Skip to main content

Privacy-proof your website for Quebec Law 25 compliance

Automate consent management and align your business with Law 25’s new compliance obligations with the most trusted cookie consent solution.

Become Quebec Law 25 Compliant

14-day free trial Cancel anytime

The #1 cookie consent solution, trusted by 1.5 Million+ websites

Brand logos of global companies that are CookieYes customers.
Quebec effective date

Quebec Law 25, is a legislative act that aims to transform the rules governing the collection, use, and disclosure of personal data in Quebec, Canada. It was adopted into law in September 2021 and has a three-year roll-out period starting in 2022, with the second phase coming into effect on September 22, 2023.

Quebec Law 25 Checklist for Websites

  • Conduct a Privacy Impact Assessment
  • Obtain user consent for cookies
  • Allow users to easily withdraw consent
  • Include a clear and up-to-date privacy policy
  • Implement privacy by default
  • Notify data breach to regulatory authority and users

Comply with Quebec Law 25 using CookieYes

Display cookie consent banner for visitors

Law 25 requires businesses to obtain consent prior to the collection, use, or disclosure of personal information(including data collected through cookies).

With CookieYes you can

  • Scan your website against a 100,000+ cookie database
  • Display a custom cookie banner to get opt-in consent
  • Show a consent revisit widget for users to withdraw consent

Automate consent management

Ensure up-to-date and ongoing compliance with Law 25’s requirements for consent by automating your consent management.

With CookieYes you can

  • Auto-block all third-party cookies before user consent
  • Schedule cookie scanning for continuous compliance
  • Document consent logs for regulatory audits

Generate a compliant privacy policy

Under Quebec Law 25, businesses should demonstrate transparency and inform how they collect, use, or disclose users’ personal information.

With CookieYes you can

  • Use our pre-built, legally compliant policy templates
  • Generate your privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website

Achieve regulatory compliance with ease
with our no-code cookie consent solution

Become Quebec Law 25 Compliant

14-day free trial Cancel anytime

Learn more about Quebec Law 25 and take
the next step towards compliance

What is Quebec Law 25?

Quebec Law 25 is a privacy legislation that governs the protection of personal information in Quebec. Officially known as “The Act to modernize legislative provisions as regards the protection of personal information”, it updates the existing framework, enhancing the data protection rights of individuals and introducing new obligations for both public and private entities in the province.  

Introduced as Bill 64, Law 25 was in September 2021, with provisions coming into effect in three phases – in September 2022, September 2023 and September 2024.

Who does Quebec Law 25 apply to?

Quebec’s Law 25 applies to persons who collect, store, use or share personal information for an economic activity, commercial or non-commercial. It pertains to any organization, including government bodies and non-profit organizations that conducts commercial activities catering to Quebec residents.

Law 25 applies to an organization based in Quebec as well as to organizations located outside the province.

What are consumer rights in Quebec Law 25?

Right to be informed

The right to be informed what information is collected, how it’s used, and the reasons for processing, except in specific circumstances where consent isn’t required.

Right to access

Individuals have the right to access their personal information held by organizations, subject to legal requirements and time limits.

Right to correct

The right to rectify information that is inaccurate, incomplete, or processed unlawfully.

Right to erasure

The right to require an organization to cease distributing their personal information.

Right to opt-out

Individuals have the right to withdraw their consent for the processing of their personal data at any time.

Right to data portability

The right to obtain a copy of their personal data in structured, commonly used, and machine-readable format and transfer it to another organization.

Rights related to automated decision-making

Right to be informed about any decision based on automated processing of personal information.

What is the penalty for non-compliance?

Under Law 25, the Quebec Commission on Access to Information (CAI) can impose administrative fines for non-compliance. Private-sector organizations may face administrative fines up to $10 million CAD, or an amount equivalent to 2% of their global turnover for the previous fiscal year, whichever is higher. Individuals can be subject to fines of up to $50,000 CAD.

The CAI may institute criminal proceedings for more serious breaches of the law. The fines for penal offences can go between CAD 15,000 to CAD 25 million, or 4% of an entity’s worldwide turnover from the preceding fiscal year, whichever is greater. Repeat violations can result in doubled fines.

FAQ on Quebec Law 25

Quebec’s Law 25, officially known as “An Act to modernize legislative provisions as regards the protection of personal information,” is the new Quebec privacy law. It governs the handling of personal information in Quebec. It introduces a set of new requirements for businesses operating in the province, including new obligations to safeguard the personal data of residents, the appointment of Privacy Officers, the establishment of a private right to take legal action, and the conduct of privacy impact assessments (PIAs).

The new Quebec Law 25 was enacted on September 22, 2021, and its provisions are being rolled out in phases over a three-year timeline. Some of the provisions have been in effect since September 2022, while additional sections of the law come into effect on September 22, 2023, and the third phase will be effective from September 2024.

Quebec’s data protection authority the Commission d’accès à l’information (CAI) du Québec is the enforcement agency for Law 25. 

Under Quebec’s Law 25, “Personal information concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned.”

This can include a wide range of information such as name, address, gender, government identification numbers, email address, username, password, financial information, or other online identifiers.

Law 25 and Quebec Bill 64 are one and the same. In Canada’s legal system, a Bill officially becomes Law once it’s approved by the Lieutenant-Governor. Quebec introduced Bill 64 in 2020 and on September 22, 2021, it was officially adopted as Law 25.

The Personal Information Protection and Electronic Documents Act or PIPEDA is a federal law that governs how private sector organizations collect, use, and disclose personal information for commercial activities. 

Quebec’s Law 25 governs how public and private organizations handle the personal information of Quebec’s residents. The law is applicable to both nonprofit and for-profit organizations. Law 25 is notably more comprehensive and stringent in its obligations and enforcement of data privacy rights.

On September 22, 2023, the second phase of regulatory changes for Law 25 will take effect. The new Quebec Law 25 requirements are: 

  • Accessible privacy policies 
  • Privacy governance and program development
  • New consumer rights – right to restrict processing and right to erasure 
  • Privacy impact assessments
  • Enhanced consent requirements and exceptions to consent
  • Privacy by design

Law 25 requires organizations to obtain free and informed consent for the collection and use of personal information, including the use of online identifiers such as cookies. 

Consent must be obtained for a specific purpose and it should be a clear indication of the individual’s agreement (i.e. opt-in consent). Consent requests should also be provided separately from any other information i.e. it cannot be bundled with the website’s privacy policy or terms of use.

Quebec cookie consent

As a website publisher, if you are collecting consent for the use of cookies, you should ask for consent via a consent banner and also provide information about the objective of the collection, how the information will be used and shared, where it will be stored and the user’s right to withdraw consent.

According to Quebec Law 25, organizations must inform individuals if their personal information will be used to make a decision based solely on the automated processing of that information. They must be informed either during data collection or before the commencement of automated processing.

The individual must also be informed of:

  • the personal information used to reach the automated decision
  • the reasons and the main factors and parameters that led to the decision and
  • their right to correct any personal information used to make the decision 

According to Quebec Law 25, individuals have the right to request an organisation to cease disseminating personal information about them. This includes de-indexing any hyperlinks that provide access to the individual’s information or re-indexing any hyperlink that provides access to that information (when certain conditions are met).

Fast-track your Quebec Law 25 compliance in minutes

Set up an opt-out banner in 3 simple steps and automate your compliance.

Become Quebec Law 25 Compliant

14-day free trial Cancel anytime