Quebec Law 25: What U.S. Businesses Need to Know
Updated: April 2026
Reading time: ~12 minutes
Key Takeaways
- Quebec Law 25 applies to any organization that collects or processes the personal information of Quebec residents — regardless of where the organization is based.
- Compliance obligations rolled out in three phases between September 2022 and September 2024; all phases are now fully in effect.
- Penalties reach up to CAD $25 million or 4% of worldwide revenue — among the highest privacy sanctions in North America.
- Key obligations include designating a Privacy Officer, conducting Privacy Impact Assessments, publishing a compliant privacy policy, obtaining opt-in consent, and honoring data subject rights including portability.
- The law draws heavily from the GDPR model and is more demanding than most existing U.S. state privacy laws.
Introduction: A GDPR-Style Law With North American Reach
When most U.S. companies think about privacy compliance, they think about the California Consumer Privacy Act (CCPA), the growing roster of state-level privacy statutes, or perhaps the EU’s General Data Protection Regulation (GDPR) if they have a European presence. Quebec’s Act to Modernize Legislative Provisions as Regards the Protection of Personal Information — universally known as Law 25 or Loi 25 — rarely appears on that list. It should. Law 25 is one of the most far-reaching and demanding privacy regimes in the Western Hemisphere, and it applies directly to U.S. businesses that interact with Quebec residents, irrespective of where those businesses are incorporated or headquartered.
Enacted as Bill 64 and signed into law in September 2021, Law 25 amends Quebec’s foundational private-sector privacy statute — the Act Respecting the Protection of Personal Information in the Private Sector (LPRPSP) — as well as several other Quebec statutes. Implementation was structured across three distinct phases, the last of which took effect in September 2024. As of today, every substantive obligation under the law is enforceable, and the Commission d’accès à l’information (CAI) — Quebec’s privacy regulator — has made clear that it intends to use its newly expanded enforcement powers actively.
This article is intended to help U.S.-based legal counsel and compliance professionals understand the law’s scope, substance, and enforcement profile so that their organizations can assess exposure and take appropriate action.
Does Law 25 Apply to Your U.S. Business?
The threshold question for any U.S. organization is whether the law applies at all. The answer, for a surprisingly large number of American businesses, is yes. Law 25 follows the same extraterritorial model pioneered by the GDPR: it applies to any person or entity “carrying on an enterprise” that collects, holds, uses, or communicates personal information about individuals located in Quebec — without regard to where that enterprise is situated geographically.
The phrase “carrying on an enterprise” is defined expansively under Quebec civil law. It encompasses any organized economic activity, whether commercial or not, carried on by a natural person, a legal person, a partnership, or any other group. Crucially, this definition extends to nonprofit organizations, professional associations, and healthcare providers, not just for-profit businesses. There is no de minimis threshold based on revenue, employee headcount, or the volume of Quebec residents whose data is processed. A U.S. e-commerce company that ships to customers in Montreal, a SaaS platform that licenses software to a Quebec employer, a healthcare network that treats cross-border patients, and a media company whose subscription service is accessible to Quebec residents can all fall squarely within the law’s ambit.
The practical implication is that any U.S. organization that knowingly or foreseeably interacts with individuals in Quebec — whether through a website, an app, a service agreement, or a commercial transaction — should conduct at minimum a scoping analysis to determine whether it collects or processes personal information about those individuals. If it does, Law 25 obligations likely attach.
Implementation Timeline: Three Phases, Now Fully Effective
One of Law 25’s distinctive features is its phased implementation schedule. Rather than imposing all obligations simultaneously, Quebec staggered the law’s requirements across three annual phases to allow organizations time to build compliance infrastructure. That grace period has now expired; as of September 22, 2024, the full complement of Law 25 obligations is in force.
Phase 1 (Sept. 22, 2022): Governance & Incident Response Foundations
Phase 1 required organizations to designate a Privacy Officer, establish an internal governance framework, publish the name and contact details of that officer on their website, and comply with a new confidentiality incident notification regime. Organizations became obligated to keep an incident register and to notify both the CAI and affected individuals whenever a security incident poses a “high risk of serious injury.” Phase 1 also introduced rules on the use of anonymized information and began the process of strengthening the CAI’s investigative and enforcement toolkit.
