Skip to content

Quebec's Law 25 (Bill 64)

An overview of Quebec's Law 25 modernizing privacy protection for organizations in the province.

Apidly TeamFebruary 19, 2026
quebeccanadalaw-25

Overview

Quebec's Law 25, originally introduced as Bill 64, is a comprehensive modernization of the province's privacy framework. Passed in September 2021, it amends both the Act Respecting the Protection of Personal Information in the Private Sector and the Act Respecting Access to Documents Held by Public Bodies. The law was implemented in three phases, with full enforcement effective September 2024.

Law 25 brings Quebec's privacy regime closer to the standards set by GDPR while maintaining distinctly Canadian characteristics. It significantly strengthens individual rights, introduces mandatory breach notification, and imposes substantial penalties for non-compliance.

Who Does It Apply To?

Law 25 applies to:

  • All private-sector organizations that collect, hold, use, or communicate personal information in Quebec, regardless of their size
  • Public bodies and government agencies operating in Quebec
  • Organizations outside Quebec that collect or process personal information of Quebec residents
  • Any entity that uses technology to profile, track, or identify Quebec residents

Unlike some privacy laws that include revenue or data volume thresholds, Law 25 applies broadly to all organizations with no minimum size exemption. Even small businesses operating in Quebec must comply.

Key Requirements

Privacy Officer Designation

Every organization must designate a person responsible for the protection of personal information. By default, this responsibility falls on the highest-ranking person in the organization. The title and contact information of the privacy officer must be published on the organization's website.

Privacy Impact Assessments

Organizations must conduct privacy impact assessments (PIAs) before:

  • Launching any project involving the collection, use, or disclosure of personal information
  • Transferring personal information outside Quebec
  • Implementing new information systems or electronic service delivery

Consent Requirements

Law 25 introduces strict consent standards:

  • Consent must be requested for each specific purpose, separately from any other information
  • Consent requests must be presented in clear, simple language
  • Express consent is required for sensitive personal information
  • Consent must be obtained before collecting personal information from minors under 14

Breach Notification

Organizations must notify the Commission d'accès à l'information (CAI) and affected individuals when a confidentiality incident presents a risk of serious injury. A register of all incidents must be maintained.

Automated Decision-Making

When decisions are made exclusively by automated processing, organizations must:

  • Inform the individual that the decision was made by automated means
  • Provide an opportunity for the individual to submit observations to a human decision-maker
  • Allow the individual to request a review of the automated decision

Individual Rights

Law 25 grants Quebec residents the following rights:

  • Right to access: Individuals can request access to all personal information held about them
  • Right to rectification: Individuals can request correction of inaccurate or incomplete personal information
  • Right to deletion: Individuals can request the destruction or anonymization of their personal information when it is no longer necessary for the purposes of collection
  • Right to data portability: Individuals can request a copy of their personal information in a structured, commonly used technological format
  • Right to withdraw consent: Individuals can withdraw consent at any time
  • Right to be informed about automated decisions: Individuals must be told when automated decision-making is being used and can request human review

Enforcement and Penalties

The Commission d'accès à l'information (CAI) oversees enforcement of Law 25 with expanded powers:

  • Administrative monetary penalties: Up to $10 million CAD or 2% of worldwide turnover, whichever is greater
  • Penal fines: Up to $25 million CAD or 4% of worldwide turnover for the most serious violations
  • Private right of action: Individuals can sue for damages resulting from privacy violations
  • Order-making power: The CAI can issue orders requiring organizations to comply with specific obligations

These penalties represent a dramatic increase from the previous regime and place Quebec among the strictest privacy jurisdictions in North America.

How Apidly Helps

Apidly provides targeted support for Law 25 compliance:

  • Privacy impact assessment templates guide you through the required PIA process for new projects and data transfers outside Quebec
  • Consent management ensures consent is collected separately for each purpose with clear, simple language as required by Law 25
  • Automated decision-making transparency helps you document and disclose when automated processing is used in decision-making, and manage requests for human review
  • Breach incident management streamlines notification to the CAI and affected individuals, and maintains the required incident register
  • Data portability tools enable you to respond to portability requests by exporting personal information in structured, machine-readable formats