Quebec's Law 25 (formerly Bill 64) reshaped Canadian privacy law in 2022 to 2024 and applies to any business that handles personal information of Quebec residents, regardless of where the business is located. For Ontario businesses with Quebec customers, employees, or vendors, Law 25 is not optional, even if you have never set foot in the province.
This piece covers what Law 25 requires that PIPEDA does not, where the friction sits for Ontario businesses in practice, and the steps to bring compliance up to standard without rebuilding your privacy program from scratch.
Why Ontario Businesses Care About Law 25
Law 25 has extraterritorial reach. Any business collecting, holding, or using personal information of a Quebec resident is subject to its requirements, even if the business operates entirely from Ontario, Alberta, or outside Canada. The triggers are common: a Quebec customer, a Quebec employee, a Quebec vendor whose representative is a resident, or a SaaS product available across Canada.
PIPEDA still applies federally and continues to govern interprovincial commerce. Law 25 is layered on top: where it is stricter than PIPEDA, you have to meet the stricter standard for Quebec personal information. In practice, that often means designing privacy controls to the Quebec floor, because the operational cost of running two privacy regimes for the same dataset is higher than just complying with the stricter one everywhere.
What Law 25 Requires (vs PIPEDA)
The headline differences from PIPEDA, after the staged rollout completed in September 2024:
- A named privacy officer is mandatory. Not just someone "responsible for compliance" but a specific named individual whose contact information is published.
- Privacy Impact Assessments are required for any system that involves significant personal information or cross-border transfer.
- Explicit consent is required for sensitive personal information and for new uses beyond the original purpose.
- Mandatory breach notification to the Commission d'accès à l'information and to affected individuals when there is a "risk of serious injury."
- Right to portability in a structured, commonly used technological format (similar to GDPR, not in PIPEDA).
- De-identification rules with specific technical standards.
- Automated decision-making notice when a decision affecting an individual is made exclusively by automated means.
For a side-by-side picture of how Canadian privacy law compares to GDPR for businesses with EU exposure, see our piece on PIPEDA vs GDPR.
The Privacy Officer Requirement
Under Law 25, the head of the enterprise is the default privacy officer unless someone else is designated in writing. The title and contact information must be published and made easily accessible to the public.
For an Ontario SMB with Quebec exposure, the practical implications:
- Pick someone who can do the job in practice (typically a co-owner, COO, or finance lead)
- Publish their contact information on your privacy page
- Give them authority to respond to access requests within 30 days
- Make sure they have a documented breach response process they can execute
The federal PIPEDA equivalent ("designated person responsible for compliance") is less prescriptive. Law 25 makes the role visible and accountable in a way that requires a real person, not a generic "privacy@" email alias.
Cross-Border Data Transfer
Before transferring personal information outside Quebec, you must conduct a Privacy Impact Assessment that considers: the sensitivity of the information, the purposes of the use, the protective measures in place, and the legal framework of the destination jurisdiction.
For Ontario businesses using US-based SaaS (which is most of them), this means documenting why the transfer is necessary, what protective measures exist (contractual, technical, organizational), and what the receiving party's obligations are. A signed Data Processing Addendum from your vendor is usually the core artifact.
Microsoft 365 with Canadian data residency, AWS Canada Central, and other Canadian-region cloud services reduce the friction substantially. They do not eliminate it, because operations and support staff may still be outside Canada, but they take the documentation burden from "build it yourself" to "rely on the vendor's published documentation."
Breach Notification Differences
PIPEDA requires breach notification when there is a "real risk of significant harm." Law 25 uses "risk of serious injury," which is broadly similar but interpreted by a different regulator (the CAI in Quebec, the OPC federally).
The practical differences:
- Two regulators may need to be notified for the same breach if it affects both Quebec residents and individuals in other provinces.
- A breach register is required. Law 25 requires you to maintain a register of every privacy incident, not just the notifiable ones. The CAI can request the register.
- Timing pressure is similar but not identical. Both require notification "as soon as possible," but the CAI has been more aggressive in enforcement timing than the OPC historically.
If you are building or refreshing a breach response plan, our cyber insurance documentation guide covers the artifacts you need for both insurance and regulatory notification, and our PIPEDA self-assessment scores your readiness against the federal floor.
Consent Standards
Law 25 raises the bar on consent quality. Consent must be given separately from any other information (no buried-in-the-terms consent), in clear language, for specific purposes. For sensitive personal information (health, biometric, financial details), express consent is required.
For an Ontario SMB, the consent flow audit usually surfaces:
- Marketing opt-ins bundled with terms acceptance (needs unbundling)
- Pre-ticked boxes (needs to be opt-in, not opt-out)
- Vague "for our business purposes" language (needs specific purposes)
- Cookie banners that imply consent through "continued use" (Quebec wants explicit consent for tracking cookies)
- Employee personal information collected without separate consent for non-employment uses (training videos, photos, references)
None of these are exotic fixes. They are copy edits and form refactors that PIPEDA already recommends and Law 25 makes mandatory.
Enforcement and Fines
Law 25 dramatically raised the penalty ceiling. The CAI can impose administrative monetary penalties up to CAD 10 million or 2 percent of worldwide annual turnover, whichever is greater, for serious violations. Penal sanctions can go up to CAD 25 million or 4 percent of turnover. These numbers are GDPR-class.
For most Canadian SMBs, the realistic risk is not the maximum fine but the cost of a complaint-driven investigation, the reputational damage, and the time spent responding. The CAI's public decisions through 2024 and into 2025 show the regulator is actively investigating, including against businesses based outside Quebec.
Practical Compliance Steps
For an Ontario business with Quebec exposure, the realistic checklist:
- Designate a named privacy officer and publish their contact information
- Update your privacy policy to address Law 25 explicitly
- Inventory which personal information categories touch Quebec residents
- Conduct Privacy Impact Assessments for any system that transfers Quebec personal information outside Quebec
- Audit consent flows for separation, clarity, and specificity
- Establish a breach register and breach response process aligned to both PIPEDA and Law 25 standards
- Document the technical and organizational safeguards in place
- Review vendor contracts for Data Processing Addendums and Quebec-specific clauses
Most of this work overlaps with PIPEDA compliance. If you have a solid PIPEDA program, you are 70 percent of the way to Law 25. The remaining 30 percent is documentation, named accountability, and consent refactoring.
For a structured starting point on the Canadian privacy stack, see our compliance guide for Ontario businesses. For the PIPEDA scoring baseline, run the free PIPEDA self-assessment. For managed compliance support across the federal and Quebec layers, see our IT consulting service page.
Need Help With Your IT?
ClayGen provides managed IT services, cybersecurity, and Microsoft 365 management for Ontario businesses.