Quebec Law 25 Explained: A Compliance Guide for 2026

Quebec Law 25 strengthens privacy protections and imposes new compliance obligations on organizations handling personal data. Learn what you need to know for 20

Sahil Dubey
June 13, 2026
7 min read

Quebec Law 25, formally known as Bill 64 (Loi modifiant la Loi sur la protection des renseignements personnels dans le secteur privé), fundamentally reshapes privacy obligations for organizations operating in Quebec. As we approach 2026, businesses must understand the expanded consent requirements, accountability measures, and enforcement mechanisms that Law 25 introduces. This guide breaks down what Law 25 means for your organization and how to achieve robust Quebec Law 25 compliance.

What Is Quebec Law 25?

Quebec Law 25 amends the private sector privacy law (Law 2000, Chapter 5) to modernize privacy protections in response to evolving data handling practices. The legislation strengthens individual rights, imposes stricter consent requirements, and introduces significant penalties for non-compliance. Organizations that collect, use, or disclose personal information from Quebec residents must adapt their practices to align with these new standards.

Key Changes and Requirements

Quebec Law 25 introduces several critical changes that directly impact how organizations handle personal data:

  • Explicit Consent for Data Collection: Organizations must obtain clear, informed consent before collecting personal information. Pre-checked boxes and vague consent language no longer satisfy compliance requirements.
  • Expanded Definition of Consent: Consent must be meaningful and specific to each use case. General, blanket consent is insufficient under the new framework.
  • Right to Be Forgotten: Individuals gain the right to request deletion of their personal information in most circumstances, with limited exceptions for legal obligations.
  • Data Portability: Organizations must enable individuals to obtain their personal data in a portable format upon request.
  • Privacy by Design: Organizations must integrate privacy considerations into business processes, system design, and decision-making from inception.
  • Breach Notification Requirements: Organizations must notify individuals and the Commission d'accès à l'information (CAI) when personal data breaches compromise security or confidentiality.
  • Data Protection Impact Assessments (DPIA): High-risk processing activities require formal assessment to evaluate privacy impacts.
  • Third-Party Accountability: Organizations remain responsible for personal information shared with service providers and vendors.

Consent Requirements Under Law 25

Consent is the cornerstone of Quebec Law 25 compliance. Organizations can no longer rely on passive opt-in mechanisms or vague privacy policies. Consent must be:

  • Voluntary: Given freely without coercion or pressure
  • Informed: Individuals must understand what data is collected, how it's used, and who has access
  • Specific: Separate consent is required for each distinct purpose of use
  • Unambiguous: Clear affirmative action (such as checking a box or signing) constitutes consent
  • Documented: Organizations must maintain records proving consent was obtained

This means your consent forms, privacy notices, and data collection practices require comprehensive review and revision to meet Law 25 standards.

Data Subject Rights Expanded

Quebec Law 25 grants individuals stronger rights over their personal information:

  • Right of Access: Individuals can request access to their personal data held by organizations
  • Right of Correction: Individuals can demand correction of inaccurate information
  • Right to Be Forgotten: Personal data must be deleted upon request unless legal obligations require retention
  • Right to Data Portability: Individuals can obtain their data in a structured, portable format
  • Right to Object: Individuals can object to certain processing activities

Organizations must establish efficient processes to respond to these requests within regulatory timeframes—typically 30 days from receipt.

Breach Notification and Reporting

Law 25 mandates strict breach notification protocols. When a security incident compromises the confidentiality or integrity of personal information, organizations must:

  • Notify affected individuals without unreasonable delay
  • Report the breach to the Commission d'accès à l'information (CAI)
  • Provide details about the nature of the breach, information affected, likely consequences, and mitigation measures
  • Maintain documentation of all breach incidents and notification actions

The definition of a reportable breach is broader than under previous frameworks, so organizations should adopt a cautious approach when determining notification obligations.

