Demystifying Quebec Law 25

Are you curious about the newest stage of Law 25 and how it affects consumer privacy in Quebec? Previously known as Bill 64, Law 25 has sparked numerous debates and discussions around the topic of consumer data privacy. Whether you’re a legal enthusiast or simply interested in understanding the intricacies of Quebec’s unique data protection landscape, this article is designed to be a helpful guide for navigating the complexities of Law 25.

What is Quebec Law 25?

Quebec Law 25 implements significant changes to privacy regulations and data protection in Quebec. As the name suggests, it is a new law that carries weight and implications for individuals and businesses operating within the region.

Understandably, such legislation often leaves people wondering about its purpose and potential impact. Will it enhance privacy rights or inadvertently stifle innovation? How will it affect businesses that heavily rely on consumer data? These questions are valid and becoming increasingly common as we navigate the landscape of modern technology.

One thing is clear: Quebec Law 25 signals an important shift toward strengthening personal privacy rights in the digital age. By implementing stricter rules around the requirements for data collection, usage, and sharing practices, this law seeks to empower individuals and grant them greater control over personal information. It also addresses concerns related to third-party access, and introduces measures designed to safeguard sensitive data from cyber threats. Law 25 is considered to be Quebec’s answer to Europe’s GDPR.

As we delve deeper into Quebec Law 25’s implications for businesses, it becomes evident that various stakeholders must engage in conversations regarding implementation challenges, striking a balance between citizens’ data privacy and business growth.

Key Phases and Dates for Law 25

Law 25 is enacted in a 3-phase rollout. Phase one went into effect on September 22, 2022, phase two starts on September 22, 2023, and the third and final phase is scheduled for September 22, 2024. Law 25 has a few main components that must be followed by private organizations:

Phase 1 – Enacted September 22, 2022

  1. Appointment of a data privacy officer – assignment of an individual to be responsible for enacting data privacy laws
  2. Mandatory breach reporting – must notify individuals and the CAI of data breaches
  3. Biometrics disclosure – must disclose any biometric data collected to the CAI before implementing

Phase 2 – September 22, 2023

  1. Privacy policy – organizations must have a published privacy policy on their websites
  2. Privacy impact assessments (PIA) – assessments must be done to account for the implications of sharing data outside of Quebec
  3. Transparency & consent systems – private organizations must audit and update mechanisms for collecting, storing and sharing consumer data; must have an explicit opt-in mechanism
  4. Anonymization – organizations must ensure data can be destroyed or anonymized, meaning that data can no longer identify a specific individual after the data is no longer needed
  5. Right to erasure – implement systems to erase personal data upon request

Phase 3 – September 22, 2024

  1. Right to portability – private organizations must be able to produce a record of data stored upon request by an individual

Further Reading & Resources

Many great resources exist to ensure that you are equipped with the business insights necessary to navigate these waters effectively. If you are a Direct Impact Solutions client and would like to discuss your specific data handling processes, please contact your account manager to talk through your compliance plan, or leave us a note here.

Additional Sources–25-privacy/

This site is registered on as a development site. Switch to a production site key to remove this banner.