Phase 2 (Sept. 22, 2023): Consent, Transparency & Individual Rights
Phase 2 brought the broadest and most operationally demanding obligations. It introduced mandatory Privacy Impact Assessments (PIAs) for new technology projects and cross-border data transfers, enhanced consent standards requiring opt-in consent for most data collection, comprehensive privacy policy requirements, data minimization obligations, retention and destruction schedules, and a robust set of individual rights — including rights of access, rectification, restriction of processing, withdrawal of consent, and the right to de-indexation (often described as the “right to be forgotten”). The obligations around profiling, automated decision-making, and cookie consent also took effect at this stage.
Phase 3 (Sept. 22, 2024): Data Portability
Phase 3 completed the framework by activating the right to data portability. Under this obligation, any individual whose personal information is held in a computerized format may request that the organization provide it in a structured, commonly used technological format — and may request that it be transmitted directly to a third party or another enterprise. Organizations must be able to fulfill these requests in a manner that is accessible and intelligible. This right applies to information collected directly from the individual in the course of providing products or services.
Core Compliance Obligations in Detail
1. Privacy Officer Designation
Every organization subject to Law 25 must designate a person responsible for the protection of personal information. By statutory default, this responsibility falls to the highest-ranking officer of the enterprise — typically the CEO or equivalent. That individual may, however, delegate the role in writing to another person inside or outside the organization. The name and contact information of the designated Privacy Officer must be published on the organization’s website. The Privacy Officer is responsible for overseeing data subject rights requests, managing the confidentiality incident register, conducting Privacy Impact Assessments, and ensuring overall compliance with the law. U.S. businesses should note that the law does not require the Privacy Officer to be a Quebec resident, a Canadian national, or even physically located in Canada.
2. Privacy Impact Assessments (PIAs)
Privacy Impact Assessments are a cornerstone of the Law 25 compliance framework. Organizations must conduct a PIA before undertaking any project involving the acquisition, development, or overhaul of an information system or electronic service delivery system, and before any cross-border transfer of personal information outside Quebec. The PIA must assess the privacy risks associated with the project and identify the measures that will be taken to mitigate those risks. For cross-border transfers specifically, the PIA must evaluate the legal framework of the destination jurisdiction and the data protection practices of the receiving party. If the PIA reveals that the receiving jurisdiction does not offer an “adequate” level of protection equivalent to Quebec’s standards, additional contractual or technical safeguards must be implemented before the transfer may proceed. The CAI has published detailed guidance on what a compliant PIA must contain, including an assessment methodology and documentation standards.
For U.S. businesses, this cross-border transfer obligation has immediate practical significance. Any transfer of personal information from a Quebec-based entity (or a Quebec resident’s data held by a foreign entity) back to infrastructure or processors located in the United States triggers a PIA requirement. Given widespread use of U.S.-based cloud services, analytics platforms, and SaaS solutions, many organizations have needed to build cross-border transfer governance programs from scratch.
3. Consent Standards
Law 25 significantly raises the bar for consent. Consent must be manifest — meaning it must be given by a clear affirmative act — as well as free, informed, and given for specific purposes. Pre-ticked checkboxes, bundled consents, and implied consent mechanisms are generally insufficient. Where the purpose of collection is sensitive, consent must be explicit. Consent must also be granular: an individual must be able to give or withhold consent for each distinct purpose of collection, and the organization must be able to demonstrate that consent was validly obtained.
The law also addresses technological means of collecting personal information — including cookies and similar trackers. Technologies that identify, locate, or profile an individual may only be activated after the individual has been informed of their use and has consented to them. In practice, this means that organizations must deploy opt-in consent mechanisms for non-essential cookies and tracking technologies in Quebec, a requirement that goes meaningfully further than the opt-out model that prevails under U.S. law.
4. Privacy Policy Requirements
Organizations must publish a privacy policy that is written in clear and simple language and that sets out the governing rules for the retention and destruction of personal information, as well as the roles and responsibilities of staff in respect of personal information handling. The policy must be accessible to any person whose personal information is collected. Additional transparency obligations require that, at or before the time of collection, individuals be informed of: the purposes for which the information is collected; the means by which it is collected; the rights they have in respect of the information; and, if the information will be communicated outside Quebec, the identity of recipient countries and the applicable legal framework.
