Privacy-proof your website for Quebec Law 25 compliance
Automate consent management and align your business with Law 25’s new compliance obligations with the most trusted cookie consent solution.
The #1 cookie consent solution, trusted by 1.5 Million+ websites
Quebec Law 25 is a legislative act that aims to transform the rules governing the collection, use, and disclosure of personal data in Quebec, Canada. It was adopted into law in September 2021 and has a three-year roll-out period starting in 2022, with the second phase coming into effect on September 22, 2023.
Quebec Law 25 Checklist for Websites
- Conduct a Privacy Impact Assessment
- Obtain user consent for cookies
- Allow users to easily withdraw consent
- Include a clear and up-to-date privacy policy
- Implement privacy by default
- Notify the regulatory authority and users of data breaches
Comply with Quebec Law 25 using CookieYes
Display cookie consent banner for visitors
Law 25 requires businesses to obtain consent prior to the collection, use, or disclosure of personal information (including data collected through cookies).
With CookieYes you can
Automate consent management
Ensure up-to-date and ongoing compliance with Law 25’s requirements for consent by automating your consent management.
With CookieYes you can
Generate a compliant privacy policy
Under Quebec Law 25, businesses should demonstrate transparency and inform how they collect, use, or disclose users’ personal information.
With CookieYes you can
Achieve regulatory compliance with ease with our no-code cookie consent solution
Learn more about Quebec Law 25 and take the next step towards compliance
What is Quebec Law 25?
Quebec Law 25 is a piece of privacy legislation that governs the protection of personal information in Quebec. Officially known as “The Act to modernize legislative provisions as regards the protection of personal information”, it updates the existing framework, enhancing the data protection rights of individuals and introducing new obligations for both public and private entities in the province.
Introduced as Bill 64, Law 25 was adopted in September 2021, with provisions coming into effect in three phases – in September 2022, September 2023 and September 2024.
Who does Quebec Law 25 apply to?
Quebec’s Law 25 applies to persons who collect, store, use or share personal information for an economic activity, commercial or non-commercial. It pertains to any organization, including government bodies and non-profit organizations, that conducts commercial activities catering to Quebec residents.
Law 25 applies to an organization based in Quebec as well as to organizations located outside the province.
What are consumer rights in Quebec Law 25?
Right to be informed
The right to be informed of what information is collected, how it’s used, and the reasons for processing, except in specific circumstances where consent isn’t required.
Right to access
Individuals have the right to access their personal information held by organizations, subject to legal requirements and time limits.
Right to correct
The right to rectify information that is inaccurate, incomplete, or processed unlawfully.
Right to erasure
The right to require an organization to cease distributing their personal information.
Right to opt-out
Individuals have the right to withdraw their consent for the processing of their personal data at any time.
Right to data portability
The right to obtain a copy of their personal data in structured, commonly used, and machine-readable format and transfer it to another organization.
Rights related to automated decision-making
Right to be informed about any decision based on automated processing of personal information.
What is the penalty for non-compliance?
Under Law 25, the Quebec Commission on Access to Information (CAI) can impose administrative fines for non-compliance. Private-sector organizations may face administrative fines up to $10 million CAD, or an amount equivalent to 2% of their global turnover for the previous fiscal year, whichever is higher. Individuals can be subject to fines of up to $50,000 CAD.
The CAI may institute criminal proceedings for more serious breaches of the law. The fines for penal offences can range from CAD 15,000 to CAD 25 million, or 4% of an entity’s worldwide turnover from the preceding fiscal year, whichever is greater. Repeat violations can result in doubled fines.
FAQ on Quebec Law 25
Quebec’s Law 25, officially known as “An Act to modernize legislative provisions as regards the protection of personal information,” is the new Quebec privacy law. It governs the handling of personal information in Quebec. It introduces a set of new requirements for businesses operating in the province, including new obligations to safeguard the personal data of residents, the appointment of Privacy Officers, the establishment of a private right to take legal action, and the conduct of privacy impact assessments (PIAs).
The new Quebec Law 25 was enacted on September 22, 2021, and its provisions are being rolled out in phases over a three-year timeline. Some of the provisions have been in effect since September 2022, while additional sections of the law come into effect on September 22, 2023, and the third phase will be effective from September 2024.
Quebec’s data protection authority, the Commission d’accès à l’information (CAI) du Québec, is the enforcement agency for Law 25.
Under Quebec’s Law 25, “Personal information concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned.”
This can include a wide range of information such as name, address, gender, government identification numbers, email address, username, password, financial information, or other online identifiers.
Law 25 and Quebec Bill 64 are one and the same. In Canada’s legal system, a Bill officially becomes Law once it’s approved by the Lieutenant-Governor. Quebec introduced Bill 64 in 2020 and on September 22, 2021, it was officially adopted as Law 25.
The Personal Information Protection and Electronic Documents Act or PIPEDA is a federal law that governs how private sector organizations collect, use, and disclose personal information for commercial activities.
Quebec’s Law 25 governs how public and private organizations handle the personal information of Quebec’s residents. The law is applicable to both nonprofit and for-profit organizations. Law 25 is notably more comprehensive and stringent in its obligations and enforcement of data privacy rights.
On September 22, 2023, the second phase of regulatory changes for Law 25 will take effect. The new Quebec Law 25 requirements are:
- Accessible privacy policies
- Privacy governance and program development
- New consumer rights – right to restrict processing and right to erasure
- Privacy impact assessments
- Enhanced consent requirements and exceptions to consent
- Privacy by design
Law 25 requires organizations to obtain free and informed consent for the collection and use of personal information, including the use of online identifiers such as cookies.
Consent must be obtained for a specific purpose and it should be a clear indication of the individual’s agreement (i.e. opt-in consent). Consent requests should also be provided separately from any other information, i.e. they cannot be bundled with the website’s privacy policy or terms of use.
Quebec cookie consent
As a website publisher, if you are collecting consent for the use of cookies, you should ask for consent via a consent banner and also provide information about the objective of the collection, how the information will be used and shared, where it will be stored and the user’s right to withdraw consent.
According to Quebec Law 25, organizations must inform individuals if their personal information will be used to make a decision based solely on the automated processing of that information. They must be informed either during data collection or before the commencement of automated processing.
The individual must also be informed of:
- the personal information used to reach the automated decision
- the reasons and the main factors and parameters that led to the decision and
- their right to correct any personal information used to make the decision
According to Quebec Law 25, individuals have the right to request an organization to cease disseminating personal information about them. This includes de-indexing any hyperlinks that provide access to the individual’s information or re-indexing any hyperlink that provides access to that information (when certain conditions are met).
Fast-track your Quebec Law 25 compliance in minutes
Set up an opt-out banner in 3 simple steps and automate your compliance.