
Does Quebec's Law 25 apply to your business? A plain-language guide

While a new federal privacy law keeps stalling in Ottawa, one Canadian privacy law is already fully in force and has real teeth: Quebec's Law 25. The surprise for many owners is that you don't have to be in Quebec for it to apply to you. If you handle the personal information of people in Quebec (customers, leads, even your own employees), it can reach your business.

Who Law 25 actually applies to

Law 25 governs how private-sector organizations collect, use, and share the personal information of people in Quebec, and it tends to follow the data, not your postal code. A business in Toronto, Vancouver, or outside Canada that serves Quebec customers, runs a storefront that takes Quebec orders, or employs people in Quebec can be on the hook. If you're not certain whether you touch Quebec residents' data, the safe assumption is that you might, and the rest of this guide is worth a read.

What it requires (the parts that matter for a small business)

The law is detailed, but for a small business the obligations that matter most are:

  • Appoint someone responsible for privacy. By default that's your most senior person, unless you formally designate someone else in writing, and you must publish their title and contact details.
  • Get consent the right way. Clear consent to collect and use personal data, express consent for sensitive information, and any function that identifies, locates, or profiles a person (which covers many website cookies and analytics tags) must be switched off by default and only turned on by that person.
  • Be transparent. A plain privacy policy, plus telling people when a decision about them is made exclusively by automated means.
  • Assess before sending data outside Quebec. Transferring personal information out of the province, including to a US cloud provider, requires you to evaluate the privacy risk first, including how well the law in the destination protects it.
  • Put the right clauses in vendor contracts. If a service provider handles personal data on your behalf, your agreement with them has to address it.
  • Report breaches. A confidentiality incident that poses a risk of serious harm must be reported to Quebec's regulator (the Commission d'accès à l'information) and to affected individuals, and every incident, reportable or not, goes into your incident register.
  • Honour individual rights. People can ask for their data in a portable format and, in certain cases, to have information de-indexed or deleted.

The penalties are not symbolic

This is the part that separates Law 25 from the privacy rules many businesses have quietly ignored. It carries some of the steepest privacy penalties in North America: penal fines can reach the greater of $25 million or 4% of worldwide turnover, with a separate administrative monetary penalty regime (up to the greater of $10 million or 2% of worldwide turnover) on top. Whether or not a maximum like that ever lands on a small business, the message is unmistakable: this is a law a regulator can actually enforce, unlike the federal framework that keeps dying on the order paper.

A sensible order to comply (you don't have to do it all at once)

For a small business, work through it in this order rather than trying to boil the ocean:

  • Name your privacy officer and publish their contact information.
  • Write or refresh a plain privacy policy that says what you collect, why, and how to reach that person.
  • Map your data: what personal information you hold, where it lives, and which vendors or clouds touch it, especially anything outside Quebec or Canada.
  • Fix consent on your website, starting with a cookie banner that genuinely asks before it tracks.
  • Make sure you can detect and report a breach, and know who you'd notify.
  • Update vendor contracts with the required privacy clauses as they come up for renewal.
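The cookie step above is the one most often done wrong: a banner appears, but the analytics and marketing tags have already fired by the time anyone clicks. Below is an added example (not code from the original guide or from any vendor) of a consent gate that keeps every non-essential tag off until the visitor opts in, re-asks when the policy version changes, and records the decision with a timestamp so you can show what was agreed to and when. The tag list, category names, storage key and policy version string are constructed for illustration, not Law 25 terminology.

```javascript
// Added example: consent-gated tag loading, off by default.
// Category names, the "consent" storage key and POLICY_VERSION are assumptions
// for illustration; TAGS is a constructed sample of third-party scripts.

const POLICY_VERSION = "2024-09"; // assumed: bump whenever the privacy policy changes

// Constructed sample: each tag names the consent category it needs.
const TAGS = [
  { id: "session-cookie", category: "necessary", src: "/js/session.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Default state: no optional category is on and nothing has been recorded.
function defaultConsent() {
  return { version: POLICY_VERSION, analytics: false, marketing: false, recordedAt: null };
}

// Read a stored record; a missing, malformed or stale (older policy version)
// record counts as no consent, so the banner must ask again.
function loadConsent(storage) {
  const raw = storage.getItem("consent");
  if (!raw) return defaultConsent();
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION) return defaultConsent();
    return { ...defaultConsent(), ...rec };
  } catch {
    return defaultConsent();
  }
}

// Record an explicit choice. Only a literal `true` switches a category on;
// anything else (undefined, "yes", 1) stays off.
function recordConsent(storage, choices, now = new Date()) {
  const rec = defaultConsent();
  for (const cat of ["analytics", "marketing"]) {
    if (cat in choices) rec[cat] = choices[cat] === true;
  }
  rec.recordedAt = now.toISOString(); // evidence of when the person agreed
  storage.setItem("consent", JSON.stringify(rec));
  return rec;
}

// Tags allowed under the current consent state: necessary ones always,
// optional ones only if that category is explicitly true.
function permittedTags(consent, tags = TAGS) {
  return tags.filter((t) => t.category === "necessary" || consent[t.category] === true);
}

// Load only what is permitted. `inject` is whatever actually inserts the <script>.
// Returns the ids that were loaded so the decision can be checked.
function applyConsent(storage, inject, tags = TAGS) {
  const allowed = permittedTags(loadConsent(storage), tags);
  allowed.forEach((t) => inject(t.src));
  return allowed.map((t) => t.id);
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}
```

In a page you would call `applyConsent(window.localStorage, src => { const s = document.createElement("script"); s.src = src; document.head.appendChild(s); })` once on load and again after the banner's buttons call `recordConsent`; on a fresh visit only the necessary tag loads. Bumping `POLICY_VERSION` invalidates every stored record, which is how you re-ask after a material change to your policy.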

None of this requires a law firm on retainer; it requires knowing what data you hold and handling it deliberately. Our broader guide to Canadian compliance maps how Law 25 fits with the other rules that may apply to you.

Not sure whether Law 25 reaches your business?

Talk to us