5. Data Minimization and Retention
Law 25 codifies principles of data minimization and purpose limitation. Personal information may only be collected to the extent necessary for the purpose for which it is collected. Organizations must establish and follow a retention schedule, and personal information must be destroyed or anonymized — using industry-standard techniques — once the purposes of collection have been fulfilled and no legal retention obligation requires it to be kept. The law is explicit that anonymization must be “reasonable” and “proportional” given the available technology, and that re-identification must not be technically feasible. Mere pseudonymization does not satisfy the standard.
6. Individual Rights
Law 25 grants Quebec residents a comprehensive set of rights that U.S.-based legal counsel will recognize as broadly analogous to those in the GDPR. Individuals have the right to be informed about the collection of their personal information; the right to access information held about them and to receive it in an intelligible form; the right to correct inaccurate, incomplete, or ambiguous information; the right to withdraw consent at any time, subject to legal or contractual restrictions; and the right to request the de-indexation of hyperlinks disseminating personal information or sensitive content. The right to data portability, activated in September 2024, allows individuals to receive a copy of their personal information in a structured, commonly used technological format and to have that information transmitted to another organization. Organizations must respond to rights requests within 30 calendar days, with a possible extension of 10 additional days where the volume or complexity of the request warrants it.
7. Automated Decision-Making
Law 25 contains provisions specifically targeting automated decision-making — a domain of increasing importance as organizations deploy AI and algorithmic systems. Where a decision based exclusively on the automated processing of personal information significantly affects an individual, that individual has the right to be informed that such a decision has been made, to be given reasons for it, and to have the opportunity to submit observations to a person in a position to review it. Organizations using automated scoring, credit assessment, profiling, or similar technologies to make decisions that affect Quebec residents must build meaningful human review mechanisms into their processes.
Penalties and Enforcement
Quebec’s enforcement framework under Law 25 is among the most robust in North America, and the penalty levels are designed to make non-compliance economically irrational even for large global organizations.
| Category | Maximum Penalty | Notes |
| --- | --- | --- |
| Administrative Monetary Penalties (CAI) | Greater of CAD $10 million or 2% of worldwide turnover | Issued by the CAI for less severe violations; assessed on a sliding scale based on seriousness, sensitivity of information, number of individuals affected, and degree of cooperation. |
| Penal (Criminal) Fines (Court of Quebec) | Greater of CAD $25 million or 4% of worldwide turnover | Prosecuted before the Court of Quebec; minimum fine of CAD $15,000 for corporations; doubled for repeat offenses within five years. Reserved for the most serious violations. |
| Statutory Punitive Damages (Private Action) | Minimum CAD $1,000 per claimant | Available where an infringement causes injury resulting from an intentional fault or gross negligence. Class actions are expressly available to Quebec residents. |
The CAI has been granted expanded investigative powers, including the authority to require the production of documents and information, to order organizations to implement protective measures, and to publish its decisions publicly — creating significant reputational risk in addition to financial exposure. The CAI has signaled that it will prioritize systemic violations, cross-border data transfers that fail to meet PIA requirements, and failures in the incident notification process. U.S. businesses should not assume that geographic distance provides a practical shield from enforcement; the CAI has indicated willingness to coordinate with foreign counterparts and has the legal authority to pursue organizations operating outside Quebec.
How Law 25 Compares to Other Privacy Regimes
U.S. legal counsel and compliance professionals will benefit from placing Law 25 in comparative context. In many respects, Law 25 is more demanding than either the CCPA/CPRA framework or Canada’s federal privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). Unlike the CCPA, Law 25 does not limit its principal obligations to businesses meeting size or revenue thresholds; it applies to every enterprise, regardless of scale. Unlike PIPEDA, Law 25 imposes opt-in rather than opt-out consent as the default standard, requires PIAs for cross-border transfers, and mandates affirmative consent for non-essential technologies of identification or profiling.
