How to Comply With Quebec Law 25: Step-by-Step Guide

Comply with Quebec Law 25 in seven steps: privacy officer, PIA, express consent, policies, a blocking banner, incident register, and data rights.


by Riad Us Salehin • 5 July 2026


To comply with Quebec Law 25, appoint a privacy officer and map your personal information. Get express consent before collecting it. Publish a Law 25 privacy and cookie policy, and run a consent banner that blocks tracking until visitors agree. Log every choice, keep an incident register, and honour access, deletion, and portability requests. It is a doable project for any business that handles the personal information of people in Quebec, whatever its size.

What Is Quebec Law 25 and Who Must Comply? (Quick Answer)

Quebec Law 25, adopted as Bill 64, modernizes the Act Respecting the Protection of Personal Information in the Private Sector (P-39.1). It applies to every enterprise that carries on activity in Quebec and collects, holds, uses, or communicates personal information. This covers customers and employees alike, regardless of the business's size or physical location.

Law 25 does not exempt small businesses or sole proprietors. A single-employee shop that collects customer emails in Quebec carries the same core obligations as a large retailer. The law also reaches businesses based entirely outside Quebec. A developer in another province who deploys a site collecting Quebec residents' data falls under Law 25. The trigger is the data subject's location, not the business's.

For the global context, see how the world's privacy laws compare. If you serve visitors in multiple jurisdictions, the full cookie-compliance walkthrough covers every major law in order.

When Did Quebec Law 25 Take Effect? The 2022 to 2024 Phases

Law 25 came into force in three annual waves, each adding a distinct set of obligations. The phased rollout means a business that only handled the first wave is not yet compliant with the later two.

Effective dateObligations that began
September 22, 2022Appoint a privacy officer; establish confidentiality-incident protocols and a register; follow new rules for sharing personal information without consent
September 22, 2023Express, informed, opt-in consent; a governance policy on retention, destruction, and complaints; privacy impact assessments where required; cross-border transfer assessments; de-indexation rights; privacy by default for technological products; monetary penalties in force
September 22, 2024Respond to data-portability requests in a structured, machine-readable format

Every phase remains active today. A business that only completed the 2022 requirements still lacks express consent, the PIA obligation, and the portability response process. Those are the provisions the CAI enforces most.

What You Need Before You Start

The prerequisite most businesses skip is a complete inventory of the personal information they actually hold and where it flows. Without that inventory, every later step, from consent design to the incident register, starts from guesswork.

Before you begin, line up:

  • Roles: the person who will serve as privacy officer (often the owner or CEO by default) and whoever manages the website or app.
  • Time: a few weeks for a small business with a simple website; longer for organizations handling sensitive data, multiple systems, or cross-border transfers. Most of the time goes to the data inventory and policy drafting, not the banner install.
  • Inputs: a data inventory (what personal information you collect, why, and where it goes), your current privacy and cookie policies if any exist, and a list of the third-party scripts and trackers running on your site.
  • Tools: a consent management tool and a cookie scanner. Any credible option works at this stage; the specific tool choice comes later.

Step 1: Appoint a Privacy Officer

The privacy officer is the person accountable for how your organization handles personal information under Law 25. By default, that responsibility falls to the person with the highest authority in the organization, typically the CEO or owner. They can delegate it in writing to someone else instead.

The privacy officer's contact information must be published so individuals and the Commission d'acces a l'information (CAI) can reach them. Responsibilities include:

  • Overseeing the data inventory and any required privacy impact assessments
  • Maintaining the confidentiality-incident register
  • Responding to access, correction, and portability requests
  • Acting as the point of contact for CAI inquiries

Skipping a written delegation does not remove the obligation. It just means the CEO holds it by default and may not know it.

Step 2: Map the Personal Information You Collect and Run a PIA Where Required

Before you can protect personal information, you need to know exactly what you collect and why. Map where it lives, who you share it with, and where it goes, including outside Quebec. This inventory is the foundation every other step builds on.

Run a Privacy Impact Assessment (PIA) before:

  1. Communicating personal information without consent for study, research, or statistical purposes
  2. Disclosing personal information outside Quebec
  3. Undertaking high-risk processing: large-scale collection, profiling, biometric data, or new technology such as AI, IoT, or facial recognition

A PIA documents the risks a given use of personal information creates. It also records the measures you take to reduce them. There is no retroactive requirement to run a PIA on a project completed before the applicable date. Any new project or system change after September 2023 needs one when it meets these triggers.

Cross-border transfers get their own layer of scrutiny. Before sending personal information to another province or country, assess whether the recipient's privacy protection matches Quebec's standard.

Step 3: Update Your Consent to Express, Opt-In Consent

Law 25 requires consent that is clear, free, informed, specific to each purpose, and given through a positive act. A pre-checked box does not count as consent. Bundling multiple purposes under one blanket checkbox does not count as purpose-specific consent either. This is stricter than PIPEDA, the federal law, which allows implied consent in many commercial contexts. PIPEDA assumes consent to use an email address for order fulfillment once a customer provides it at checkout, for example.

