Quebec Law 25: Consent and Privacy Requirements Explained

Quebec Law 25 explained: phased 2022 to 2024 deadlines, consent rules, mandatory privacy officer duties, and penalty tiers reaching $25 million.


by Riad Us Salehin • 4 July 2026


Quebec Law 25 requires businesses to modernize how they handle personal data. It overhauled Quebec's private-sector privacy act with explicit consent rules, a mandatory privacy officer, breach reporting, and penalties reaching $25 million. The rules phased in across three deadlines from 2022 to 2024.

It applies to any organization that handles the personal information of people in Quebec, even one based outside the province. Widely called the strictest privacy law in Canada, it has been fully in force since September 2024.

What Is Quebec Law 25?

Law 25, also called Loi 25 and formerly known as Bill 64, is Quebec's modernized private-sector privacy statute. It is formally the Act respecting the protection of personal information in the private sector (P-39.1, amended by 2021, c. 25). It gives Quebec residents control over their personal data and imposes governance, consent, and reporting duties on any organization that handles it.

Law 25 is the first comprehensive, GDPR-style private-sector privacy reform in Canada. It was modeled in part on the European Union's data protection framework and covers both private businesses and public bodies operating in Quebec. It sits within the broader landscape of data privacy laws reshaping how businesses handle personal information. Quebec's privacy regulator enforces the law and receives confidentiality incident reports.

When Did Law 25 Take Effect? (The Phased Rollout)

Law 25 was adopted on September 22, 2021, and rolled out in three annual phases through 2024. Each phase added a distinct set of obligations rather than taking effect all at once.

  1. September 22, 2022: designate a privacy officer, report confidentiality incidents to the CAI and affected individuals, maintain a confidentiality incident register, run privacy impact assessments (PIAs) for certain disclosures, and notify the CAI before using biometric identification.
  2. September 22, 2023: publish a governance policy on personal information protection, meet transparency and explicit-consent obligations, apply privacy-by-default settings to technological products, honor the right to be forgotten, follow the new rules for minors under 14, and destroy or anonymize personal information once its collection purpose ends.
  3. September 22, 2024: respond to data portability requests, giving individuals their personal information in a structured, commonly used technological format.

Every provision of Law 25 has been in force since September 22, 2024. A business setting up compliance today must meet all three phases at once, not just the most recent one.

Who Has to Comply with Law 25?

Any public body or private enterprise that collects, holds, uses, or communicates the personal information of people in Quebec has to comply with Law 25. Organization size and location do not matter.

The law covers both customers and employees. It also reaches out-of-province and foreign businesses. An online store in Ontario or the United States that handles a Quebec customer's data is in scope, the same as a Montreal company.

There is no small-business size carve-out. A single-person consulting business collecting client contact details in Quebec carries the same core consent and disclosure duties as a large enterprise. Some obligations, like appointing a formal privacy officer, simply apply more lightly for a one-person operation.

What Are the Consent and Privacy-by-Default Rules Under Law 25?

Law 25 requires clear, free, informed, and purpose-specific consent before an organization collects, uses, or shares personal information. Consent must be requested separately for each distinct purpose, in plain language, and "opt-out" collection models are largely banned in favor of explicit opt-in.

Organizations offering a technological product or service with privacy settings must configure those settings to the highest level of confidentiality by default. The visitor should not have to change anything. This privacy-by-default duty took effect September 22, 2023.

Privacy-by-default does not apply to browser cookie settings. Section 9.1 of Law 25 explicitly carves browser cookies out of this rule. Cookies instead fall under the general consent standard that governs all personal information, not a separate default-setting mandate.

Cookie and Tracking-Technology Consent

Non-essential cookies and trackers, including analytics, advertising, and profiling technology, need explicit opt-in consent from a Quebec visitor before they load. A banner that pre-checks boxes or relies on "by continuing to browse, you accept" does not meet Law 25's consent bar.

