All Blog Posts

Québec Law 25: An Overview

Close
Read time
16 mins
Published
Jul 7, 2026
Share
  • Québec Law 25 applies to any organization worldwide that collects or processes Québec residents’ personal information. There are no minimum thresholds.
  • Non-essential cookies and tracking technologies must be off by default and activated only after a visitor gives clear, informed, opt-in consent, making Law 25 more strict than PIPEDA or U.S. state laws.
  • Consent must be clear, freely given, informed, and specific to its purpose; consent for sensitive personal information must always be explicit.
  • Visitors have the right to know what data is collected, access or correct it, request deletion, request portability, and withdraw consent at any time.
  • Organizations must appoint a privacy officer, publish a plain-language privacy policy, and conduct privacy impact assessments before transferring personal information outside Québec or overhauling systems that handle it.
  • Penalties for non-compliance reach up to CAD 25 million or four percent of global turnover, whichever is higher; repeat violations attract double fines.

Québec has one of the most comprehensive privacy frameworks in North America. Passed in 2021 and fully in force since September 2024, Québec Law 25 modernizes the province's existing privacy regulation and introduces requirements that closely mirror those of the European Union's General Data Protection Regulation (GDPR).

This includes a consent-first approach to personal information and meaningful individual rights. For any website operator that reaches visitors in Québec, understanding and meeting these requirements is not optional.

What Is Québec Law 25?

Québec Law 25, or formally the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, was introduced in the Québec National Assembly as Bill 64 in June 2020 and passed into law in September 2021. 

It significantly amends two existing provincial statutes: the Act Respecting the Protection of Personal Information in the Private Sector (1994), which governs private-sector organizations, and the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information (1982), which applies to public bodies. 

Both of those laws were written before digital platforms and behavioral tracking became commercially significant, and neither was designed with modern data collection practices in mind.

The law gives individuals greater control over their personal information and introduces stronger accountability for the organizations that handle it. It also aligns Québec's privacy framework with international standards, including the GDPR.

Who Does Law 25 Apply To?

Law 25 applies to any “enterprise” that collects, uses, or processes the personal information of individuals residing in Québec, even if that enterprise is based outside the province or outside Canada entirely. 

The law defines “enterprise” broadly, following Article 1525 of the Civil Code of Québec, to include public bodies, private organizations, nonprofits, and individuals carrying out an organized economic activity.

Critically, Law 25 sets no minimum size threshold. There is no employee count, revenue floor, or consumer volume requirement. Processing the personal information of even a single Québec resident is sufficient to bring an organization within scope. A sole trader, a small nonprofit, and a multinational corporation are all subject to the same compliance obligations.

In practice, this means that any website with visitors in Québec that sets cookies or trackers, collects form data, or processes personal information for commercial purposes is likely within scope. 

Law 25 is the most stringent provincial privacy regulation in Canada, imposing requirements that go beyond the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

What Counts as Personal Information Under Law 25?

Personal information under Law 25 is any information that relates to a natural person and directly or indirectly makes it possible to identify them. Format is irrelevant, and written, digital, visual, audio, and biometric data all fall within scope. 

This can include the kinds of data that websites routinely collect through cookies and trackers, such as IP addresses, unique identifiers, browsing history, device data, and location signals.

Information is considered sensitive if it is inherently private. This includes health, biometric, or financial data, for example, or if the way it is used or disclosed creates a heightened expectation of privacy. 

Notably, Law 25 takes a contextual approach to sensitivity. Information that would not ordinarily be considered sensitive may become so depending on the circumstances of its use. Sensitive personal information attracts stricter requirements, including the need for explicit consent in all cases.

Law 25 does not apply to personal information collected or used exclusively for journalism, historical research, or genealogy intended for legitimate public interest purposes. It also applies only to natural persons; data about businesses or other legal entities falls outside its scope.

Key Provisions of Québec Law 25

Québec Law 25 introduces several obligations that website operators need to understand. The provisions below cover the requirements most likely to affect how your site collects, manages, and stores personal information.

Consent under Law 25 must always be clear, freely given, informed, and specific to its purpose. This is fairly standard among international privacy laws. Organizations must request consent using simple, unambiguous language, and must make a separate request for each purpose. 

If consent is requested in writing, it must be kept separate from other information presented to the individual. It cannot be buried in terms and conditions. This is where a consent management platform (CMP) that can display a customized consent banner can be an important tool on your website.

Personal information may only be used for the purpose for which it was originally collected unless the individual provides consent for a different use, known as the requirement of purpose limitation. 

