Skip to main content

As rich in possibilities as it may be, the online world has no shortage of risk. And that’s especially true when it comes to data privacy. Individuals use their information to access services and platforms online without a conscious awareness of where it goes, who it’s handled by, and whether those managing it have their best interests at heart.


There’s the risk of first-party wrongdoing, such as when a company uses personal information in an unethical way, as well as the emerging risk of exposure and loss to third parties, whether they be affiliate organizations or cyber criminals. Both cases present a threat to the privacy, identity, peace of mind, and sometimes even the safety of internet users.

In a bid to protect its own citizens, the Canadian province of Quebec recently signed and has begun adopting a new regional law on data privacy, Quebec Law 25. This article will dive deep into the context and reasoning behind it, as well as what implications it will have for organizations that do business in one of the largest French-speaking regions outside of France.

Quebec law 25 compliance and cookie consent

Quebec law 25 compliance and cookie consent

Quebec Law 25: A Timeline of Events

The Quebec government, like most other jurisdictions in the world, has long been aware of its responsibility to protect citizens’ data from this kind of misuse. That’s why it’s implemented several laws on the matter over the years, the most prominent up until now being the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, and the Act Respecting the Protection of Personal Information in the Private Sector. Established in 1982 and 1994 respectively, these provincial-level laws set out guidelines on how companies and public sector organizations may handle individuals’ personal information. They follow the same basic principles as other major privacy laws – putting in place responsibilities for proper data management practices and establishing measures of accountability that applicable organizations must follow.

These laws have been updated several times over the years, with Legis Quebec’s official publication showing timestamps for amendments and additional provisions that run back as far as the 1990s. Of course, a lot has changed over that 30-some-year period of time – different government administrations, increasing levels of digital accessibility… Google wasn’t even founded until 1998.

The piecemeal approach taken to date leaves a lot of room for ambiguity and interpretation, something neither citizens nor businesses want when it comes to an issue as sensitive as data privacy. That’s why the Quebec government has responded by launching the new initiative we’re discussing today, Law 25.

Originally known as Quebec Bill 64: An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, this law is intended to revitalize the province’s existing framework on data privacy. It’s gone through several changes since it was first announced in June 2020 and became officially adopted as of September 2021.

The primary objective of Law 25 is two-fold: to update Quebec’s existing data protection laws in a way that reflects technological advances since the turn of the millennium, and to align them with standards established by other countries and international agreements.

It addresses key blank spaces relating to data subject rights, consent requirements, and enforcement mechanisms. Some already existed, but experts agree that they were nowhere near comprehensive enough to protect people from the prolific risks of data misuse in today’s advanced landscape.

How Quebec Law 25 Works In the Grander Scheme of Canadian Privacy Law

On a national level, Canada is known for one big, almost all-encompassing data privacy law: The Personal Information Protection and Electronic Documents Act (PIPEDA). Established in the year 2000, it outlines consent rules that private organizations must follow when collecting, using, or disclosing Canadians’ personal information.

PIPEDA also requires organizations to keep personal information accurate, secure, and open to scrutiny. Organizations collect individuals’ personal data for specific purposes only—which must be disclosed – and the individual can request access to their data or corrections at any time. This is very similar to other data privacy legislation around the world, such as the GDPR in Europe.

In addition to PIPEDA, each of Canada’s provinces and territories have its own laws on how organizations can handle personal information (with some exceptions). Quebec is unique from other provinces in that it is partially sovereign with the ability to break away from the mold in creating domestic law.

To date, it has enforced standards of data handling and privacy through both PIPEDA and the aforementioned Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, and the Act Respecting the Protection of Personal Information in the Private Sector.

Everything There Is to Know About Quebec Law 25

Quebec’s Law 25 applies quite broadly, protecting the personal data of anyone whose data is being managed under its jurisdiction. This includes those living in Quebec, Canadians from other provinces, and citizens from abroad. Its scope also extends to individuals who have passed away – their records are safeguarded up to 20 years after death.

