Quebec’s Law 25 Regulation (Bill 64)


This Law represents a step change for how businesses in Quebec will need to manage and protect personal information. Some key requirements to have the highest operational impact on businesses include:

  • Higher fines: The Law introduces new penal offences with significant fines of upwards of 4% of annual revenue.
  • Stricter privacy requirements: This includes, among other requirements, mandatory assessment of privacy-related factors, assessments for sharing of personal information outside of Quebec to ensure adequate protection, “separate” and “granular” consent and new individual rights.


Want to learn more about how SecuPi helps comply with Quebec’s Law 25?

Download Whitepaper



Quebec’s act to modernize legislative provisions regarding the protection of personal information, also known as Law 25, first came into effect in September 2022 for its phase 1, with additional data handling requirements will go into effect in September 2023 and additional requirements in 2024.


This regulation, originating from the Quebec province, introduces privacy legislation which is part of Canada’s wider privacy reform.

Law 25 introduces new set of obligations and requirements for businesses, related to data protection and data security of Quebec residents. These new requirements include individual’s privacy rights, data breach notification, DPO appointment and other.

With the full law in effect, organizations will be expected to fully comply with the privacy requirements or face penalties of $25,000,000 or 4% of worldwide turnover for the previous year, whichever is greater.

Quebec’s Law 25 applies to Quebec-based businesses as well as to external businesses processing the personal information of any number of Quebec residents, this means there is no minimum threshold to meet before the law’s requirements apply.



Several new requirements were introduced in September 2023. These obligations require organizations to reassess their data protection and privacy program and capabilities, develop new policies and capabilities and introduce new controls in order to comply.



Subject rights under Law 25 are similar to the ones defined in the EU General Data Protection Regulation (GDPR). The following new subject rights will be effective by September 2023, with other rights, such as the right to data portability becoming effective in September 2024.

  • Right to be informed
  • Right to access collected information
  • Right to privacy be default
  • Right to rectification
  • Right to erasure (Right to be Forgotten)
  • Right to withdraw consent
  • Right to restrict processing
  • Right to data portability (effective September 2024)

Privacy officers should respond to requests within 30 days of receipt, with the possibility of an extension



The new additions to the law defines certain enhanced rules relating to individuals’ consent required prior to the collection, use, or distribution of personal information. Like the GDPR and other data privacy laws, Quebec’s data privacy law requires businesses to give consumers the choice of activating any technologies that may be used to track their personal information.

Requests consent must be done independently from any other information provided to the individual. Consent for some uses or disclosures of sensitive personal information must be given expressly. Parental approval must be obtained before collecting, using, or disclosing personal information about a minor under the age of 14.

Key requirements related to consent under Law 25 include:

  • Free and informed
  • Given for specific purposes
  • Requested for each purpose
  • Presented in clear and simple language
  • Requested separately from any other information
  • Given expressly for sensitive personal information
  • Right to withdraw consent (applies within private sector only)



Under the new requirements stipulated in Law 25, organizations must report data breach to Le Commission d’accès à l’information du Quebec, and to any affected individuals. The organization is required to notify about a breach when unauthorized access of personal information is likely to cause a “risk of serious injury” to the individual as soon as possible after an incident occurs, and to maintain a full record of all security incidents.



A Data Protection Office (DPO) must be assigned by businesses in order to comply with Law 25. The law further specifies the responsibility of overseeing compliance to the highest senior employee. Organizations must publish the name, title, and contact information of the individual responsible on their website.



Organizations are required to conduct a Privacy Impact Assessment in certain events, such as when acquiring, developing, or overhauling an information system or electronic service delivery system that involves the collection, use, release, keeping, or destruction of personal information. The Privacy Impact Assessment is required for all activities where personal information will be shared outside of Quebec. An assessment should include information relating to:

  • The sensitivity of the information
  • The purposes for which it is to be used
  • The protection measures, including contractual ones, that would apply
  • The legal framework applicable in the jurisdiction that the information is shared



Law 25 covers a wide range of topics related to data protection and digital operational resilience. It sets uniform requirements for the security of personal information and applies to organizations operating in Quebec or serving any number Quebec resident.

SecuPi offers a technology-agnostic data-centric security platform, specifically designed to address regulated organizations compliance, governance privacy and data-security requirements and regulations, offering a superset of capabilities, consistently enforced over on-premises, hybrid and cross-cloud platforms:

  • Real-time visibility and user behavior analysis
  • Fine-grained access control (ABAC)
  • Deidentification of data, at rest & in-use

In the last years, SecuPi data security platform has been deployed at dozens of Global 2000 organizations, serving data-protection, security, privacy, governance and sovereignty requirements and use cases.

Download our whitepaper to help learn more about how SecuPi can help your company comply with Quebec’s Law 25.

Your Page Title

Want to see our product in action? Join us for a Demo!
Apply for this Job

    Or send your resume at
    Thank for you applying
    We will be in touch shortly.