Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64) applies to any business handling data about Quebec residents. It is stricter than PIPEDA — and fully in force since September 2023.
Required before any new project involving personal information, especially technology projects. Must evaluate risks and document mitigations.
Maintain a written register of all personal information your business holds — what it is, where it is stored, who can access it, and how long you keep it.
Sensitive personal information (health, financial, biometric, etc.) requires explicit and specific consent — implied consent is not sufficient.
Individuals can request their personal information in a structured, commonly-used technological format. You must be able to provide it.
Individuals can request deletion of their personal information when no longer necessary for its original purpose.
Written agreements required with every third party that handles personal information on your behalf — including cloud providers, accountants, and IT vendors.
Notify the Commission d'accès à l'information du Québec (CAI) within 72 hours of discovering a breach involving personal information.
Privacy policies and notices must be available in French for Quebec residents and customers.