Resource · Personal Information Protection
Law 25 Explained: what every Quebec SMB needs to know
Obligations, deadlines, fines of up to $25 million, data hosting: here is the complete picture of Law 25, explained without legal jargon, and how Pratcom Media builds compliance into every project.
In a Nutshell
Law 25 is Quebec’s legislation modernizing the protection of personal information. Adopted in September 2021 and phased in from 2022 to 2024, it requires every business that collects personal information in Quebec, regardless of size, to obtain valid consent, protect data, report incidents, and appoint a privacy officer. Penalties can reach $25 million or 4% of worldwide revenue.
Understanding the Law
What is Law 25?
Law 25 (officially the Act to modernize legislative provisions as regards the protection of personal information) came into force progressively in three waves: September 2022, September 2023, and September 2024. It applies to any private business that collects, holds, uses, or discloses personal information in Quebec, whether it has 2 or 2,000 employees. A name, email address, phone number, or IP address collected by your website is enough for the law to apply to you.
Since 2022
Privacy Officer and Incidents
Every business must designate a privacy officer and maintain a privacy incident register. Any incident presenting a risk of serious harm must be reported to the Commission d’accès à l’information (CAI) and to the affected individuals.
Since 2023
Consent and Transparency
The bulk of the obligations: clear and granular consent for cookies and marketing, a privacy policy published in plain language, privacy settings enabled by default, and a privacy impact assessment (PIA) for sensitive projects.
Since 2024
Data Portability
Any individual may request to receive their personal information in a structured, commonly used technological format, or to have it transferred to another organization. Your systems must be able to export this data on request.
Ongoing
Minimization and Destruction
Collect only the information necessary for the stated purposes, retain it only for as long as required, then securely destroy or anonymize it. Collecting data “just in case” is no longer permitted.
The Module · Connect Privacy
Connect Privacy: automated compliance.
Connect Privacy is the compliance module within the Pratcom Connect suite. It automates the technical obligations of Law 25 on your website: granular consent banner (analytics, marketing, functional), automatic scanning of cookies and tracking tools, privacy policy generation, and a timestamped consent log, ready to present in the event of an audit. It installs in minutes on WordPress via the Pratcom Connect connector, works in both French and English, and your data remains hosted in Canada, exportable at any time.
Penalties and Fines
The cost of non-compliance.
Law 25 gave the Commission d’accès à l’information (CAI) real enforcement powers, aligned with the standards of the European GDPR. Three tiers of financial risk apply to businesses.
Administrative penalties
Up to $10M or 2%
The CAI may impose monetary administrative penalties of up to $10 million or 2% of worldwide revenue, whichever is greater. These target common violations: invalid consent, absence of a policy, failure to protect data.
Penal offences
Up to $25M or 4%
Serious offences (obstructing an investigation, failing to report an incident, illegal collection) are liable to penal fines of up to $25 million or 4% of worldwide revenue, whichever is greater. Amounts double for repeat offences.
Civil lawsuits
Punitive damages from $1,000
Any person harmed by an unlawful violation of a right granted by the law may claim damages. Where the violation is intentional or results from gross negligence, punitive damages of at least $1,000 are added, and class actions are possible.
Beyond the fines, the real cost is often the loss of client trust and the time spent managing a crisis. Prevention costs a fraction of the penalty.
Hosting and Canadian Servers
Where does your data sleep at night?
Law 25 does not prohibit hosting data outside Quebec, but it strictly regulates the practice: before any out-of-province transfer, the business must conduct a privacy impact assessment (PIA) and demonstrate that the information receives adequate protection. In practice, hosting on American servers also exposes your data to foreign laws such as the CLOUD Act. That is why Pratcom Media favors Canadian hosting for its clients’ websites and for the Pratcom Connect suite: data sovereignty, simplified compliance, reduced latency for your local visitors, and a concrete trust argument to present to your own clients.
Our Approach
How Pratcom integrates Law 25 into every project.
01
Initial Audit
We scan your site: cookies set, forms, tracking tools, existing policy. You know exactly where you stand.
02
Built-in Compliance
Consent banner, privacy policy, form and newsletter consent: compliance is built into the site from the start, not bolted on afterward.
03
Canadian Hosting
Sites and data hosted in Canada, encrypted communications, controlled access. Your information and your clients’ information stays here.
04
Ongoing Monitoring
The law evolves and so does your site. Tools change, cookies are added: we keep your compliance up to date with Connect Privacy.
Why It Matters
Much more than a legal obligation.
Law 25 is first and foremost a question of trust. Your clients entrust their name, email address, and business needs to your website; they expect that information to be protected. A business that is transparent about data management converts better: the consent banner, the clear policy, and rigorous practices have become signals of professionalism, just like a fast and polished website. Conversely, a poorly handled privacy incident costs clients, a reputation, and, since Law 25, substantial fines. For SMBs, compliance is also a competitive advantage: the majority of Quebec websites are still not compliant.
Frequently Asked Questions
Law 25: your questions.
Does Law 25 apply to my small business?
Yes. Law 25 applies to any private business that collects, holds, uses, or discloses personal information in Quebec, with no minimum size or revenue threshold. If your website has a contact form, a newsletter, or audience measurement tools, you are affected.
What are the fines under Law 25?
Three tiers: administrative penalties of up to $10 million or 2% of worldwide revenue, penal fines of up to $25 million or 4% of worldwide revenue (doubled for repeat offences), and civil lawsuits with punitive damages of at least $1,000 in cases of intentional violation.
Does my data have to be hosted in Canada?
It is not an absolute requirement, but any transfer of personal information outside Quebec requires a privacy impact assessment (PIA) demonstrating adequate protection. Hosting in Canada greatly simplifies compliance and protects your data from foreign laws. That is the practice of Pratcom Media for its clients.
Where do I start to comply with Law 25?
Four priority steps: designate a privacy officer, publish a clear privacy policy, install a granular consent banner for cookies, and take inventory of the personal information you collect. A site audit, such as the free check from Pratcom, quickly identifies the gaps.
Is Google Analytics compliant with Law 25?
Audience measurement tools may be used, but only with the visitor’s prior consent, since they set cookies and may transfer data outside Quebec. That is exactly the role of a compliant consent banner: no non-essential cookie loads before consent is given.
What does Connect Privacy actually do?
Connect Privacy automates the technical obligations of Law 25 on your website: granular consent banner, scanning of cookies and tracking tools, privacy policy generation, and a timestamped consent log. It installs in minutes on WordPress and works in both French and English.
Is your site compliant with Law 25?
Free, no-obligation check: we scan your site, identify the gaps, and tell you exactly what to fix.