Insights · Law 25

Quebec Law 25, explained for SMBs

Law 25 applies to nearly every Quebec private-sector business, no matter its size. Here is what it actually requires, in plain language.

In plain terms

If you run a business in Quebec and hold personal information, Law 25 already applies to you. The rest of this article walks through the details; here is the core of it.

  • The law covers virtually every private-sector business in Quebec, whatever its size — there is no small-business exemption.
  • Everything is in force: the first wave since September 2022, the core obligations since September 2023.
  • The penalties are real — administrative penalties up to $10 million or 2% of worldwide turnover, and penal fines up to $25 million or 4%.

Does Law 25 apply to my business?

Almost certainly, yes. Law 25 (formerly Bill 64) applies to virtually every private-sector enterprise in Quebec that collects, holds or uses personal information, regardless of size. There’s no employee-count exemption: a five-person firm in Gatineau answers to the same core obligations as a large enterprise, scaled to its reality.

The law modernized Quebec’s private-sector privacy regime and rolled out in stages from 2022 through 2024. The obligations that matter most for an SMB took effect in September 2023 and are fully in force today — this isn’t a future deadline to plan around. If you keep customer lists, employee files, client records, or anything that can identify a person, the law speaks to you.

What trips up smaller businesses is that Law 25 is principle-based, not a checklist. It doesn’t hand you a fixed set of tasks; it sets out outcomes you have to reach. Knowing the obligations behind those principles is the first step to a realistic plan.

What are the core Law 25 requirements for a small business?

First, you have to formally name someone in charge of protecting personal information — a privacy officer, the Responsable de la protection des renseignements personnels (RPRP) — and publish their title and contact details so the public can reach them. Second, you need written governance: internal policies for handling personal information, retention and destruction schedules, and a plain-language privacy policy people can actually read.

Third, you have to run an évaluation des facteurs relatifs à la vie privée (EFVP) — a privacy impact assessment — before you acquire, build or overhaul a system that handles personal information, and before you transfer personal information outside Quebec. Fourth, when a confidentiality incident creates a risk of serious injury, you must notify the Commission d’accès à l’information and the people affected — and keep a register of incidents, reportable or not.

Fifth, you need consent that’s clear, free and informed, asked for each specific purpose, and you have to honour the rights the law created: access, correction, de-indexing and data portability. Those five obligations are the backbone of Law 25 for a small business.

Where should I actually start?

Start by naming your RPRP and publishing the role. It’s the obligation the law states most plainly, you can do it quickly, and it gives every later step a clear owner. If you’d rather not hand the role to someone internally, it can be outsourced.

Then map the personal information you hold: what you collect, why, where it lives, and who can get at it. That inventory is what everything else stands on — you can’t write honest governance, assess a transfer, or handle an incident if you don’t know what data you’ve got. From there, draft the governance documents — internal practices, retention and destruction, the public privacy policy — and build the breach process before you need it: the notification path, the templates, the incident register.

Work in that order — officer, inventory, governance, breach process — and a principle-based law turns into a short, prioritized plan. If you want to see where you stand before committing to any of it, our free two-minute self-check walks through ten of the core obligations and gives you a score and clear next steps. Nothing is saved or sent.

What about funding to help with the cost?

The program people ask about most, MaLoi25, ended in 2025, so it’s no longer on the table. We say so plainly because the question still comes up constantly.

More broadly, subsidized cybersecurity and Law 25 support has reached Quebec SMBs through the province’s network of college technology-transfer centres (CCTT) — CyberQuébec, affiliated with Cégep de l’Outaouais and funded by the Government of Quebec, is one example. These programs come and go, so check what’s actually open and whether you qualify before counting on any specific grant.

Either way, the foundational steps — naming a privacy officer, publishing a clear policy, building a data inventory — are quick wins that don’t depend on a dollar of funding. Funding, where it exists, helps with the deeper work. It shouldn’t be your reason to put off the basics. And if you’re in the region, our Law 25 help in the Outaouais is delivered on-site, in French or English.

Where does Law 25 stand in 2026?

Every wave of Law 25 is now in force. The September 2022 obligations came first — a named privacy officer and mandatory reporting of confidentiality incidents that pose a risk of serious injury. The core wave followed in September 2023, with written governance, privacy impact assessments, stricter consent rules and the penalty regime; data portability, the last piece, took effect in September 2024. There is nothing left to phase in.

That changes the posture question. For years the honest answer to “are we compliant?” could be “we’re getting there” — the law itself was still arriving in stages. In 2026 that narrative is gone: the Commission d’accès à l’information can impose administrative penalties of up to $10 million or 2% of worldwide turnover, penal fines can reach $25 million or 4%, and individuals hold a private right of action. The practical risk for an SMB isn’t an inspector at the door; it’s a complaint or a reported incident that exposes governance you never put in place.

FAQ

Frequently asked questions

Does Law 25 really apply to a small business?

Yes. Law 25 applies to virtually every private-sector enterprise in Quebec that collects, holds or uses personal information, regardless of size — there is no employee-count exemption. The core obligations have been in force since September 2023 — and the first wave, including naming a privacy officer and reporting serious confidentiality incidents, since September 2022. Smaller businesses simply need to scope the effort to their size.

What are the penalties for not complying?

Law 25 carries some of the toughest privacy penalties in Canada, and the law also created a private right of action for damages. For an SMB, the practical risk is usually a complaint or a reported breach that exposes missing governance, which is why having the basics in place matters. Our Law 25 service page covers the specific penalty figures in detail.

What is an EFVP and do we need one?

An EFVP — évaluation des facteurs relatifs à la vie privée, or privacy impact assessment — is a structured review of the privacy risks of a project. Under Law 25 you must conduct one before acquiring, developing or overhauling an information system that handles personal information, and before transferring personal information outside Quebec. The assessment is scaled to the project: a small initiative warrants a proportionate, documented review, not a heavy report.

Can someone act as our privacy officer (RPRP) for us?

Yes. If you’d rather not assign the role internally, the privacy officer function can be outsourced — handling requests, incident assessments, the incident register and ongoing governance. For a small business without a full-time privacy team, this gives you a named, accountable RPRP at a fraction of a full-time hire, in French and English.

Continue reading

Where do you stand on Law 25?

Take the free 2-minute self-check, or talk to a local, bilingual firm in Ottawa and Gatineau.