Skip to main content

What every business needs to know about Law 25

On September 22, 2022, a series of personal information protection obligations for business comes into force. See what you need to do to avoid harsh penalties.

First of all, it is important to recognize that Law 25, An Act to modernize legislative provisions as regards the protection of personal information provides for the coming into force of an initial series of obligations for businesses on September 22, 2022.

All organizations in Quebec, whether large or small, private or public, that hold, process and disclose the personal information of their clients, employees and suppliers must comply with this law.

As such, this brief reminder of the main features of this new regulation is timely for you and your business. 

Legislation adapted to today’s technological realities

By assenting to Law 25 in September 2021, the National Assembly ensured that Quebec became the first Canadian province to modernize its privacy regime to adapt to today’s technological realities, and harmonize it with Canadian and international jurisdictions.

The purpose of this legislation is to better protect Quebeckers’ personal information by making private businesses and public bodies more accountable for the valuable data they hold. The new legislation will:

  • give individuals more control and information;
  • enhance the rules for information sharing consent;
  • require companies to adopt and implement practices to ensure the protection of personal information. 

A significant shift for privacy

Law 25 marks an important shift in how organizations in Quebec will collect and manage personal data. Three main areas of change have been addressed.


It marks a new era in the governance of personal information for companies that will need to adjust their privacy policies and processes.


Companies will have to adapt the consents requested and the information disclosed to consumers so that they have greater transparency and control over their personal information.


The powers of the regulator, the Commission de l’accès à l’information (CAI), will be strengthened, and companies that fail to comply with the new obligations will face severe penalties. 

Three phases and three dates to remember 

To allow all companies the time to make the necessary changes, three phases that specify the obligations and the deadline for making these changes have been identified. Remember this date, September 22, since it is the date in 2022, 2023 and 2024 that the provisions of Law 25 will gradually come into force.

Let’s take a look at what the rules will be for your company in the first phase.

As of September 22, 2022, all businesses will be required to meet the following three key obligations.

1.      The obligation to appoint the person with the highest level of authority in the company as the Privacy Officer or to delegate this function in writing to another person.

2.      The obligation to have a plan to manage confidentiality incidents and to keep a record of them, whether the incident concerns unauthorized access to, use or disclosure of personal information that is prohibited by law, or the loss of any other breach of such information.

3.      The obligation to disclose any incident that jeopardizes confidentiality of personal information and to notify all affected individuals and organizations and the CAI if the incident poses a risk of serious injury.