Are you ready for Law 25?

Phase 2 of Law 25 has been deployed on September 22nd. It aims to modernize the legislative provisions governing personal information. The purpose of this law is to protect, respect and defend the personal information of individuals and preserve their rights and freedoms. 

What exactly is Law 25?

Law 25 was assented to on September 22, 2021. Quebec became the first Canadian province to modernize the obligations of businesses with regard to the protection of personal information and to extend the rights of individuals. It has been adapted to meet current and future technological realities.  

The law requires companies that collect personal data from Quebec citizens to protect this information appropriately. The use of personal data must comply with your privacy policy.

This law applies to all organizations that collect, use, communicate or retain personal information about Quebecers.

For Quebecers, it means clear rights and better protection of their personal information.  

What personal information means

Any information that directly or indirectly identifies a person is considered personal information. The information may be written, graphic, recorded, filmed, computerized or other. For example, one of your customers could be identified by cross-referencing his or her occupation with his or her postal code, or by referring to his or her employee number. It is important to collect only the information required for the purposes for which it is intended.  

Does this apply to me as a company?

The law applies to all types and sizes of businesses that handle personal information. Self-employed workers, SMEs, NPOs, large organizations or public bodies are all concerned by this law.

It doesn’t just happen to other people. The risk of personal information leakage is very real. In Canada, in 2021, nearly 1 in 5 companies reported having been the victim of a cyber-attack. But the law also affects your company’s operations. It may lead to changes in the way you do business.  

Between September 22, 2022 and March 31, 2023, the Commission received 218 reports of confidentiality breaches.  


3-stage deployment

The new Act is being phased in over 3 stages, from September 22, 2022 to September 22, 2024.  Each phase contains a series of measures to be deployed in terms of compliance, governance, and obligations.  

What if I don’t comply?

The Commission d’accès à l’information can impose administrative or penal sanctions on offenders. For your company, the penalties could be as high as: 

  • 2% of worldwide sales or $10 million in administrative penalties for private companies that fail to apply the regulations.
  • 4% of sales or between $15,000 and $25 million in criminal penalties for gross negligence or malicious intent. 
  • Public institutions are exposed to 2 categories of penalties: 
  • From 3 000$ to 30 000$
  • From 15 000$ to 150 000$
  • For individuals, penalties range from $500 to $100,000.

Beyond the penalties, an incident can incur costs, damage your reputation and reduce the confidence of your customers and employees. It can also lead to lost sales and higher insurance premiums. 

The 3 benefits of compliance

Law 25 brings peace of mind to an organization’s employees and managers. An organization that complies with the law reduces its reputational risk by implementing market-standard practices. It is also a vote of confidence for its managers and customers.    

It’s not too late to act 

Several steps and activities must be carried out to comply with Law 25. The requirements vary from one company to the next, as the solution must be adapted to the organization’s activities. 

At GFT, we have carried out several projects and interventions to help organizations achieve peace of mind and compliance. We work hand in hand with your legal representatives and those responsible for activities that handle personal information to ensure proper and proportionate application of the law. 

See what GFT can offer you here: Did you apply Law 25? (


The Commission d’accès à l’information du Québec defines consent as a reflexive act. Consent must be:  

Manifest: obvious, certain and indisputable; 
Free: without constraints; 
Enlightened: precise, rigorous and specific; 
Given for specific purposes with a duration: i.e. they cannot be used in other cases. The duration is not necessarily linked to a number of days, months or years. It may refer to a specific event or situation.  

As of September 22, 2023, a valid consent will also have to be: 

Granular: required for each specific purpose; 
Understandable: asked in clear, simple terms;
Distinct: requested separately from any other information, when the request is made in writing. 




Le consentement à la communication des renseignements personnels | Commission d’accès à l’information du Québec ( 
Déclarations d’incidents de confidentialité | Commission d’accès à l’information du Québec ( 
Doing business in Quebec | Privacy legislation | Canada | Cabinet juridique mondial | Norton Rose Fulbright 
Le Quotidien — L’incidence du cybercrime sur les entreprises canadiennes, 2021 ( 
Loi 25 : tout sur la protection des renseignements personnels ( 
Loi 25 : les entreprises sont-elles prêtes? – Corporation des concessionnaires automobiles du Québec ( 
Présentation PowerPoint (  

Hybrid and multicloud

Learn how cloud and multicloud drive transformation!

Download now