Quebec Law 25: Canada's Strictest Privacy Regime and What It Means for Your Business
Quebec's Act to modernize legislative provisions as regards the protection of personal information (Law 25) phased in between September 2022 and September 2024, creating privacy obligations that exceed PIPEDA in several important ways — including mandatory privacy impact assessments, a designated privacy officer, consent granularity requirements, and the right to data portability. If you have Quebec users or do business in the province, your privacy infrastructure needs specific updates.
Ruby Law
Canadian Legal Insights
Canada's Most Demanding Privacy Law Is Already in Force
Quebec's Act to modernize legislative provisions as regards the protection of personal information — commonly known as Law 25 or Bill 64 — completed its three-phase implementation in September 2024. It is now fully in force, and it imposes privacy obligations that exceed PIPEDA in several significant ways. If you have Quebec users, Quebec employees, or conduct any commercial activity within the province, your privacy infrastructure needs specific updates that go beyond federal compliance.
Law 25 amends two existing Quebec statutes: the Act respecting the protection of personal information in the private sector (the "Private Sector Act") and the Act respecting Access to documents held by public bodies. For private-sector companies, the amendments to the Private Sector Act are what matter.
Phase-In Timeline: What Applied When
Law 25 was implemented in three phases:
- September 22, 2022 (Phase 1): Designation of a person responsible for personal information protection; mandatory breach reporting to the Commission d'accès à l'information (CAI) and affected individuals; new rules for biometric databases.
- September 22, 2023 (Phase 2): New consent requirements (express, specific, granular); privacy impact assessments mandatory for certain processing activities; new transparency obligations; privacy by default; right to data portability; right to de-indexation; new rules for automated decision-making; new rules for cross-border transfers.
- September 22, 2024 (Phase 3): Right to data portability in a structured, commonly used format; full enforcement powers, including administrative monetary penalties.
Where Law 25 Goes Beyond PIPEDA
Mandatory Privacy Impact Assessments
PIPEDA recommends privacy impact assessments (PIAs) as a best practice. Law 25 makes them mandatory. A PIA must be conducted before any "acquisition, development or redesign" of an information system or electronic service delivery involving the collection, use, communication, keeping or destruction of personal information. For SaaS companies, this means a PIA is required before launching any new feature that touches personal data.
The PIA must assess the purpose of the processing, the personal information involved, the privacy risks and their severity, and the mitigation measures. While the CAI has not prescribed a specific format, the PIA must be documented and available for inspection.
Designated Privacy Officer
PIPEDA requires a designated individual accountable for compliance. Law 25 goes further: the person responsible for personal information protection is, by default, the person with the highest authority in the organization — the CEO. This responsibility can be delegated in writing to another person, but the delegation must be published on the organization's website, and the title and contact information of the designated person must be accessible to the public.
Consent Granularity
Law 25 introduces stricter consent requirements than PIPEDA:
- Consent must be requested for each specific purpose, separately. Bundled consent for multiple purposes is not valid.
- Consent must be requested in clear and simple language. If the personal information is sensitive, consent must be express (not implied).
- Consent for the communication of personal information to third parties must specify the third party or the category of third party.
- Privacy by default: if a product or service offers privacy settings, those settings must be set to the highest level of confidentiality by default. Users can opt in to less privacy, but they cannot be required to opt out of data collection.
Right to Data Portability
Law 25 grants individuals the right to receive their personal information in a "structured, commonly used technological format" and to have it transferred directly to another organization. This is similar to GDPR's portability right and goes beyond anything in PIPEDA. SaaS companies need to build data export functionality that can produce user data in a machine-readable format on request.
Right to De-indexation
Individuals can request that an organization cease disseminating their personal information or de-index any hyperlink associated with their name if the dissemination contravenes the law or a court order. This is Quebec's version of the "right to be forgotten," and it applies to information accessible via search engines or online platforms.
Automated Decision-Making Transparency
When an organization uses personal information to make a decision based exclusively on automated processing, it must inform the individual at or before the time of the decision. The individual has the right to be informed of the personal information used and of the reasons and principal factors that led to the decision, and has the right to have the decision reviewed by a person.
Cross-Border Transfer Requirements
Before transferring personal information outside Quebec, an organization must conduct a PIA that evaluates whether the receiving jurisdiction provides adequate protection. If it does not, the organization must enter into a contractual agreement that provides equivalent protection. The CAI can prohibit transfers to jurisdictions that do not provide adequate protection.
Enforcement: Administrative Monetary Penalties
This is where Law 25 gets serious. As of September 2024, the CAI can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover for the preceding fiscal year — whichever is greater. For penal offences (e.g., knowingly violating the law), fines can reach $25 million or 4% of worldwide turnover. These are GDPR-scale penalties, applied within a Canadian province.
Law 25 also creates a private right of action for individuals who suffer harm as a result of a privacy violation, with the possibility of punitive damages.
Practical Compliance Steps for SaaS Companies
- Designate your privacy officer and publish their title and contact information on your website.
- Publish a detailed privacy policy that meets Law 25's transparency requirements — including the purposes of collection, categories of recipients, retention periods, rights of access and rectification, and the name of the designated person.
- Implement granular consent mechanisms — separate consent for each purpose, privacy by default, easy withdrawal.
- Conduct privacy impact assessments for every information system that processes personal information.
- Build data portability — the ability to export user data in a structured, machine-readable format.
- Review cross-border transfers — ensure DPAs with US-based sub-processors include adequate protection commitments.
- Document your breach response protocol — including CAI notification requirements, which are separate from PIPEDA's OPC notification.
The Broader Signal
Law 25 is a leading indicator of where Canadian privacy law is heading. The proposed federal Consumer Privacy Protection Act (CPPA), which would replace PIPEDA, includes many of the same provisions — mandatory PIAs, enhanced consent requirements, administrative monetary penalties, and a private right of action. Companies that comply with Law 25 will be substantially prepared for the eventual federal reform. Companies that ignore it are building compliance debt that will only grow.