What Quebec Law 25 requires
Quebec Law 25 compliance means meeting a modernized set of private-sector privacy obligations. Core requirements include appointing a person responsible for the protection of personal information, obtaining valid and granular consent, being transparent about how you use data, honouring individual rights such as access and data portability, conducting privacy impact assessments for certain projects and transfers, and reporting confidentiality incidents.
Because Law 25 was introduced in phases and continues to be interpreted through regulation and guidance, confirm your current obligations against the official Commission d'accès à l'information du Québec (CAI) materials.
Who must comply with Quebec Law 25
Law 25 applies to private-sector organizations that handle the personal information of individuals in Quebec, regardless of where the organization is located. If you serve Quebec customers, you are likely in scope — and because Law 25 is generally stricter than the federal regime, many organizations build to it so a single program also satisfies PIPEDA. For the cross-border view, see our guide on PIPEDA vs GDPR.
How SecuritComply helps with Law 25 compliance
- Privacy governance — assign and track the person responsible for personal information
- Consent and privacy policy templates aligned to Quebec requirements
- Privacy Impact Assessment (PIA) module for projects and data transfers
- Confidentiality-incident logging, assessment, and record-keeping
- Safeguards and vendor risk management to keep data handling accountable
- Canadian data residency — your records stay on Canadian servers
Need hands-on security help? Our sister company Secur-IT Data Solutions provides managed cybersecurity services across Canada.
Quebec Law 25 compliance FAQ
What is Quebec Law 25?
Quebec Law 25 (formerly Bill 64) modernized Quebec's private-sector privacy law. It significantly strengthens requirements around consent, transparency, privacy governance, individual rights, and breach reporting, and was introduced in phases. Always confirm current obligations against the official Commission d'accès à l'information du Québec (CAI) materials.
Who must comply with Quebec Law 25?
Law 25 generally applies to private-sector organizations that collect, use, or disclose the personal information of individuals in Quebec, regardless of where the organization itself is located. If you do business with Quebecers, it is likely in scope.
What does Quebec Law 25 require?
Core obligations include appointing a person responsible for the protection of personal information, obtaining valid consent, being transparent about practices, honouring individual rights (including data portability), conducting privacy impact assessments for certain projects, and reporting confidentiality incidents. Confirm specifics against current CAI guidance.
How is Law 25 different from PIPEDA?
Law 25 is Quebec's provincial regime and is generally stricter than the federal PIPEDA, particularly on consent, governance, and penalties. Organizations operating across Canada often build to the stricter standard so one program covers both.
How does SecuritComply help with Law 25 compliance?
SecuritComply helps you operationalize Law 25: privacy governance, consent and policy templates, a Privacy Impact Assessment module, breach record-keeping, and vendor risk — all with your data stored in Canada.
