Quebec Law 25: Does It Apply to Your Business? [2026 Guide]
Free applicability checker with statutory citations — covers Quebec Law 25 scope, obligations, and penalties.
About Quebec Law 25
Quebec Law 25 — formally Bill 64, An Act to modernize legislative provisions as regards the protection of personal information — is Quebec's comprehensive privacy law, which reached full implementation in September 2023. It applies to any organisation that collects, uses, or communicates personal information about individuals located in Quebec, regardless of where the organisation is located.
Broader scope than PIPEDA: Unlike PIPEDA, which requires a commercial activity nexus, Quebec Law 25 applies to all private sector organisations — including non-profits — that process personal information about Quebec residents. An organisation based in the US, EU, or anywhere else that collects information about Quebec residents must comply.
Key new requirements introduced by Law 25:
- Mandatory appointment of a Privacy Officer (person in charge of personal information protection) — s.3.1
- Mandatory Privacy Impact Assessments (PIAs) before implementing new technology — s.3.3
- 72-hour breach reporting to the Commission d'accès à l'information (CAI) — s.3.5
- New portability rights allowing individuals to request their information in a structured format — s.28.1
- Enhanced consent requirements for collection — s.12
Quebec Law 25 is often compared to GDPR in its strictness and is considered one of the most demanding provincial privacy laws in North America.
Key obligations under Quebec Law 25
Frequently asked questions
Does Quebec Law 25 apply to businesses outside Quebec?
Yes. Quebec Law 25 applies to any organisation — wherever it is located — that collects, uses, or communicates personal information about individuals located in Quebec. A business in Ontario, the US, or the EU that has Quebec residents as customers, users, or subscribers must comply with Quebec Law 25.
What is a Privacy Impact Assessment under Quebec Law 25?
Under s.3.3 of Quebec Law 25, a Privacy Impact Assessment (PIA) must be conducted before any project involving the acquisition, development, or redesign of an information system or electronic service delivery system involving personal information, and before communicating personal information outside Quebec. The PIA must evaluate risks and determine mitigation measures.
What are the penalties under Quebec Law 25?
Quebec Law 25 provides for two tiers of penalties. Administrative monetary penalties of up to CAD $10 million or 2% of worldwide turnover. Penal offences carry fines of up to CAD $25 million or 4% of worldwide turnover — similar to GDPR in severity. The Commission d'accès à l'information (CAI) is the supervisory authority.
What is the breach notification deadline under Quebec Law 25?
Under s.3.5 of Quebec Law 25, a confidentiality incident (breach) involving personal information posing a risk of serious injury must be reported to the CAI and the affected individuals without delay. In practice, the CAI has indicated that notification should occur within 72 hours of becoming aware of the incident — mirroring GDPR's timeline.
How does Quebec Law 25 differ from PIPEDA?
Key differences: (1) Quebec Law 25 applies to all organisations, not just commercial ones; (2) Penalties are far higher (up to $25M CAD vs $100K for PIPEDA); (3) Quebec Law 25 requires mandatory PIAs; (4) 72-hour breach reporting vs "as soon as feasible" under PIPEDA; (5) New portability rights; (6) Stricter consent requirements. PIPEDA and Quebec Law 25 operate concurrently — both may apply to the same organisation.
Not sure if Quebec Law 25 applies?
Run the full assessment — covers all major privacy laws with exact statutory citations. Free, no account required.
Start free assessment →Not legal advice — educational information only