There are limited exceptions. Data may be repurposed without fresh consent if: 

  • The new purpose is consistent with the original
  • The use clearly benefits the individual
  • It is necessary to deliver a requested product or service
  • The information has been de-identified for research or statistical purposes

When it comes to sensitive personal information, consent must always be explicit. Individuals have the right to withdraw consent at any time, and the organization must stop processing their personal information once withdrawal is confirmed. The withdrawal mechanism must be at least as easy to use as the original consent mechanism.

For visitors under 14 years of age, a parent or guardian must give consent. Those aged 14 or older may give their own consent.

Cookies and Tracking Technologies

Law 25 has specific and practically significant implications for any website that uses cookies, tracking pixels, analytics scripts, or similar technologies. This is the area where the law is most distinctly stricter than PIPEDA, and where most website operators will need to make concrete changes.

Under Section 8.1 of Law 25, any organization that collects personal information using technology capable of identifying, locating, or profiling individuals must, before activating those technologies, inform visitors of their use and provide a means for visitors to activate them. 

The deliberate use of "activate," rather than "deactivate," makes the intent clear. Tracking and profiling technologies must be off by default. Visitors must affirmatively turn them on. Analytics cookies, advertising pixels, and behavioral tracking scripts cannot load until the visitor has actively consented.

Law 25 defines profiling broadly to cover any collection or use of personal information to assess characteristics of a natural person, including work performance, economic situation, health, preferences, interests, or behavior. Most third-party advertising and analytics technologies fall within this definition.

This makes Law 25 the only North American privacy regulation to specifically mandate explicit opt-in consent for tracking technologies as a structural default. This is a meaningful distinction for organizations accustomed to the opt-out model common under PIPEDA or the CCPA.

To meet these requirements in practice, organizations should present a consent banner before any non-essential tracking technologies load, ensure the reject option is as prominent as the accept option, offer granular controls by cookie category, log and timestamp consent decisions, and make it easy for visitors to change or withdraw their preferences at any time.

Individual Rights

Law 25 grants individuals a meaningful and broad set of rights over their personal information. These rights apply to any organization within scope, regardless of where it is based, and individuals may exercise them directly without first going through the CAI.

  • Right to anonymity: Where services can be provided anonymously or under a pseudonym without disproportionate operational difficulty, organizations must offer that option. This right reflects the law's emphasis on data minimization and proportionality.
  • Right to know: Individuals can request to know why their information is collected, how it will be used, and with whom it will be shared. This right is triggered at the point of collection as well as on demand.
  • Right of access: Individuals can request a copy of the personal information an organization holds about them, along with information about its source, the parties to whom it has been disclosed, and how long it will be retained.
  • Right to correction: Individuals can request that incomplete or inaccurate information be corrected. Where information has been passed to third parties, the organization must advise those parties of the correction where reasonably practicable.
  • Right to erasure: Individuals can request deletion of their personal information when it is no longer needed for the purpose for which it was collected, or when it has been handled unlawfully.
  • Right to data portability: Organizations must provide individuals with their personal information — specifically data originally collected from the individual, not data derived or inferred from it — in a structured, commonly used format upon request. Individuals may also request that the data be transmitted directly to a third party. Organizations generally have approximately 30 days to fulfill portability requests.
  • Right to de-indexation: Where personal information associated with a person's name appears in search results or on a web page and causes them harm, or was collected or used in contravention of law, individuals may request that the link be de-indexed or access restricted. This right has no direct equivalent in PIPEDA or the GDPR and is particularly relevant for organizations that publish user-generated content or operate directories.
  • Right to transparency in automated decision-making: Organizations must disclose when automated systems make decisions that affect individuals. Individuals have the right to request human review of such decisions, to be given reasons, and to submit observations. No individual may be subjected to a decision based solely on automated processing, including profiling, without their prior consent.
  • Right to privacy by default: Organizations that offer technological products or services, including websites and apps, must apply the most privacy-protective settings by default, without requiring visitors to adjust them. A separate provision (Section 9.1) explicitly states that this does not apply directly to browser cookie settings, though in practice the effect of Section 8.1's opt-in consent requirement for tracking technologies is functionally equivalent.

Privacy Impact Assessments

Québec Law 25 requires organizations to conduct a privacy impact assessment (PIA), the equivalent in purpose to a GDPR data protection impact assessment (DPIA).

