What is Quebec Law 25? (+ Compliance Tips)

Law 25 was passed officially by the Quebec National Assembly in September 2021. This law is intended to modernize the province’s privacy legislation by respecting the protection of personal information held by private sector organizations and public sector bodies.

Companies in Quebec or those that serve Quebec residents were given a three-year grace period to comply with the key provisions of Law 25, with pieces coming into effect in September 2021, 2022, and 2023.

Keep reading to understand the key tenets of Law 25, its new requirements, and how organizations can comply with the rules.

What is Quebec Law 25?

Quebec Law 25, formerly Bill 64, is a far-reaching update of privacy regulations in the Canadian province of Quebec. It was initially proposed by the government in June 2020 with a view to enacting substantial changes to the laws governing the gathering, utilization, and disclosure of personal data.

Law 25 introduces several new business obligations, including prompt data breach notifications, mandatory privacy impact assessments, clear privacy policies, and consent management practices. 

Law 25 is now in effect, impacting all businesses that process Quebecois personal data, whether or not they have a formal presence in the province. The primary government agency responsible for enforcing the law is The Commission d’accès à l’information du Québec (CAI), Quebec’s provincial privacy commissioner.

Who does Law 25 apply to?

Law 25's extensive reach covers public and private entities in or out of Quebec, including businesses, nonprofits, and government bodies. The mandate applies regardless of entity size, and, notably, applies to any company that collects, uses, or retains the personal information of Quebec citizens as part of their operations. This includes businesses located in Quebec and those that serve Quebec residents.

However, obligations differ based on business type, data handled, and processing context. Generally, if an organization deals with Quebec residents' personal information, Law 25 likely applies.

How is Personal Data Defined in Law 25?

Quebec Law 25 describes personal information as any details that can help identify a specific individual, alone or in combination. For example, this may include full name, physical address, email address, phone number, financial records, dependent information, and more.

Quebec law 25 includes another category — sensitive personal information.  This category includes data related to an individual’s health, biometrics, financial, or any other information of an intimate nature. Any data that could cause harm to an individual if disclosed or abused.

Law 25’s Key Requirements

Quebec Law 25 resembles the GDPR in several aspects while introducing new requirements. In many ways, it is considered the strictest data privacy law in North America.

While Canada already has the Personal Information Protection and Electronic Documents Act (PIPEDA), Law 25 takes its requirements up a notch.

Let’s take a closer look.

Law 25’s Consent Requirements

Under the law, any business or organization attempting to track personal information such as IP addresses, names, and email addresses must obtain explicit consent from the user. This is similar to the GDPR, where websites cannot automatically load cookies without asking for explicit permission.

Businesses familiar with US consent requirements will know that the opposite is true for them: tracking technologies can be loaded by default, with the ability to opt out if a user wishes. However, Law 25 flips the script by giving users more control over their data.

Privacy Officer Appointment

Law 25 mandates appointing a data privacy officer, responsible for ensuring compliance with the regulations. Businesses can appoint an employee and delegate privacy management tasks to them. Otherwise, the highest-ranking official of the company (such as the CEO) is considered to be the de facto data privacy officer.

If firms choose to hire a separate employee as the privacy officer, they must clearly publish the individual's name, title, and contact information on their website.

The privacy officer is responsible for all aspects of Quebec Law 25 compliance, including but not limited to:

• Data subject access requests
• Consent management and privacy workflows
• Conducting privacy impact assessments
• Data breach notifications

Privacy By Design

Similar to how it governs consent requirements, Law 25 requires companies to have the highest confidentiality settings turned on by default. This regulation aims to encourage ‘Privacy by Design’ configurations, where software development frameworks prioritize individuals, and their user data and confidentiality, from the start. 

Privacy Assessments Under Law 25

A privacy impact assessment (PIA) and/or Transfer Impact Assessment is conducted to evaluate potential risks to individual privacy, particularly when embarking on a new project involving the processing of individual data. 

Law 25 requires that businesses conduct PIAs when:

• Transferring personal information to a third party for study or research purposes or the production of statistics
• Assessing a project to acquire, develop, or overhaul an information system or electronic service delivery system (such as payment processing services, AI tools, biometric systems)
• Transferring personal information outside of Quebec 

Data Subject Rights

Most data privacy laws worldwide focus on enhancing individual rights, and Quebec Law 25 is no different. This is another area where it resembles the GDPR, with robust protections and rights for data subjects. 

