPEDA vs Quebec Law 25
| Feature | PIPEDA | Quebec Law 25 |
|---|---|---|
| Jurisdiction | Federal Canada (all provinces, subject to substantially similar exceptions) | Quebec only |
| Breach notification deadline | As soon as feasible | 72 hours to CAI + affected individuals |
| Breach threshold | Real risk of significant harm (RROSH) | Risk of serious injury |
| Privacy Officer | Must designate accountability person (Principle 1) | Mandatory — must be highest-ranking employee or designated person; contact info on website (s.3.1) |
| Consent | Meaningful consent (opt-out acceptable in some cases) | Explicit consent generally required; stricter standard |
| Privacy Impact Assessment | Recommended but not mandatory | Mandatory before technology implementation (s.3.3) |
| Right to data portability | No explicit right | Yes — right to data portability in structured format (s.28) |
| Profiling / automated decisions | Limited provisions | Must inform individuals of use of automated decision-making (s.12.1) |
| Penalties | Up to CAD $100,000 per violation | Up to CAD $25,000,000 or 4% of global revenue |
| Supervisory authority | Office of the Privacy Commissioner (OPC) | Commission d'accès à l'information (CAI) |
| Regulatory body website / complaints | priv.gc.ca | cai.gouv.qc.ca |
Key areas where Quebec Law 25 is stricter
In the following four areas, Quebec Law 25 imposes materially more demanding obligations than PIPEDA.
Quebec Law 25 requires notification to the CAI and affected individuals within 72 hours of becoming aware of a confidentiality incident presenting a risk of serious injury (s.3.5). PIPEDA's standard — "as soon as feasible" — offers no fixed deadline. For organisations with Quebec users, the 72-hour clock takes precedence and will govern in practice.
Under Law 25 (s.3.3), a Privacy Impact Assessment (PIA) is mandatory before implementing any technology involving the collection, use, or communication of personal information. Under PIPEDA, PIAs are recommended best practice but carry no statutory obligation. This makes Quebec Law 25 the stricter framework for new technology deployments.
Law 25 grants individuals an explicit right to receive their computerised personal data in a structured, commonly used technological format, and to have it transmitted to another organisation (s.28). PIPEDA contains no equivalent data portability right. This right applies to data collected since September 2023.
Law 25 (s.12.1) requires organisations to inform individuals when a decision based exclusively on automated processing of their personal information produces legal or significant effects. They must also be offered the opportunity to present observations. PIPEDA has no equivalent obligation, making this a meaningful gap for organisations using algorithmic or AI-driven decision-making.
Which law applies to your business?
A decision guide for the most common scenarios.
Practical compliance checklist for Quebec
Six steps organisations with Quebec users should prioritise under Law 25.
1. Appoint a privacy officer and publish their contact details
   Law 25 (s.3.1) requires designation of a person responsible for personal information protection — ideally the highest-ranking employee. Their contact information must be published on your website.
   Law 25, s.3.1
2. Publish a compliant privacy policy
   Your privacy policy must disclose processing purposes, retention periods, third-party sharing practices, and rights available to individuals, including the right to access, correct, and withdraw consent (Law 25, s.3.2).
   Law 25, s.3.2
3. Conduct a Privacy Impact Assessment before deploying new technology
   A PIA must be completed before implementing any new technology that collects, uses, or communicates personal information. The PIA must consider privacy risks and document proportionality. This is mandatory — not optional — under Law 25 (s.3.3).
   Law 25, s.3.3
4. Implement a 72-hour breach notification process
   Establish internal procedures to detect, assess, and notify the CAI and affected individuals of confidentiality incidents within 72 hours of becoming aware. Maintain an incident log as required by Law 25 (s.3.5).
   Law 25, s.3.5
5. Update privacy notices to disclose automated decision-making
   If your organisation makes decisions based exclusively on automated processing of personal information that produce legal or significant effects on individuals, you must disclose this in your privacy notice and offer individuals the right to present observations (Law 25, s.12.1).
   Law 25, s.12.1
6. Implement data portability procedures
   Individuals may request their computerised personal data in a structured, commonly used technological format, or ask that it be transmitted to another organisation. Establish a process for handling such requests within a reasonable timeframe (Law 25, s.28).
   Law 25, s.28
Frequently asked questions
Does PIPEDA apply in Quebec?
For most private-sector organisations operating within Quebec, PIPEDA does not apply to intra-provincial commercial activities because Quebec has substantially similar legislation (PIPEDA s.26(2)(b)). Federal undertakings — including banks, interprovincial carriers, and telecoms — remain subject to PIPEDA in all provinces. Non-Quebec commercial activities by Quebec-based organisations are also subject to PIPEDA.
What is the breach notification deadline under Quebec Law 25?
Quebec Law 25 requires notification to the Commission d'accès à l'information (CAI) and affected individuals within 72 hours of becoming aware of a confidentiality incident that presents a risk of serious injury. This is significantly stricter than PIPEDA's "as soon as feasible" standard, which carries no fixed deadline.
Does Quebec Law 25 apply to companies outside Quebec?
Yes. Under s.2.1 of Quebec Law 25, the law applies to any person or organisation that collects, holds, uses, or communicates personal information about Quebec residents in the course of carrying on an enterprise, regardless of where the organisation is based. A US company or an Ontario-based company with Quebec customers may be subject to Law 25. This mirrors the extraterritorial scope of the GDPR.
What is the CAI?
The Commission d'accès à l'information (CAI) is Quebec's supervisory authority for privacy law. It enforces Quebec Law 25 and the Quebec Act respecting access to documents held by public bodies and the protection of personal information. Complaints can be filed at cai.gouv.qc.ca. The CAI can impose administrative penalties of up to CAD $25,000,000 or 4% of worldwide revenue for the most serious violations.
What replaced PIPEDA?
PIPEDA is being replaced by the Consumer Privacy Protection Act (CPPA), proposed under Bill C-27 (Digital Charter Implementation Act, 2022). As of April 2026, Bill C-27 has not yet received Royal Assent. PIPEDA remains the applicable federal private-sector privacy law. Check the Office of the Privacy Commissioner website (priv.gc.ca) for the latest legislative status.