Free consent also means visitors cannot be forced into accepting cookies to use your site. A "accept cookies or create an account to continue reading" wall fails the free-consent test, because the visitor has no real option to decline. If your site currently blocks content behind a cookie-acceptance wall, that setup needs to change.

A consent management platform captures this express, opt-in consent at the moment a visitor lands on your site and records the choice as proof. Consently's opt-in banner template supports only explicit consent, with no implied or scroll-based option, which matches Law 25's stricter standard directly. Every choice is timestamped and logged.

Step 4: Publish a Law 25 Privacy Policy and Cookie Policy

Publish a clear, accessible privacy policy. State what personal information you collect, why, how long you keep it, and what rights individuals have. Add how to reach your privacy officer and whether data moves outside Quebec. Publish a cookie policy that lists the trackers your site actually uses. Both documents should use plain language, and French where your audience requires it.

If you do not have these documents yet, a policy generator can produce editable cookie and privacy policy drafts from a guided workflow. Consently's generators start from your site's own detected trackers and data practices. The output is a starting draft, not a finished legal document. Review it against your specific Law 25 obligations before publishing, and treat generator output as compliance assistance rather than legal advice.

Step 5: Deploy a Consent Banner That Blocks Tracking Until Visitors Agree

This is the website heart of Law 25 compliance. Scan every cookie and tracker on your site, and block the non-essential ones before consent. Show visitors a banner with an accept option and a reject option that are equally easy to use, and log every choice as proof.

To deploy a compliant banner:

  1. Scan the site for cookies, trackers, scripts, and iframes, including ones added by third-party embeds
  2. Configure auto-blocking so non-essential items stay off until the visitor consents
  3. Set the banner to privacy-by-default, meaning the strictest confidentiality setting is the starting point, not an opt-in extra
  4. Give visitors an equally weighted accept and reject button, with no dark-pattern styling that makes reject harder to find
  5. Add a preference center for granular category-level choices
  6. Show Quebec visitors the correct consent model automatically based on their location
  7. Log every consent decision with a timestamp

Law 25 is more explicit than the GDPR on this last point. Hiding the reject button or making a site unusable without accepting cookies undermines the "free" consent the law requires. The reject option needs equal visual weight to accept.

Consently scans your site for cookies, trackers, scripts, and iframes, then auto-blocks the non-essential ones until a visitor consents. It displays an opt-in banner with equal-weight accept and reject buttons plus a preference center. Automatic geotargeting shows Quebec visitors the correct consent model, and every choice is stored in a consent log as proof. Consently does not detect browser-level Global Privacy Control signals, so that specific signal type is not part of its blocking logic today.

For the general mechanics of adding a banner to any site, see how to add a cookie banner. For the deeper checklist of what a compliant banner must do, see what a compliant consent banner must do.

Step 6: Set Up a Confidentiality Incident Register and Breach Process

Law 25 calls a data breach a "confidentiality incident," and every organization must keep a register of them, whether or not the incident triggers notification. The register documents what happened, when, and what you did about it.

When an incident creates a risk of serious injury:

  1. Take reasonable measures immediately to reduce the risk
  2. Notify the CAI using the required form
  3. Notify the affected individuals
  4. Record the incident, your response, and the outcome in the register

Keep the register current even for incidents that do not meet the notification threshold. The CAI can request a copy at any time, and an incomplete register is itself a compliance gap.

Step 7: Honour Access, Correction, De-Indexation, and Data Portability Requests

Individuals can ask to access their personal information and correct inaccuracies. They can request de-indexation: that you stop disseminating information that violates the law or causes them injury. Since September 22, 2024, they can also receive their personal data in a structured, machine-readable format such as CSV or JSON.

Data portability applies only to computerized personal information collected directly from the individual. It does not cover paper records. It also does not cover data your organization inferred or derived, such as a credit score or a behavioral profile built from browsing activity. You generally have about 30 days to respond to a request, though extensions apply for genuinely complex extractions. You can offer a written transcript instead of a structured file when a technological format raises serious practical difficulties.

This right is not a mechanism for transferring a website or a business asset. It only covers a person's own personal data, delivered to them or, at their request, to another authorized organization. Build a simple intake process for these requests. Name a person accountable for responding within the deadline, and keep a record of each request's resolution.

What Are the Penalties for Breaking Quebec Law 25?

Quebec Law 25 penalties run up to C$25 million or 4% of worldwide turnover, whichever is greater. Enforcement has been active since September 22, 2023. The CAI applies a three-tier structure: administrative penalties, penal fines, and a private right of action for affected individuals.

