Comply with Quebec’s Law 25 – The New GDPR of Canada

Quebec’s Law 25 (formerly Bill 64) imposes strict privacy rules and heavy fines up to 4% of worldwide revenue. Vault helps you achieve compliance by mapping data flows, verifying consent in French and English, and documenting everything so you can conduct business in Quebec with confidence.

Solutions for Quebec Law 25

The High Price of Non-Compliance in Quebec

Quebec’s Law 25 combines GDPR-style fines, active enforcement, and executive responsibility: possible criminal charges and fines up to CAD $100,000. Vault transparently tests your systems for adherence to Quebec’s consent and disclosure requirements, catching issues before the CAI, Quebec’s regulator, does.

GDPR-Level Fines in Quebec

Law 25 introduced penalties up to CAD $10 million or 2% of worldwide turnover for administrative offenses, and up to CAD $25 million or 4% of turnover for serious offenses.

Major Provisions Took Effect Sept 2023

Organizations must now have privacy policies and governance programs, conduct DPIAs (Data Protection Impact Assessments) for high-risk projects, and honor new individual rights.

Minimum Fines and Repeat Offenses

Quebec’s Law 25 sets a minimum fine of CAD $15,000 for violations, with fines doubling for repeat offenses. Even minor infractions could start at five figures and escalate.

How Vault JS Supports Quebec Law 25 Compliance

Privacy Risk Visibility for Digital Tracking

Reveal how tracking technologies collect and transmit personal data.

Bilingual Consent & Notice Verification

Ensure consent is clear and compliant in both French and English.

Consent Compliance Monitoring

Identify scripts and trackers that ignore or bypass consent settings.

Data Transfer & Localization Alerts

Monitor data flows leaving Quebec.

Real-Time Policy Violation Alerts

Alert teams when trackers or scripts violate defined privacy rules.

Key Law 25 Compliance Capabilities

How we manage risk in a changing environment

Geo-Targeted Scanning

Vault’s Geo-Targeted Scanning simulates user access from Quebec to verify that localized consent flows, French-language disclosures, and data-handling align with Law 25 requirements, helping you demonstrate region-specific compliance and enforcement readiness.

Consent Recordkeeping

Vault provides your team with defensible audit trails aligned with Quebec’s Law 25, supporting accountability and proof of lawful data processing.

Quebec-specific Tracker Risk Database

Vault’s Tracker Risk Database classifies cookies, pixels, and third-party scripts in accordance with Law 25 risk standards, highlighting cross-border transfers and sensitive data exposure to support informed consent and compliance decisions.

French Language Compliance Check

With Vault’s French Language Compliance Check, you get verification that privacy notices, consent banners, and data disclosures are presented clearly in French, as required under Quebec’s Law 25.

Data Retention and Minimization Insights

Vault analyzes how long personal information is retained and whether collected data aligns with stated purposes, helping you meet Quebec’s Law 25 requirements for data retention, collection, and lifecycle management.

Frequently Asked Questions

Yes. Quebec’s Law 25 applies to any organization that collects, uses, or processes personal information of individuals located in Quebec, even if the company itself is based elsewhere. If your website or mobile app targets Quebec residents, offers them products or services, or monitors their behavior, the law may apply.

Penalties can be significant. Administrative monetary penalties can reach up to CAD $10 million or 2% of worldwide turnover, whichever is greater. Penal fines for more serious violations can rise to CAD $25 million or 4% of worldwide turnover, whichever is greater. The law also introduces a private right of action in certain cases, allowing individuals to seek damages for unlawful handling of their personal information.

It is similar, but not identical. Like the GDPR, Law 25 includes strong consent requirements, enhanced transparency, data minimization, privacy-by-design, impact assessments, and significant monetary penalties. However, Law 25 applies specifically to organizations’ handling of personal information of individuals in Québec, and some procedural requirements differ from the GDPR’s framework in their specifics.

Yes, accountability is a core requirement under Law 25. You must be able to demonstrate that consent was obtained in a clear, free, informed, and specific manner. While the law does not prescribe a single technical method, you should maintain records showing when consent was collected, what disclosures were presented, and what the user agreed to. In practice, that means maintaining defensible consent logs and being able to produce evidence if the CAI regulator requests it.

Under Law 25, personal information is considered “sensitive” when, due to its nature or context of use, it carries a high expectation of privacy. This can include health information, biometric data, financial details, government identifiers, precise geolocation, and information about minors. Data revealing racial or ethnic origin, religious beliefs, or sexual orientation may also be considered sensitive, depending on context, and may require clear, explicit consent and heightened safeguards before it is collected, used, or disclosed.

You don’t need a completely separate policy, but Law 25 requires that privacy notices be clear, accessible, and provided in French. In practice, many organizations either maintain a bilingual (French/English) privacy policy or create a Québec-specific version that reflects Law 25 disclosures and rights. You must also include required elements, such as the identity of the person responsible for personal information, user rights (access, rectification, and withdrawal of consent), data retention practices, and disclosures for cross-border transfers.

Vault simulates user access from Quebec to confirm that privacy notices, consent banners, and key disclosures are presented in French as required under Law 25. Vault verifies that French-language content loads appropriately based on location and user experience and compares the French disclosures to observed tracking and data behavior, helping ensure that what is stated in French accurately reflects real-world practices, reducing language-based compliance risk.

Quebec’s Law 25 requires organizations to designate a person responsible for personal information, often referred to as a privacy officer. By default, this responsibility rests with the CEO unless formally delegated in writing. Vault does not replace the privacy officer role, but it supports it. Our platform provides visibility into data flows, consent enforcement, and tracking behavior, along with audit-ready documentation and compliance evidence. The designated officer can demonstrate oversight, monitor ongoing compliance, and respond to regulatory inquiries from Quebec’s privacy authority.

Yes. Under Quebec’s Law 25, you must obtain valid consent before placing most non-essential cookies and similar tracking technologies on a user’s device. Law 25 strengthens consent requirements for the collection and use of personal information, and courts and regulators interpreting the law view cookies that collect identifiable or behaviorally linked data as subject to those rules. That means users must be presented with clear, informed choices about tracking before it begins, not choices buried in a policy. So, if your site uses non-essential cookies for analytics, advertising, or behavioral tracking, you should obtain and document consent from Quebec visitors before activating them.

Under Quebec’s Law 25, individuals have the right to access their personal information, request correction, withdraw consent, request deletion in certain circumstances, and obtain information about how their data is used or transferred outside Quebec. The law also introduces a right to data portability and stronger protections around automated decision-making.

Vault supports these obligations by mapping real-time data flows to documented disclosures, identifying where personal information is collected or shared, and maintaining audit-ready evidence. This visibility helps your teams respond accurately to access or deletion requests, validate consent status, and demonstrate accountability if regulators inquire.

Law 25 imposes additional and more stringent requirements than PIPEDA (Personal Information Protection and Electronic Documents Act) does. These include mandatory appointment of a privacy officer, privacy impact assessments for certain projects, data portability rights, explicit consent standards for sensitive information, French-language obligations, and significantly higher penalties.

The CAI, or the Commission d’accès à l’information du Québec, is Quebec’s privacy regulator. It oversees compliance with Quebec’s private- and public-sector privacy laws, including Law 25. The CAI can investigate complaints, initiate audits, issue binding orders, and impose administrative monetary penalties. For more serious violations, it may recommend penal prosecutions that can result in significant fines. In short, the CAI has both investigative authority and real enforcement power under Law 25.

Don’t gamble with Quebec’s 4% fines.

Vault makes Law 25 compliance manageable.