Here’s a high-level breakdown of what rights protected people are afforded under Law 25:

The Right to Consent | Quebec Law 25

A key tenet of any data privacy regulation, Law 25 gives individuals it protects the ‘right to consent’.  This means that they have control over whether their personal information is processed in the first place, and that businesses seeking it must ask before doing so.

Quebec’s provisions specifically state that consent must be ‘informed, specific, and given freely’ for it to be legally valid. Individuals must be at least 14 years of age in order to provide consent – younger children are privy to an enhanced set of requirements.

Try our consent management platform and create your custom cookie banner to manage your cookies and third-party scripts on your website compliant with Quebec’s Law 25 and other privacy laws. CookieFirst offers a comprehensive cookie policy generator and a cookie scanner to generate a list of all the third-party cookies and local storage items that you use on your website.

The Right to be Forgotten

The ‘right to be forgotten’ is a popularizing concept in the realm of data privacy, due in part to the internet’s rapid expansion and evidently permanent storage of personal data. People don’t want to always be associated with the information they’ve shared in the past, and so have a right to request its deletion.

Under the GDPR’s “right to erasure” provision, data controllers must erase all personal data related to an individual if it is no longer needed, or upon individual request. They must also inform any third parties to whom the data has been disclosed of its erasure. This right applies only when certain conditions are met and can be limited under specific circumstances, such as when the data is needed for research or legal purposes.

Quebec’s Law 25 follows similar footsteps in establishing the same basic rights, as well as by outlining specific mechanisms through which individuals can request hyperlinks that lead to their information be de-indexed in search engines like Google.

The Right to Access and Correction

Similarly to the right to be forgotten, the right to access and correction gives people a say over how they are seen both online and by data controllers. It stipulates that individuals can request access to the personal data that a controller holds about them, as well as information regarding why it is being used and who has been given access. They may also request to have their personal data amended if it is in any way inaccurate, ambiguous, incomplete, or obtained in violation of the law.

The Right to Data Portability

‘Data portability’ refers to the ability of information and data to be transferred from one system or controller to another. This right is meant to give people more control over their personal information, as well as allow them greater freedom of choice when it comes to the services they use. For example, if an individual wanted to switch from one email provider to another, data portability would allow them to do so without having to manually enter all their contacts and other information.

Law 25 provides subjects with entitlements to portability, as well as the ability to request that their data be directly transferred to a third-party provider. In every case, the information must be moved in a format that’s both easy to understand and that can be readily accessed by receiving services.

Right to Anonymity

Law 25 stipulates that individuals should be able to access services anonymously or pseudonymously whenever possible. This is especially important in the digital age, as companies are increasingly trying to track users and their behavior. The right to anonymity helps protect individuals from unwanted surveillance or manipulation by third parties, allowing them greater privacy and control over their data.

Rights Over Automated Decisions

With Artificial Intelligence becoming less of a matter of science fiction and more of a reality every day, jurisdictions like Quebec are weary of the implications its widespread use could have for data privacy.

Law 25 states that no person shall be subject to any decision based solely on the automated processing of their personal data unless they have previously consented to it. This means that, like regular data processing, organizations must obtain permission before actually giving the reins to their AI applications.

On top of this, subjects must also be informed of the logic and purpose behind an automated decision before consenting to it. They have the right to request human intervention in the event of incorrect decisions, or to challenge the automated decision altogether. This ties in with the right to correct, but specifically applies to the potential mistakes made by automated technology.

Privacy by Default

Privacy by Default, sometimes equated as Privacy by Design, is a world-renowned concept that uncoincidentally finds its roots in Canada. The framework was developed by the Information and Privacy Commissioner of Ontario, Canada, Dr. Ann Cavoukian in the 1990s and has since been adopted by a number of regulatory bodies around the world.

At its core, Privacy by Default aims to ensure that the data organizations collect from users or customers is always safeguarded with appropriate security measures as a top priority. The key to this lies in the name; by default, organizations should be using the highest levels of security for all customer data, without any need to opt-in or additional steps necessary.

Quebec’s Law 25 embraces the principles of Privacy by Default and requires organizations to adhere to the concept of “privacy by design” in their operations. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also recognizes this standard, requiring businesses to include appropriate safeguards when collecting, using or disclosing personal data.