The closest analogue globally is the GDPR. Both instruments share a common architecture: purpose limitation, data minimization, privacy by design and by default, mandatory DPIAs (called PIAs under Law 25), comprehensive individual rights, mandatory breach notification, cross-border transfer controls, and substantial administrative penalties. U.S. companies that already have a mature GDPR compliance program will find Law 25 familiar in structure, though there are important Quebec-specific nuances — particularly in the areas of language and transparency requirements (documents must be understandable to a Quebec-resident audience), the scope of the right to de-indexation, and the statutory right to punitive damages in private litigation.
Practical Steps for U.S. Businesses
Given that all Law 25 obligations are now fully in effect, organizations that have not yet assessed their compliance posture face enforcement exposure today. The following framework outlines the key actions U.S. organizations should take.
Law 25 Compliance Action Plan for U.S. Organizations
- Conduct a Scoping Analysis. Determine whether your organization collects or processes personal information about Quebec residents. If your products, services, or operations interact with Quebec residents in any meaningful way, assume Law 25 applies and proceed accordingly.
- Designate a Privacy Officer. Formally designate a Privacy Officer with appropriate authority and document the appointment in writing. Publish the officer’s name and contact information on your website in a manner accessible to Quebec residents.
- Map Your Data. Conduct a comprehensive data inventory to identify what personal information is collected from Quebec residents, the purposes of collection, where the data is stored, and how it flows within and outside your organization.
- Review and Update Consent Mechanisms. Audit all points of data collection to ensure that consent is manifestly and affirmatively obtained, specific to the purpose, and capable of being documented. Replace opt-out or implied consent mechanisms with opt-in alternatives.
- Audit Cookie and Tracking Practices. Conduct a cookie audit and deploy a consent management platform that captures affirmative opt-in consent for non-essential cookies and tracking technologies before they are activated for Quebec-resident users.
- Conduct Privacy Impact Assessments for Cross-Border Transfers. Identify all transfers of personal information from Quebec operations (or transfers of Quebec-resident data) to U.S. infrastructure or processors. Conduct the required PIAs, evaluate adequacy, and implement contractual safeguards where necessary.
- Publish a Compliant Privacy Policy. Review your existing privacy policy and ensure it addresses all Law 25 disclosure requirements. The policy must be written in clear and simple language and must cover retention schedules, individual rights, cross-border transfer practices, and staff responsibilities.
- Build a Rights-Request Fulfillment Process. Establish documented procedures for receiving, authenticating, and responding to data subject rights requests — including access, correction, de-indexation, and portability — within the 30-day statutory deadline.
- Implement Incident Notification Procedures. Create or update your incident response plan to reflect Law 25’s notification obligations, including the requirement to assess whether an incident poses a “high risk of serious injury,” to notify the CAI and affected individuals promptly, and to maintain an incident register.
- Review Automated Decision-Making Systems. Identify any systems that make decisions based exclusively on automated processing that could significantly affect individuals. Ensure that individuals subject to such decisions are informed, that reasons are provided upon request, and that human review mechanisms exist.
Conclusion
Quebec Law 25 represents a significant shift in the North American privacy landscape. For the first time, a Canadian province has adopted a comprehensive, GDPR-style privacy regime with explicitly extraterritorial reach, robust individual rights, mandatory PIAs, and a penalty structure calibrated to the scale of global enterprises. The law is not a theoretical future risk — it is fully in force, the CAI is actively exercising its enforcement mandate, and class action litigation exposure for statutory punitive damages is real.
U.S. businesses that operate in the digital economy, serve Canadian consumers, or process data flows through Quebec-based entities can no longer treat Law 25 as a peripheral concern. The compliance investment required is substantial, but it is substantially lower than the cost of an enforcement action, a regulatory fine measured in millions of dollars, or a class action from Quebec residents whose rights have been infringed.
Organizations that have invested in GDPR compliance programs are well-positioned to adapt those programs to Law 25, as the conceptual frameworks are closely aligned. Organizations without such programs should treat Law 25 as both a compliance obligation and an opportunity to build a scalable privacy governance structure that will serve them across multiple jurisdictions as privacy law continues to expand globally.
If your organization requires legal advice regarding the applicability of Quebec Law 25 to your operations, the adequacy of your current compliance program, or the development of a remediation roadmap, we encourage you to contact our data protection team.