PIAs are required in three situations:

  • When acquiring, developing, or significantly overhauling information systems or projects involving personal information
  • Before transferring personal information outside Québec
  • Before sharing personal information without consent for research, study, or statistical purposes

A PIA is a substantive analysis of the necessity and proportionality of the proposed processing, the risks it poses to individuals, and the measures in place to mitigate those risks. 

For cross-border transfers, the assessment must also evaluate whether the destination jurisdiction provides equivalent protection, and additional contractual safeguards are required where it does not. Organizations should treat the PIA obligation as ongoing. Changes to systems, vendors, or data flows may each trigger a fresh assessment.

Data Breach Notification

Law 25 uses the term "confidentiality incident" to describe what most privacy frameworks call a data breach. The category covers unauthorized access to personal information, unauthorized use or disclosure, loss of personal information, and any other failure to protect it adequately. 

The obligation to act arises once an organization has reason to believe an incident has occurred. Organizations cannot wait for confirmation before beginning their response.

Where the incident presents a "risk of serious injury," the organization must notify both Québec's privacy regulator, the Commission d'accès à l'information du Québec (CAI), and the affected individuals without delay. 

An exception applies only where notification would actively interfere with a law enforcement investigation. Organizations must maintain a register of confidentiality incidents and make it available to the CAI on request.

Learn more about personal data breaches: What they are and how to prevent them

Privacy Policy Requirements

Any organization subject to Law 25 must publish a privacy policy explaining its data practices in plain, accessible language. The policy must cover: 

  • What personal information is collected and through what means
  • Purposes of collection
  • How personal information is used, stored, and shared
  • How long it is retained
  • Who has access to it, including third parties
  • Individuals' rights and how to exercise them
  • Details of any automated decision-making or profiling
  • The title and contact details of the organization's privacy officer

Organizations must also notify individuals of any material amendments to the policy.

Appointment of a Privacy Officer

Law 25 operates a default-appointment mechanism: unless an enterprise formally designates someone else in writing, the most senior person in the organization is automatically treated as the privacy officer responsible for personal information protection. 

This means a CEO bears this responsibility unless they explicitly delegate it. The CAI will treat the most senior executive as accountable if no designation has been made. Private-sector organizations may appoint any individual to the role, including external consultants. 

Public bodies are more constrained. The appointee must be a member of the body, its board of directors, or its management personnel. Public bodies must also notify the CAI in writing of the officer's title, contact information, and start date. 

All organizations must publish the privacy officer's title and contact details on their website in a location visitors can find without difficulty.

When Did Québec Law 25 Come into Effect?

The law was implemented in three annual phases, all of which are now effective.

  • September 22, 2022: The first phase took effect, covering privacy officer appointment, data breach reporting requirements, and the requirement to maintain a confidentiality incident register.
  • September 22, 2023: The majority of the law's substantive provisions became enforceable, including consent requirements, privacy policy transparency obligations, the right to erasure, privacy impact assessments, and individual access and correction rights.
  • September 22, 2024: The final provision — the right to data portability — came into effect, completing the rollout.

With all provisions now fully in force, organizations must meet the law's requirements or risk enforcement action. The CAI has made clear through its enforcement posture that it expects demonstrated compliance, not merely declarations of intent.

Enforcement and Penalties

Québec Law 25 is enforced by the Commission d'accès à l'information du Québec (CAI), which is an independent body with investigative and adjudicative powers. The CAI can initiate investigations on its own motion, respond to individual complaints, and conduct audits and inspections.

The penalty structure is tiered. Administrative monetary penalties are imposed by the CAI directly, and can reach CAD 10 million or two percent of global turnover for the preceding fiscal year, whichever is higher (capped at CAD 50,000 for individuals). 

For serious violations referred for penal prosecution, fines can reach CAD 25 million or four percent of global turnover (capped at CAD 100,000 for individuals). Repeat violations attract double fines at both tiers.

Separately, individuals whose privacy rights are violated may seek civil damages of at least CAD 1,000 per person, and groups of affected individuals may bring collective actions. This right exists independently of any CAI proceeding. An organization can face regulatory investigation and civil litigation simultaneously arising from the same incident.

The CAI has been exercising its enforcement powers under the law. In September 2024, it issued its first formal decision under the amended Law 25 framework, ordering a printing company to stop using facial recognition technology for employee access control. 

The CAI found the collection of facial biometric data unnecessary and disproportionate given less intrusive alternatives were available. Notably, the investigation was self-initiated following the company's mandatory biometric disclosure to the CAI, not prompted by a complaint. 

Organizations deploying automated identification, behavioral analytics, or AI-driven profiling should treat CAI scrutiny as a realistic near-term risk.