Cookie Consent Manager | Take a 2 week free trial

Take a 2 week free trial for our paid plans or create a free account …

Create an accountView our plans

Getting Ready for Quebec’s Law 25

Quebec’s Law 25 is already a reality, having been officially implemented in 2021. Lawmakers have opted to introduce it through a phased approach, however, with the most basic changes in place now and a set timeline for when further ones will be enforced.

The biggest one coming down the pike is for September 22nd, 2023, when a new subsection will require companies to fully embrace privacy by default in their data collection and management practices. They will also need to begin following Law 25’s provisions regarding the right to erasure, transparency and consent systems, anonymization, privacy policies, and mandatory Privacy Impact Assessments (PIA).

The remaining Phase 3, currently with a deadline of September 22nd, 2024, will formally institute the right to portability by forcing businesses to create mechanisms for data subjects to access and transmit their personal data.

The concequences for failing to adhere to these oncoming changes – or any that are already in place for that matter – can be quite damaging.

The province of Quebec didn’t hold back when it created the enforcement system for Law 25, with a two-tier structure provisioning the possibilities of both monetary penalty and civil right of action. Financially, organizations that neglect their respopnsibilities of the framework can expect to shell out fines ranging between $15,000 CAD and $25,000,000 CAD, or 4% of their global turnover for the prior fiscal year, whichever is more. Individuals face a maximum fine amount of $100,000, while in either case, legal action can be brought before the court by an individual affected. Law 25 will be enforced by Quebec’s Commission d’accès à l’information (CAI).

Quebec Law 25 – What Can You Do?

The good news about Quebec’s new data privacy law is that it’s not all that different from the many other influential ones already in place around the world. Adhering to its guidelines will simply be a matter of following established best practices, such as:

Implementing Adequate Security Controls

Organizations must implement reasonable security controls that protect personal data in their possession, including measures to detect and prevent unauthorized access.

Obtaining Consent for Data Processing

Any processing of personal data (including collecting, storing, using or disclosing it) must be done only after obtaining valid, informed consent from the individual. A cookie consent tool like CookieFirst can help with this.

There are a lot of different cookies used on the web. If you would like to know more about cookies, read our article: What are cookies ?

Limiting Collection and Retention Periods for Personal Data

A simple but powerful way to protect data privacy is to limit the amount of personal data collected and how long it’s stored. Organizations should only collect what they need, and delete or anonymize any unnecessary information as soon as possible.

Being Proactive About Data Collection Notices

Organizations should be open and honest about how personal data is collected, used and retained. A clear privacy policy should explain the organization’s practices in plain language so that individuals can make informed decisions.

Educating Staff About Data Privacy

Organizations should ensure that all staff are aware of data privacy laws and regulations. They should also be trained on how to handle personal data responsibly, including using secure storage methods and proper disposal techniques.

Monitoring and Auditing Data Practices

Regularly monitoring and auditing data privacy practices can help organizations identify weaknesses in their processes. This can include using automated tools to detect any suspicious activity, as well as conducting regular reviews of data collection, access records, retention policies, and more.

Although it’s just one drop in a global bucket that needs to be filled, Law 25 represents a significant step forward in Canada’s journey towards comprehensive data privacy. It brings about countless welcome changes to regulations that were quickly antiquating, and in doing so, establishes a new level of protection that Quebec citizens can actually trust to protect their personal information in today’s online world. Not only that but by adopting Law 25, Quebec brings itself up to speed with other prominent regulations around the world, such as the EU GDPR. This may make it easier for entities in both regions to collaborate and exchange information with one another, ushering in a new era marked by the benefits of both seamless connectivity and a staunch respect for individuals’ privacy.


Get consent before loading third party tracking scripts

CookieFirst aims to make ePrivacy and GDPR compliance easy and quick to implement. The CookieFirst platform offers third-party script and consent management, statistics, periodic cookie scans, automated cookie declaration, banner customization, multiple language options, and more. Avoid large fines and get consent before loading third-party tracking scripts — try CookieFirst!