The statute does not list specific cookie types. Any tracking technology that identifies or profiles a visitor falls under the same clear, free, informed, and specific standard as any other personal information.

What Does Law 25 Require Businesses to Do?

Covered organizations carry a consistent set of core duties under Law 25. The main obligations are as follows.

  • Appoint a privacy officer and publish that person's title and contact details.
  • Publish a governance policy describing how the organization protects personal information.
  • Obtain valid consent and post a clear, plain-language privacy notice.
  • Run privacy impact assessments before technology projects that involve personal information and before transferring personal information outside Quebec.
  • Report confidentiality incidents that risk serious injury to the CAI and to affected individuals, and keep an incident register.
  • Destroy or anonymize personal information once the purpose it was collected for is fulfilled.
  • Honor individual rights, including access, correction, portability, and deletion requests.

Appoint a Privacy Officer

By default, the person with the highest authority in the organization automatically becomes the privacy officer responsible for compliance. In a small business, that is often the CEO. The role can be delegated in writing to someone else. The organization must still publish the officer's title and contact information on its website.

Run a Privacy Impact Assessment (PIA)

A privacy impact assessment is a documented review an organization must complete before launching a technology project that collects or uses personal information. The same review is required before transferring personal information outside Quebec.

The assessment evaluates the risks to the individuals involved and the safeguards in place. For cross-border transfers, it must also confirm the destination offers protection equivalent to what the information receives inside Quebec.

What Rights Does Law 25 Give Individuals?

Law 25 gives Quebec residents broad, GDPR-style rights over their personal data. These rights include the following.

  • Right to be informed: know why personal information is collected, how it is used, and who it is shared with.
  • Right of access: request a copy of the personal information an organization holds.
  • Right to correction: fix inaccurate or incomplete personal information.
  • Right to data portability: since September 22, 2024, receive personal information in a structured, commonly used technological format.
  • Right to withdraw consent: stop an organization from using previously consented-to personal information.
  • Right to be forgotten: request the cessation of dissemination, re-indexation, or de-indexation of information that causes serious injury to reputation or privacy.
  • Special protection for minors under 14: their personal information cannot be collected without parental or guardian consent, unless the collection is clearly for the minor's benefit.

Data portability applies to an individual's own personal data, not to unrelated business assets. A Reddit thread in r/canadasmallbusiness shows the boundary in practice. A consultant invoked Law 25's data-portability right to push a vendor to hand over a client's website. Another commenter correctly pointed out that the right covers structured exports of personal data, not the transfer of a built asset like a website itself.

What Are the Penalties for Breaking Law 25?

Law 25 carries two-tier penalties enforced by the Commission d'accès à l'information du Québec (CAI), among the steepest privacy penalties in Canada.

Penalty tierNatural personOrganization
Administrative monetary penalty (imposed directly by the CAI)Up to $50,000Up to $10 million or 2% of worldwide turnover, whichever is greater
Penal (offence) fine (prosecuted through the courts)$5,000 to $100,000$15,000 to $25 million or 4% of worldwide turnover, whichever is greater

Penal fines can double for repeat offences. Beyond the two regulatory tiers, individuals have an independent private right of action. A court must award punitive damages of not less than $1,000 when an infringement of the law is intentional or results from gross negligence.

How Is Law 25 Different from PIPEDA?

Law 25 is Quebec's provincial privacy law and generally requires express, purpose-specific consent. PIPEDA, Canada's federal privacy law, often permits implied consent in ordinary commercial transactions.

AttributeLaw 25PIPEDA
JurisdictionProvincial (Quebec)Federal
Consent standardExpress, purpose-specific consent for most collectionImplied consent accepted in many commercial contexts
Who it covers in QuebecThe primary framework for organizations handling Quebec residents' dataApplies to federally regulated industries and cross-border or interprovincial activity
Maximum penalty$25 million or 4% of worldwide turnoverAdministrative penalties up to $100,000 CAD per violation

The federal Office of the Privacy Commissioner of Canada has deemed Quebec's private-sector law "substantially similar" to PIPEDA. Organizations subject to Law 25 are therefore generally exempt from PIPEDA for activity that happens within Quebec. PIPEDA still governs federally regulated businesses, such as banks and telecommunications companies, plus any personal information that crosses provincial or international borders.

