Frequently Asked Questions About Law 25
Short answers to the questions Quebec organizations ask most often. Each answer links to a detailed guide.
What is Law 25 in Quebec?
Law 25 (the Act to modernize legislative provisions as regards the protection of personal information) is Quebec's privacy reform, assented to in 2021 and rolled out in stages from 2022 to 2024. It modernizes the obligations of businesses and public bodies: designating a privacy officer, keeping registers, conducting privacy impact assessments (PIAs), strengthened consent, individual rights, and penalties of up to 25 million dollars.
Complete Law 25 guide
Which businesses does Law 25 apply to?
Any person or organization carrying on an enterprise in Quebec that handles personal information: businesses of every size, freelancers, private clinics, and most nonprofits. There is no size threshold. Organizations established outside Quebec that actively target the Quebec market can also be covered.
Scope and exceptions
When did Law 25 come into force?
In three waves: September 2022 (privacy officer, incident register, biometrics), September 2023 (most obligations: governance, consent, PIAs, penalties), and September 2024 (data portability). The law has been fully in force since September 22, 2024, with no grace period.
Complete 2022-2024 timeline
How do you comply with Law 25?
The work starts with four foundations: designate a privacy officer and publish their contact information, inventory the information you hold, adopt a governance policy, and set up the incident register. Then come the continuous processes: PIAs for projects and transfers outside Quebec, vendor management, access request handling, and a retention schedule.
Where to start
What are the penalties for not complying with Law 25?
Three mechanisms: administrative monetary penalties imposed by the CAI (up to 10 million dollars or 2% of worldwide turnover for the preceding fiscal year, whichever is greater), penal sanctions (up to 25 million dollars or 4%, whichever is greater), and punitive damages of at least $1,000 that injured individuals can claim when the infringement is intentional or results from gross fault, often through class actions. The CAI weighs the organization's demonstrated diligence before sanctioning.
The full penalties picture
What is a confidentiality incident under Law 25?
Any unauthorized access, use, or communication of personal information, its loss, or any other breach of its protection. An email sent to the wrong recipient, an account compromised by phishing, or a lost device all qualify. Every incident must be logged in the register; if the incident presents a risk of serious injury, the CAI and the affected individuals must be notified diligently.
Handling an incident step by step
What is a PIA and when is it mandatory?
A privacy impact assessment (PIA, or EFVP in French) is a documented analysis of a project's privacy risks. It is mandatory for any project to acquire, develop, or overhaul a system involving personal information, and before any communication of information outside Quebec, which includes the use of most cloud tools.
When and how to conduct a PIA
What are the exceptions to Law 25?
They are few: journalistic, historical, or genealogical material for the legitimate information of the public, information for strictly personal use, and a lighter regime for business contact information in B2B contexts. There is no exception for small businesses or structured nonprofits.
Scope and exceptions
Does Law 25 apply to photos and videos?
Yes. As soon as a person is identifiable in an image, that image is personal information. Employee photos, event images, marketing, and video surveillance each require governance: documented consent, capture notices, limited retention. Quebec's Civil Code right to one's image stacks on top of Law 25.
Photos, videos, and Law 25
What software tools help with Law 25 compliance?
Compliance software centralizes the registers (incidents, vendors, access requests), structures PIAs, and produces the documentation the CAI examines. The selection criteria: native coverage of Quebec obligations, French interface, data hosting, ease of adoption, and demonstration reports. Observantia is built specifically for Quebec SMEs; our buyer's guide covers the criteria that apply to every tool on the market.
Buyer's guide: Law 25 compliance software
Where can an SME find a consultant specialized in Law 25?
The profiles to consider: privacy advisors, lawyers specialized in privacy law, and consulting firms that work with SMEs. A consultant brings contextual judgment (structural decisions, complex PIAs, training); software carries the continuity between engagements. Observantia is built by Elite Consultation, a Quebec consulting firm that offers both.
Consultant or software: how to choose
How does Law 25 differ from GDPR or PIPEDA?
Law 25 draws on the European GDPR (high penalties, PIAs, strengthened rights) and applies to organizations carrying on an enterprise in Quebec. Federal PIPEDA covers federally regulated businesses and interprovincial transfers; its penalties are much weaker. An organization compliant with Law 25 meets nearly all of PIPEDA's requirements.
Law 25 vs PIPEDA
A question about your specific situation?
Try Observantia free for 14 days, or write to us.