Right to be informed: Individuals have the right to be informed about how their personal data will be collected, processed, and used. This includes being aware of whether the data is shared with third parties.

Right to access: Individuals can request access to the personal data held by an organization. They have the right to know what data is being processed and obtain a copy of it.

Right to rectification: Individuals can request corrections to their personal data if they find inaccuracies or incomplete information.

Right to deletion: users can request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

Right to withdraw consent: Individuals have the right to withdraw their consent for processing their personal data at any time.

Right to data portability [effective September 22, 2024]: Users can request their data in a format that is readable and portable.

Right to be informed about automated processing: Users have the right to be informed when their personal information is used for automated decisions in business.

Businesses are expected to reply to requests within 30 days of receiving them.

Breach Notifications

Businesses that experience a privacy breach must promptly notify the Commission d’accès à l’information du Québec (CAI), the government body responsible for enforcing Law 25.

Businesses must also maintain a comprehensive record of all privacy incidents as part of their regulatory responsibilities. A copy of these records should be made available on request by the CAI.

It is also the responsibility to notify affected individuals in the case of a data breach that may cause them significant harm, however, exceptions can be made if this impedes a criminal investigation.  

Privacy Policies

Under Law 25, businesses that collect personal information, must have a clearly written privacy policy that discloses:

• The purpose of data collection
• The types of data being collected
• Who can access it
• The rights of users to access the data collected and request changes
• Whether it’s shared with third parties and the details
• If the information is subject to any international data transfer

If the business collects any personally identifiable information via cookies, this needs to be outlined in the privacy policy with clear instructions on how to opt out.

International Data Transfer Requirements 

Businesses are allowed to transfer personal information outside of Quebec, but are required to undergo a transfer impact assessment prior. This helps assess whether the data will receive a similar level of protection. Data subjects must also be informed of this transfer and all relevant agreements with the third party should be enunciated. 

Quebec Law 25 penalties for non-compliance

Law 25 imposes strict fines on both individuals and entities alike; the severity of which depends on whether it is a first-time or repeat offense. 

For companies, the fine can reach up to $10 million CAD or 2% of their global turnover, whichever is greater.

Individuals can be fined anywhere from $5,000 to $100,000 (CAD).

However, the fines for businesses can increase to $25 million CAD or 4% of global turnover for severe and repeated violations. 

Law 25 vs PIPEDA

The main difference between Quebec Law 25 and PIPEDA is the scope of the two legislations — Law 25 is a provincial law that focuses on Quebec while PIPEDA is a federal law applying to all provinces across Canada.

One of the key ways that sets the two legislations apart are its consent management guidelines. Law 25’s consent requirements are stricter than PIPEDA’s guidelines. Under Law 25’s confidentiality first principle, businesses must turn off tracking cookies by default and implement the highest level of confidentiality. Under PIPEDA, tracking technologies can be used if a consumer is reasonably informed beforehand and can opt out if required. 

Quebec Law 25 Compliance Checklist

• Set up an opt-in mechanism for collecting personal information, via a cookie consent management tool
• Allow users to modify their consent preferences
• Publish a privacy policy that’s compliant with Law 25
• Give users an automated way to request a copy of their data, via a Data Subject Access Request form
• Allow for the correction and modification of incorrect data
• Determine the appropriate Privacy Officer and publish their contact information on your website
• Agree on an internal operational workflow to deal with data breach notifications
• Run privacy and transfer  impact assessments for required processes
• Inform data subjects when their personal information may be transferred outside of Quebec

Get Compliant with Quebec Law 25

In a recent PwC survey, only 35% of businesses expected to be fully ready for Law 25 compliance, and nearly 4 in 10 say they did not understand the full scope of Law 25 on their activities.

If your company hasn’t transitioned toward Law 25 compliance, now is the perfect time to begin.

No matter where you are in this compliance journey, Enzuzo can help. Our dedicated team is ready to help evaluate your practices and procedures to ensure they align with the Quebec legislation and other relevant laws in Canada and North America.

Book a no obligation 1-1 call with Mate Prgin, Enzuzo's CEO 👇