Penalty typeMaximum amountNotes
Administrative monetary penalty (AMP)C$10 million or 2% of worldwide turnover, whichever is greaterIssued directly by the CAI for violations such as inadequate security measures or improper handling of personal information
Penal fineC$25 million or 4% of worldwide turnover, whichever is greaterDoubles for repeat offenses; individuals acting as directors face fines from C$5,000 to C$100,000
Punitive damages (private right of action)Minimum C$1,000 per affected individualAvailable when an intentional or grossly negligent breach causes harm; can escalate through class-action claims

These figures are not theoretical ceilings sitting unused. The CAI has had enforcement power since September 2023, and the private right of action lets individuals sue directly, independent of any CAI action.

Common Quebec Law 25 Compliance Mistakes to Avoid

The most damaging mistake is treating Law 25 as "GDPR-lite" and reusing an implied-consent setup built for a different law. Law 25 requires express, opt-in consent, and an implied-consent banner does not meet that bar.

  1. Using a cookie wall that forces acceptance. Blocking site content or requiring login unless a visitor accepts cookies fails the free-consent test. Consequence: the resulting consent is invalid, and it invites a complaint. Remedy: let visitors freely reject non-essential cookies without losing access to the core content.
  2. Pre-checking consent boxes or bundling purposes. A pre-checked box is not a positive act, and bundling several purposes under one checkbox is not purpose-specific consent. Consequence: the consent record does not hold up under review. Remedy: require a separate, unchecked, positive action for each distinct purpose.
  3. Loading analytics or advertising scripts before consent. Firing Google Analytics or a Meta Pixel on page load, before the visitor responds to the banner, is collection without consent. Consequence: every visit before consent is an unauthorized collection event. Remedy: block non-essential scripts until the visitor actively agrees.
  4. Stopping at the banner and skipping the organizational duties. Installing a consent banner and considering the job done leaves the privacy officer, PIA, and incident-register obligations untouched. Consequence: partial compliance that still exposes the business to the AMP and penal-fine regime. Remedy: complete Steps 1, 2, and 6 alongside the website work.
  5. Assuming the law does not apply because the business is outside Quebec. Law 25 attaches to where the data subject is, not where the business operates. Consequence: an unaddressed legal obligation the business did not know it carried. Remedy: if your site or app collects personal information from Quebec residents, treat Law 25 as applicable regardless of where you are based.

How Consently Helps With the Website Side of Law 25

Consently handles the website and consent portion of Law 25 compliance. It scans and blocks trackers before consent, and shows Quebec visitors a compliant opt-in banner with equal-weight accept and reject. It records every choice as proof and generates editable cookie and privacy policy drafts.

The organizational duties remain the business's responsibility. No consent tool appoints a privacy officer, runs privacy impact assessments, keeps the confidentiality-incident register, or fulfills data-portability requests for business records. Consently is the tooling for the consent and banner layer, not a replacement for the compliance program those steps build.

FAQs

Does Quebec Law 25 apply to businesses outside Quebec?

Yes. Law 25 applies to any organization that collects, holds, uses, or communicates the personal information of people in Quebec. This holds regardless of where the business itself is located or incorporated.

Is Law 25 the same as GDPR?

No. Law 25 shares similar principles with the GDPR, such as consent and privacy by default. It is its own Quebec statute with its own penalty scheme. It is also stricter than the GDPR on some points, including the requirement for an equally weighted decline button.

What is the difference between PIPEDA and Law 25?

PIPEDA is federal law and permits implied consent in many commercial contexts, such as assuming consent when a customer provides an email at checkout. Law 25 generally requires express, purpose-specific, opt-in consent for each use.

Do I need a cookie banner to comply with Law 25?

You need valid, documented consent before non-essential trackers load on your site. A compliant consent banner is the standard, practical way to obtain and log that consent.

Can I block my website content until visitors accept cookies?

No. Forcing acceptance as a condition of access undermines the free consent Law 25 requires. Let visitors refuse non-essential cookies without losing access to your site's core content.

Does Law 25 apply to a small business or sole proprietor?

Yes. There is no small-business exemption. If you handle personal information of people in Quebec, the same core obligations apply regardless of your size.

How much are Law 25 fines?

Administrative monetary penalties reach C$10 million or 2% of worldwide turnover. Penal fines reach C$25 million or 4% of worldwide turnover, doubling for repeat offenses. A private right of action carries a minimum of C$1,000 in punitive damages per affected individual.

When does the Law 25 data portability right take effect?

September 22, 2024. Individuals can request their personal data in a structured, commonly used, machine-readable format, and the request applies only to computerized data collected directly from them.

Do I need consent to use Google Analytics under Law 25?

Yes. Analytics cookies are non-essential. Get consent before they load, and block them until the visitor agrees.

Consently handles the website side of Law 25. It scans and blocks trackers before consent, shows Quebec visitors a compliant opt-in banner, keeps the consent record, and generates cookie and privacy policy drafts. The organizational duties stay with your business: appointing a privacy officer, running PIAs, and keeping the incident register. Start your free 14-day trial to see the website-side setup in your own dashboard, no credit card required.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.