Law 25, formerly known as Bill 64, is Québec’s modernized privacy legislation that updates the province’s existing data protection framework. Enacted in 2021, it brings Québec in line with global privacy standards like the GDPR. The law applies to all businesses handling the personal information of Québec residents, whether operating inside or outside the province.
Law 25 introduces several major requirements:
Privacy by Design: Organizations must build data protection into systems and processes from the start.
Consent Requirements: Clear, informed, and specific consent is required before collecting personal data.
Privacy Impact Assessments (PIAs): Mandatory for any project involving sensitive personal information.
Breach Notification: Any data breach posing a risk of serious harm must be reported to Québec’s privacy regulator and affected individuals.
Automated Decision-Making Disclosure: Individuals must be informed when decisions are made based solely on automated processing.
Starting from September 2023, businesses must also appoint a Privacy Officer. By default this is the CEO, unless the role is delegated in writing.
Failure to comply can lead to steep fines of up to $25 million CAD or 4% of global turnover. More importantly, Law 25 reflects a broader shift toward accountability and user rights. Businesses that handle Québec residents’ data should audit current practices, update privacy policies, and implement compliance tools. Adopting Law 25's requirements not only ensures legal compliance but also strengthens consumer trust and corporate reputation.
Seers Group © 2025 All Rights Reserved