Beyond financial penalties, non-compliance risks reputational harm and erodes the trust of customers and website visitors alike.

Québec Law 25 vs. PIPEDA: Key Differences

PIPEDA is Canada's federal privacy law governing personal information used in commercial activities. It sets a national baseline, but provinces may enact their own laws that meet a "substantially similar" threshold. Where that designation applies, PIPEDA withdraws and the provincial law governs in its place for most private-sector activity conducted entirely within that province. 

Alberta, British Columbia, and Québec have all achieved this designation, with Québec's Law 25 representing the most far-reaching of the three. PIPEDA continues to apply to federally regulated industries such as banks, telecoms, and airlines, and governs any transfer of personal information across provincial or national borders.

Compliance with Law 25 will in most instances satisfy PIPEDA's requirements as well, but the reverse is not true. The main differences between the two frameworks are summarized below.

Québec Law 25PIPEDA
ScopeAny enterprise handling personal information of Québec residents; no size thresholdOrganizations collecting personal information in the course of commercial activities
ConsentExplicit, purpose-specific opt-in consent required; no implied consent pathwayHybrid model; implied consent permissible in many low-risk circumstances
CookiesOpt-in consent required before non-essential tracking technologies activateNo opt-in consent requirement for cookies in most circumstances
Individual rightsAccess, correction, erasure, portability, de-indexation, anonymity, and automated decision-making protectionsAccess and correction only
PIAsMandatory in specified circumstancesRecommended but not required
EnforcementCAI can impose direct financial penaltiesOPC can investigate and recommend but cannot impose financial penalties
Private actionStatutory minimum damages of CAD 1,000; collective actions availableNo private right of civil action

Québec Law 25 and the GDPR: What Organizations Already Compliant with European Law Need to Know

Because Law 25 was modeled in significant part on the GDPR, organizations already operating under European data protection rules will find considerable common ground. Consistencies across both laws include: 

  • Requires opt-in consent for personal data processing
  • Imposes data minimization obligations
  • Imposes purpose limitation obligations
  • Grants individuals a comparable suite of rights
  • Empowers regulators with meaningful enforcement authority
  • Applies extraterritorially based on the location of the data subject

For GDPR-compliant organizations, a few differences are worth noting. Law 25 sets no threshold for territorial application. This means that processing the data of even a single Québec resident is sufficient, with no systemic monitoring requirement. 

Law 25 requires a privacy officer in every enterprise without exception, whereas the GDPR requires a DPO only in defined circumstances. Law 25 also provides a direct private right of action, something the GDPR does not. 

On sensitive data, Law 25 takes a contextual approach rather than enumerating fixed special categories, meaning information can become sensitive depending on how it is used, even if it would not ordinarily be classified that way.

For organizations subject to both regimes, the practical approach is to apply the more demanding standard wherever the two diverge, which, on most points, will be Law 25.

Steps to Support Law 25 Compliance Obligations

Meeting the requirements of Québec Law 25 involves several practical steps. While this article is for informational purposes only and does not constitute legal advice, the following actions are broadly applicable to organizations within scope.

  • Designate a privacy officer in writing, publish their title and contact information on your website in a location visitors can find easily, and ensure they have the mandate and resources to oversee compliance. 
  • Audit your consent mechanisms: map every point at which personal information is collected and verify that each collection is supported by clear, purpose-specific, opt-in consent. For websites, this means ensuring no non-essential cookies or tracking scripts load before a visitor has consented. 
  • Conduct a full scan of your website to identify every cookie and tracking technology in use and confirm that non-essential technologies are blocked pending consent. 
  • Conduct privacy impact assessments where required, and document them. 
  • Publish a plain-language privacy policy that covers all mandatory elements, and update it whenever material changes are made to your data practices. 
  • Build clear procedures for responding to access, correction, erasure, portability, and de-indexation requests. 
  • Develop and test a confidentiality incident (data breach) response plan that covers assessment, CAI notification, individual notification, and incident register maintenance. 
  • Identify all flows of personal information outside Québec and establish contractual safeguards where the destination jurisdiction does not provide equivalent protection.

How Cookiebot™ CMP Supports Law 25 Requirements

For most organizations, consent management is the highest-friction compliance requirement under Law 25 and the area where a dedicated tool delivers the greatest practical benefit. 

Cookiebot™ CMP scans your website to detect all cookies and trackers in use, categorizes them, and presents visitors with a clear, purpose-specific consent banner that supports Law 25's opt-in consent requirements. Non-essential technologies are blocked until the visitor has actively consented, meeting the opt-in standard required under Section 8.1.