Penalties and Enforcement

Quebec Law 25 significantly increases consequences for non-compliance. Organizations that violate the law may face:

  • Administrative Fines: Up to $25 million CAD or 4% of annual turnover (whichever is higher)
  • Corrective Orders: CAI may mandate specific compliance actions
  • Public Disclosure: Non-compliance may be publicly disclosed, damaging reputation
  • Private Right of Action: Individuals harmed by violations may pursue civil remedies

These penalties underscore the critical importance of achieving and maintaining compliance.

Implementation Timeline for 2026

Organizations have specific deadlines to achieve compliance:

  • Consent Validation (January 2024 – Ongoing): Review all existing consents; organizations must re-obtain consent for previously authorized uses if those consents do not meet Law 25 standards
  • Policy and Process Updates (By Q2 2024): Revise privacy policies, data handling procedures, and consent mechanisms
  • System Implementation (By Q3 2024): Deploy technology to support data subject rights (access, deletion, portability requests)
  • Staff Training (Ongoing through 2025): Ensure all employees understand Law 25 obligations
  • Full Compliance (2026): Organizations must demonstrate complete compliance with all Law 25 requirements

Preparing Your Organization for Law 25 Compliance

Achieving Quebec Law 25 compliance requires a systematic, organization-wide approach:

  • Data Audit: Inventory all personal information collected, used, and shared; understand data flows across systems and third parties
  • Consent Audit: Evaluate current consent mechanisms against Law 25 standards; identify gaps and deficiencies
  • Privacy Impact Assessment: Assess compliance maturity and identify high-risk processing activities requiring formal DPIA
  • Policy Review: Update privacy policy, data retention policy, breach response procedures, and vendor management protocols
  • Technology Assessment: Evaluate systems' ability to support data subject rights (access, deletion, portability); consider upgrades or implementation of new tools
  • Staff Training: Educate employees about Law 25 requirements, consent processes, breach protocols, and individual rights
  • Third-Party Management: Update vendor contracts to clarify data protection responsibilities; ensure service providers meet Law 25 standards

Frequently Asked Questions

Does Quebec Law 25 apply to my business if we operate outside Quebec?

Yes, if your organization collects, uses, or discloses personal information of Quebec residents, Quebec Law 25 applies. It doesn't matter where your business is located. This extraterritorial reach means any organization handling Quebec resident data must achieve compliance, regardless of physical headquarters location.

What's the difference between consent under Law 25 and under PIPEDA?

Law 25 requires more explicit, granular consent than PIPEDA. Under Law 25, consent must be specific to each purpose of use, documented clearly, and obtained through affirmative action (not pre-checked boxes). PIPEDA permits broader, sometimes implicit consent. Organizations in Quebec must meet the higher Law 25 standard. If your organization operates across provinces, you'll need to implement Quebec Law 25 consent practices for Quebec residents and PIPEDA-compliant practices for others.

What should we do if we discover we're not currently compliant with Law 25?

Begin a systematic remediation program immediately: conduct a compliance audit to identify gaps, prioritize high-risk areas (such as consent practices and breach notification), update policies and processes, re-obtain compliant consent where necessary, train staff, and implement technology to support data subject rights. Many organizations benefit from working with compliance specialists who understand Law 25 requirements and can guide remediation efforts efficiently. Document all compliance actions to demonstrate good-faith efforts to regulators.

Take Action on Law 25 Compliance Today

Quebec Law 25 represents a substantial shift in privacy obligations that requires proactive attention. Organizations that understand the requirements, audit current practices, and implement necessary changes now will avoid costly penalties and reputational damage. If you're unsure about your compliance status or need guidance navigating Law 25 requirements, expert support can accelerate your readiness. Learn how Praxis-Q helps organizations achieve Law 25 compliance through comprehensive assessments, policy development, and implementation support.

Sahil Dubey

Compliance & Security Expert

CISA, ISO 27001 LA, AWS Certified. 11+ years in information security, cloud services, and compliance. Founder of Praxis-Q.