Québec’s Law 25:
Is your organization prepared?

What is Law 25?

Law 25 is Québec’s strict new privacy legislation that came into effect in September 2022. Many requirements of Law 25 differ greatly from, and are much stricter than, those of the federal Personal Information Protection and Electronic Documents Act. They will impact both Québec-based organizations and those that do business with people who live in Québec or operate in the province.

What should you expect?
Law 25 obligations come into effect September 2023
Transparency Obligation
  • The company handling personal data is required by law to inform individuals about the purposes, collection methods, and rights to access and correct their data.

  • It should also reveal the sources of information and the parties with whom the data may be shared.

  • Individuals must be informed about the possible transfer of their personal information outside of Québec.
Obligation for Consent

Individuals must give their consent for an organization to:

  • Utilize their personal information for the specific purposes stated by the Data Protection Office.

  • Share their personal information with a third party for the aforementioned purposes upon prior identification.
Financial Penalties
  • Private-sector companies face potential fines of up to 10,000,000 Canadian dollars or 2% of global turnover from the previous fiscal year.

  • 4% of global sales — or between $15,000 and $25 million — for private organizations with more serious offences.
What is the digital impact of Law 25?
Consent is mandatory for triggering any tracker
Impact on Analytics
Consent plays a crucial role in measuring analytics performance, as it is the foundation for data collection. Without obtaining consent from users, sharing data with your MarTech ecosystem becomes prohibited. It’s important to note that even server-side tracking is not exempt from the requirement of collecting consent, emphasizing the significance of obtaining permission before engaging in any data-related activities.
Impact on Media Performance
Running remarketing campaigns without consent is not permissible as it violates privacy regulations. This restriction not only hinders tracking conversions, resulting in decreased in-platform performance and limited data points for AI optimization, but it also adversely affects site publishers who are unable to maximize their advertising revenue through targeted advertising.
Impact on User Experience
Failing to respect user choice, or making access to user data complex, can have consequences that affect trust in an organization. For instance, when a user declines tracking but is still subjected to targeted advertisements, their trust is compromised. Furthermore, a poor consent management system can result in users abandoning a website, mistakenly believing they have navigated to an incorrect destination. These issues highlight the importance of prioritizing user preferences and implementing user-friendly systems to maintain trust and retain website visitors.
Obligations of Law 25
What are the obligations for your organization?

Since September 22, 2022, Law 25 enforces certain obligations on private businesses operating in Québec, irrespective of their scale. On September 22, 2023, additional provisions of Law 25 will be implemented. One of these provisions is the requirement to have defined policies and procedures pertaining to the management of personal information.

September 22, 2022 obligations
  • Designate a privacy officer. If no privacy officer is designated, the default position will be assigned to the CEO or the highest-ranking director of the company.

  • Inform the Commission d’accès à l’information (CAI) as well as the individuals impacted by any privacy breaches that pose a significant risk of harm. To notify the CAI, please fill out the Declaration of Incident Form (available exclusively in French) on the CAI website and send it via email, fax, or traditional mail.

  • Record all security incidents. Keep those records on hand for five years.

  • Coordinate with your internal legal team, including IT, marketing, and other relevant parties, to create a strategy and guarantee adherence to regulations.

September 23, 2022 obligations

This marks the moment when the core of the legislation takes effect. The implementation of these requirements entails numerous significant changes, making it crucial to establish new policies promptly to ensure your organization can adapt effectively and meet the obligations set forth by Law 25.

  • Create and enforce internal privacy protocols to oversee and safeguard individuals’ personal data. This entails examining agreements with external service providers and their handling of personal information. It is crucial to verify that they will promptly notify you of any privacy breaches involving personal data.

  • Publish the company privacy policy on the company website. It should be in a clear, concise and easy-to-understand format and include the privacy officer’s name, title, and contact details alongside it. Ensure that any automated decision-making processes are mentioned, and provide information on how individuals can request access to their personal information. Also, clearly state their rights to appeal any information or request erasure.

  • Review your current process for obtaining consent for collecting personal information. Consent must be obtained individually for each distinct purpose, implying that if you collect someone’s name and email for event registration, you must also solicit separate consent for sending a newsletter. It is crucial to express consent clauses using straightforward and easily understandable language.

  • Update your subscription forms to incorporate the precise purpose for gathering personal information and the user’s entitlement to amend or revoke consent whenever desired.

  • Disable any default data collection devices that gather information automatically.

  • Secure explicit consent from the user prior to activating any data collection device, such as presenting a cookie warning that allows opting out.

  • Maintain records of obtained consent in storage.

  • Perform a privacy impact evaluation for all projects that involve personal data. This includes those that involve the acquisition, development, or renovation of an information system or electronic service delivery system.

  • Conduct a privacy impact assessment for any data transfer outside the province of Québec. This entails initially identifying each instance of personal information being transferred outside the province. Subsequently, categorize the various types of cross-border data transfers by determining the specific personal information involved and its destination. Each distinct cross-border transfer type should then undergo a privacy impact assessment, evaluating whether the data will be safeguarded to the same degree in the new jurisdiction and identifying any potential risks.

  • Facilitate the right of erasure. Enable the implementation of the right to erasure by providing clients with the option to be forgotten. Make sure you possess the capability to recognize all personal data pertaining to a client, and verify that you have established procedures to completely delete a client’s information upon their request.

Trusted Technology Partners

Preparing for Law 25 is a process that requires governance strategy roadmaps. Meet the technology partners we collaborate with to ensure you have the right platforms set up for your company.

  • Microsoft

  • IBM

  • Collibra

  • Informatica

Need help getting ready for Law 25?
Schedule a meeting with our data experts to learn how we can tailor a governance program to your organization.
Fill out the form below and a member of our team will reach out to schedule your consultation.