Cookiebot™ CMP also supports consent withdrawal, making it easy for visitors to change or revoke their preferences at any time through the consent interface. Consent decisions are logged with a timestamp automatically, providing an audit trail that can support your documentation obligations if the CAI requests evidence of your practices or in the event of civil litigation.

For organizations running Google Analytics or Google Ads, Cookiebot™ CMP supports Google Consent Mode natively, enabling consent signals to pass correctly to Google's systems without compromising compliance. 

For organizations subject to both Law 25 and the GDPR, Cookiebot™ CMP handles both within a single consent framework, supporting consistent, multi-jurisdictional compliance from one platform.

This article is for informational purposes only and does not constitute legal advice. Organizations should seek advice from qualified legal professionals regarding compliance with Québec Law 25 and any other applicable data privacy regulations.

Frequently asked questions

Québec Law 25, or formally the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, is a Canadian provincial privacy law that modernizes Québec's data protection framework. 

It requires explicit opt-in consent for data collection and tracking technologies, introduces new individual rights including erasure and portability, and mandates the appointment of a privacy officer. It applies to any organization, anywhere in the world, that handles personal information belonging to Québec residents.

Law 25 applies to any enterprise anywhere in the world that collects, uses, or processes the personal information of individuals residing in Québec. It covers private companies, public bodies, nonprofits, and individuals carrying out an organized economic activity. 

Critically, there is no minimum size threshold, so a small business, sole trader, or nonprofit that handles even a single Québec resident's data is within scope.

Yes. Under Section 8.1 of Law 25, any technology capable of identifying, locating, or profiling individuals, which includes most analytics and advertising cookies, must be inactive by default and activated only after the visitor actively consents. 

If your website is visited by individuals in Québec, you are required to obtain consent before non-essential cookies load, and also provide the right to withdraw such consent.  A consent banner makes it straightforward for visitors to provide such consent and withdraw it at any time.

No. PIPEDA is Canada's federal privacy law and sets a national baseline for commercial data practices. It applies across the whole country. 

Law 25 applies only in the province of Québec, though in most cases within the province it overrides PIPEDA. Law 25 is stricter in every material respect. 

It requires explicit opt-in consent where PIPEDA allows implied consent in many circumstances; it mandates opt-in consent for cookies; it adds individual rights, including erasure, portability, and de-indexation, that PIPEDA does not include; and its regulator can impose direct financial penalties, which PIPEDA's enforcer cannot. 

Compliance with Law 25 will generally satisfy PIPEDA's requirements, but not the other way around.

Yes. Unlike many privacy laws, Law 25 sets no minimum size threshold, so no employee count, revenue floor, or consumer volume. A sole proprietor or small nonprofit that collects personal information from Québec residents falls within scope on the same terms as a large enterprise.

All provisions of Law 25 are now in force. The final requirement, which is the right to data portability, took effect on September 22, 2024. Earlier phases covering privacy officer appointment, data breach notification, consent requirements, privacy policies, and privacy impact assessments became effective between September 2022 and September 2023.

Administrative penalties can reach CAD 10 million or two percent of global annual turnover, whichever is higher. For serious violations, penal fines can reach CAD 25 million or four percent of global turnover. 

Repeat violations attract double fines. Individuals face separate caps of CAD 50,000 (administrative) and CAD 100,000 (penal). Affected individuals may also seek civil damages of at least CAD 1,000 per person and may pursue collective action.

Yes. Law 25 applies to personal information about any natural person, including employees. Organizations must handle employee data in compliance with the law's consent, transparency, and security requirements, and employees have the same rights as consumers with respect to their personal information.

Law 25 uses the term "confidentiality incident" to mean any unauthorized access, use, disclosure, or loss of personal information. So a common term for it under other laws would be a data breach.

Where such an incident presents a risk of serious injury to affected individuals, the organization must notify both the CAI and those individuals without delay, and must maintain a register of incidents.

Yes. Every enterprise subject to Law 25 must have a designated privacy officer. If no one is formally appointed in writing, the law automatically treats the most senior person in the organization as the privacy officer. The officer's title and contact details must be published on the organization's website.

A privacy impact assessment (PIA) is a structured analysis of the privacy risks posed by a new or modified information system, a cross-border data transfer, or the sharing of personal information for research purposes. 

Law 25 makes PIAs mandatory in those three situations. The assessment must evaluate the necessity and proportionality of the processing and document measures taken to address identified risks.