quebec law 25 scytale

Quebec Law 25: All You Need to Know

Lauren Blanc

Marketing Manager


Picture this: June 2020, the year our lives moved online. Quebec’s provincial government introduces Bill 64, a response to the privacy regulations evolving worldwide to address data protection in the digital age. Fast forward to September 2021, and voila – Bill 64 transforms into Quebec Law 25, the Canadian law that modernizes how businesses handle personal information.

Quebec Law 25 adopts a phased approach to implementation, with key privacy requirements becoming active in three stages over the course of three years: September, 2022; September, 2023; and September, 2024. This phased rollout allows businesses time to gradually prepare for new data security obligations.

And yet, despite this phased approach, many organizations are still struggling with their strategy to comply. Let’s explore the key requirements of this legislation so you can understand how it impacts organizations and residents alike.

What is Quebec Law 25?

Quebec made headlines by passing Law 25, also previously known as Bill 64, in September 2021. This comprehensive law regulates how companies and organizations operating in Quebec manage people’s personal data. It makes companies get real careful about collecting, using and sharing private details, with stiff penalties if they don’t follow the rules.

The main goal? Empower Quebec residents with more choice and transparency about how their data is handled. It updates privacy practices to restore public trust in today’s digital world where so much of our lives happen online. The internet boom means way more personal data out there about each and every one of us. This law equips the people of Quebec with legal tools to lock that information down.

Who Does Law 25 Apply to?

The scope of Law 25 is far-reaching – setting baseline privacy standards across Quebec. The law applies to any organization that has personal data of Quebec residents, regardless of their location. That goes for small local businesses, big multinational corporations, websites, apps — you name it. If you’re part of any organized economic activity in Quebec – yes, that includes you too, startups – Law 25 has its eyes on you.

That means retail chains must follow the rules for shopper information. Banks need to implement them for customer financial records. SaaS platforms have to apply the law for user data. Digital platforms like social networks or streaming services also fall under its jurisdiction for subscriber details. Any entity profiting off Quebec residents’ information is subject to the new requirements.

Compliance with Quebec Law 25: Key Privacy Requirements

Law 25 contains numerous provisions that strengthen protections around citizens’ personal details. A few initial requirements of Quebec’s Law 25 were implemented in September 2022, followed by additional measures in September 2023, with the final phase scheduled for September 2024. Let’s look at some of the most notable:

The September 2022 provisions require companies to:

Appoint a Privacy Officer

First things first, all companies need to appoint a privacy officer. The privacy officer is the go-to person for all privacy compliance and data protection within an organization. They ensure that their company is playing by the rules. Importantly, the privacy officer role can be delegated, but the highest person in charge needs to oversee adherence.

Report Breach Notifications

In case of a data breach, responsible measures need to be taken to fix it. Certain incidents require reporting to the Commission d’accès à l’information du Québec (CAI) and affected individuals. Risk assessment, involving consultation with your privacy officer, becomes pivotal when evaluating potential harm to those affected.

The September 2023 provisions require companies to:

At the heart of the law is the principle of requiring clear consent for collecting, using or sharing personal data. Companies can’t just assume permission – Law 25 demands a clear ‘yes’ in the form of an opt-in. Companies need to get explicit approval from each individual. Silence or inaction doesn’t cut it. And they can’t sneak consent into tricky terms and conditions.

Allow Data Subject Rights

People have rights, and Law 25 ensures they know it. The right to know what’s happening with their data, access it, correct it, erase it in some cases, and even take it with them (coming September, 2024), and businesses are obligated to respond to these requests within 30 days.

What’s more, with increasing reliance on AI and automated systems, Law 25 also provides Quebecers with the right to opt-out of and know when an automated process has been used to make a decision with their personal information. Humans ultimately need to stay accountable for automated data activities, and Law 25 imposes due diligence requirements around developing these activities responsibly with privacy in mind.

Provide Transparency

Organizations must clearly explain what data they take, why they need it, how they use it and who they share it with. No more vague or blanket reasons allowed. Privacy policies need to be straightforward without the complex legal jargon. Also, the privacy officer’s contact information needs to be out there, on the company website or wherever it’s easy for people to find.

Implement Policies and Practices

Companies need to review their existing privacy policies and notices to make sure they’re crystal clear on the measures they’re using to keep personal information safe. Updated policies need to match Law 25’s rules around consent, access, and collecting only necessary data.

Conduct Privacy Impact Assessments (PIAs)

Ever heard of a Privacy Impact Assessment (PIA)? Think of it as a health checkup for projects involving personal information. The assessment evaluates factors such as data sensitivity, intended use, quantity, distribution, and storage medium. A company’s privacy officer should be on board from the get-go, making sure everything’s in tip-top shape.

The final key provision in September 2024 will require companies to:

Allow Data Portability Rights

From the 22nd of September 2024, organizations holding Quebecers’ personal data must allow for citizens to easily request for data portability. This means that Quebecers have the right to receive and download their information in a structured, commonly used, and machine-readable format (like a CSV file for example) within a reasonable timeframe as requested.


Penalties for Noncompliance

Violating Law 25 can hit you in the pocket, hard. While fines range from $15,000 to $25 million for organizations, the real kicker is the potential 4% hit on your global revenue, whichever amount is higher. This applies to both first-time and more severe violations, the latter being determined by the severity of the offense and potential harm caused. But the financial blow isn’t all. Law 25 also requires public disclosure of violations, which can significantly damage your reputation and customer trust. 

quebec law 25 scytale

Your Quebec Law 25 Compliance Checklist

  1. Report breach notifications promptly and appropriately to the CAI and affected individuals.
  2. Appoint a privacy officer and ensure oversight by the highest authority within the company.
  3. Obtain clear consent from individuals through explicit opt-in methods, avoiding assumptions or sneakily embedded consent.
  4. Respect data subject rights including access, correction, erasure, and eventually data portability (from September 2024).
  5. Provide transparent explanations of data practices and ensure easy access to privacy officer contact details.
  6. Establish clear governance policies for data protection.
  7. Conduct Privacy Impact Assessments (PIAs) with the involvement of the privacy officer.
  8. Prepare to allow data portability rights by September 22, 2024, ensuring Quebecers can request their data in a structured, commonly used, and machine-readable format.

Moving Forward with Quebec Law 25

Whew, that’s a lot to digest! In short, Law 25 is a big move to return control of personal data to Quebec people. It aims to rebuild public trust in the digital age through stronger privacy standards and individual rights.

Wise companies should see this as an opportunity to be more transparent and win customer loyalty. While companies may pay more up front for compliance, Quebecers benefit long term from tighter control of their information. And remember, complying with the law isn’t just about avoiding hefty fines, it’s about safeguarding privacy and building lasting trust with your customers.

Only time will tell if Quebec’s example influences privacy laws across Canada and beyond. Don’t wait for a costly wake-up call, speak with one of our compliance experts to see how Scytale can support your organization’s compliance with Law 25.  

Share this article

A CTO’s Roadmap to Security Compliance: Your Go-To Handbook for Attaining SOC 2 and ISO 27001

Security Compliance for CTOs