
Quebec's Law 25: What Businesses Outside Quebec Still Need to Know

Quebec has overhauled its private-sector privacy law, and the change — known as Law 25 — is one of the most significant privacy developments in Canada in years. A common misconception is that it only matters to Quebec-based companies. It doesn’t.

This is a general overview, not legal advice — confirm your specific obligations with a qualified professional.

When Law 25 reaches beyond Quebec

Law 25 protects the personal information of people in Quebec. If your business handles the personal information of Quebec residents — customers, users, or employees — it can apply to you even if you’re based in Ontario, Alberta, or anywhere else. In a digital economy, plenty of businesses handle such information without realizing it.

What Law 25 requires

The law was phased in over several years and raises the bar considerably. Key obligations include:

  • A designated privacy officer. Someone must be accountable for privacy. By default it is the person with the highest authority in the organization, though the role can be delegated.
  • Breach reporting. Confidentiality incidents that present a risk of serious injury must be reported to Quebec’s privacy regulator and to affected individuals, and recorded in a register.
  • Privacy impact assessments. Certain projects — particularly those involving new technology or transfers of information — require a formal assessment.
  • Transparency and consent. Clear privacy information, and stricter rules on how consent is obtained, especially for sensitive information.
  • Stronger individual rights. Including access, correction, and — newer to Canadian privacy law — a degree of data portability.
  • Rules on data leaving Quebec. Transfers of personal information outside Quebec call for an assessment of the privacy protections in place.
  • Privacy by default. Where you offer a product or service to the public with privacy settings, the most protective settings should apply automatically.

The penalties got serious

This is the part that changes the calculation. Law 25 introduced steep administrative monetary penalties and fines that can climb into the millions or a percentage of worldwide turnover. Privacy is no longer a low-stakes box-ticking exercise.

What to do about it

You don’t need to panic, but you should find out where you stand:

  1. Determine if it applies. Do you hold personal information about people in Quebec?
  2. Assign accountability. Make sure a privacy officer is named.
  3. Review consent and transparency. Check that your notices and consent practices meet the higher bar.
  4. Get your breach process in order. You need to be able to detect, assess, report, and log incidents.
  5. Tighten your safeguards. Strong security is the foundation that makes everything else credible.

Where security fits

Several Law 25 obligations — breach detection and reporting, safeguarding information, assessing risk — depend directly on your security posture. You cannot report breaches quickly if you cannot detect them, and you cannot promise protection you haven’t actually implemented.

If you’re not sure whether Law 25 affects you, or how to close the gaps, get in touch. Our compliance and risk advisory team can help you make sense of it.