How Is Law 25 Different from the GDPR?

Law 25 was modeled in part on Europe's GDPR. The two frameworks are closely aligned on individual rights, but they diverge on a few specific points.

AttributeLaw 25GDPR
Age requiring parental consentUnder 14Typically 16 (varies by EU member state, as low as 13)
Privacy impact assessmentsRequired proactively for technology projects and cross-border transfersRequired only when processing is likely to pose a "high risk"
Private right of actionIndependent right to punitive damages, minimum $1,000Compensation available, but no equivalent statutory minimum

Both laws give individuals rights to access, correct, and port their data. Both hold organizations accountable through active regulatory enforcement rather than self-certification.

A business that already runs GDPR cookie consent workflows has a head start on Law 25's explicit-consent bar. Still, the two laws are not interchangeable compliance programs.

How Consently Helps You Meet Law 25's Consent Requirements

Consently supports the consent and disclosure side of Law 25 with an explicit opt-in consent banner and automatic cookie blocking. Non-essential trackers wait for a Quebec visitor's clear consent before they load.

The banner uses the same GDPR-style opt-in model that matches Law 25's express-consent standard. Consently's cookie consent solution blocks scripts, cookies, and iframes until a visitor actively agrees.

Two features back the paper trail Law 25 expects. Consent logs with export give you a timestamped record of who consented and when, useful evidence if the CAI ever asks. The cookie, privacy, and terms and conditions policy generators produce the plain-language privacy notice the law requires. Multi-language banners help too, since a Quebec-facing site often serves visitors in both French and English.

Consently supports Law 25 consent workflows; it does not make your site "Law 25 compliant" on its own. Appointing a privacy officer, running privacy impact assessments, and responding to data-portability or right-to-be-forgotten requests are obligations your business meets through its own processes. The policy generators provide compliance assistance, not legal advice.

Try Consently free with a 14-day trial, no credit card required, and set up a Law 25-ready consent banner before your next Quebec visitor arrives.

FAQs

What is Quebec Law 25 in simple terms?

Quebec Law 25 is a provincial privacy law, formerly Bill 64, that modernizes the rules for handling personal data. It requires clear, explicit consent for most data collection in Quebec.

When did Law 25 come into effect?

Law 25 was adopted on September 22, 2021, and rolled out in three phases: September 22, 2022, September 22, 2023, and September 22, 2024.

Who has to comply with Quebec Law 25?

Any public body or private business that handles the personal information of people in Quebec has to comply, including out-of-province and foreign companies. It covers both customers and employees.

Does Law 25 require explicit consent for cookies?

Yes. Non-essential cookies and trackers need explicit opt-in consent before they load. Implied consent or pre-checked boxes do not meet Law 25's standard.

What are the penalties for violating Law 25?

The CAI enforces two tiers. Administrative monetary penalties reach $10 million or 2% of worldwide turnover. Penal fines reach $25 million or 4% of worldwide turnover. A private right of action for punitive damages exists as well.

Is Law 25 the same as PIPEDA?

No. PIPEDA is Canada's federal baseline and often allows implied consent, while Law 25 is Quebec's stricter provincial law that generally requires express, purpose-specific consent.

Is Law 25 the same as the GDPR?

No, but it is closely modeled on the GDPR. Key differences: the age requiring parental consent is under 14 in Quebec, and Quebec's privacy impact assessment requirements run broader and more proactive.

Does Law 25 apply to businesses outside Quebec?

Yes. A business based elsewhere that collects, uses, or shares Quebec residents' personal information is in scope, such as an online store with Quebec customers.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.