
Navigating Quebec's Law 25

Eddy Udegbe
Understand Quebec's Law 25 for eCommerce compliance—penalties, consent, and steps to ensure data privacy.

Québec’s Law 25: A Deep Dive into Canada’s Most Stringent Privacy Law (and What It Means for Your Business)

Privacy laws around the world are tightening, but one of the most ambitious and broad-reaching regulations in North America isn’t U.S. federal law — it’s Law 25, the province of Québec’s modernized privacy regime. Originally introduced as Bill 64, Law 25 represents a fundamental shift in how organizations must collect, manage, and protect personal information — not just in Quebec, but for any business that handles the data of Québec residents.

If your company operates in Canada or serves customers in Québec, understanding Law 25 is critical — because its requirements touch governance, consent, accountability, data transfers, and even individual legal rights.

What Is Québec’s Law 25?

Law 25 is Québec’s modern privacy statute, designed to bring provincial protections in line with global data privacy standards like the General Data Protection Regulation (GDPR). It applies to both public and private organizations that collect, use, disclose, store, or transfer personal information of individuals in Québec. Importantly, its reach isn’t limited to Québec-based companies — any organization handling Québec residents’ data is in scope.

The law has been rolling out since September 2022, with the most significant provisions in effect since September 22, 2023, and additional rights (like data portability) coming into force in 2024.


Key Principles and Requirements

Law 25 introduces a set of privacy obligations that go far beyond traditional consent mechanics, emphasizing accountability and individual rights.

1. Governance and Accountability

Every organization must:

  • Designate a privacy officer (or equivalent) responsible for compliance.
  • Maintain documented policies and procedures governing personal information.
  • Ensure personnel are trained and aware of privacy responsibilities.

Law 25 even assumes the CEO as the default privacy officer if no one is formally appointed.

2. Consent and Transparency

Consent must be clear, informed, specific, and given freely for each purpose — much like GDPR’s standards. Organizations must also disclose:

  • What they collect
  • Why it’s collected
  • Who it’s shared with
  • How long it’s kept

For individuals under 14, parental consent is specifically required.

3. Privacy by Default

Law 25 mandates confidentiality by default, meaning systems and services must be configured in the most privacy-protective settings without any action by the data subject.

4. Privacy Impact Assessments (PIAs)

Organizations must conduct Privacy Impact Assessments when:

  • Implementing new technologies or systems
  • Transferring personal information outside of Québec
  • Introducing services that pose heightened privacy risk

PIAs help identify and mitigate risks before the processing begins.

5. Data Subject Rights

Québec residents gain robust data subject rights under Law 25, including:

  • Right to access personal information
  • Right to correction
  • Right to deletion (“right to be forgotten”)
  • Right to data portability (effective September 2024)
  • Right to object to automated decision-making
  • Right to be informed about third-party sharing

These rights closely mirror global privacy norms but are unique in some aspects — like data portability implementation specifics under Québec law.

6. Breach Notification

Confidentiality incidents that pose a risk of serious harm must be reported to both the Commission d’accès à l’information (CAI) and affected individuals. Processes for logging and responding to incidents are required.

7. Cross-Border Data Transfers

If personal data is transferred outside Québec (including international transfers), organizations must:

  • Assess whether the destination provides a similar level of protection
  • Conduct a PIA
  • Put contractual safeguards in place
  • Inform the data subject

This mimics GDPR’s approach to international transfers, reflecting Québec’s emphasis on protecting data regardless of geography.


Penalties and Enforcement

Law 25 empowers both administrative and judicial enforcement:

  • Administrative penalties up to the greater of CAD 10 million or 2% of worldwide turnover for violations such as failure to implement privacy policies, report breaches, or obtain proper consent.
  • Judicial penalties for serious offenses can reach CAD 25 million or 4% of worldwide turnover.
  • Private right of action allows individuals to seek statutory damages directly — including collective action claims.

These sanctions make Law 25 one of the most consequential privacy laws in North America, outstripping many regional U.S. laws in both scope and enforcement power.


PieEye POV

Whether you’re a Quebec-based company or serve users there, Law 25 requires a privacy-centric operational framework. Here are compliance steps to take now:

  • Appoint a privacy officer and publish their contact info.
  • Audit personal data collection and ensure purpose-specific consent.
  • Implement privacy policies and PIA processes for new initiatives.
  • Configure systems for privacy by default — no unnecessary tracking.
  • Build workflows for breach reporting and data subject rights.
  • Update contracts with third parties to ensure adequate protection and compliance.

Approaching Law 25 with a proactive privacy mindset — rather than a reactive checklist — will help your organization build durable trust with customers and minimize both legal and operational risk.

Law 25 and Your Shopify/BigCommerce Store

If you run a Shopify, BigCommerce, or similar eCommerce platform serving Québec customers, Law 25 compliance starts with your tech stack. Your store collects personal information constantly — email addresses at checkout, phone numbers for shipping, payment card data (handled by payment processors), and behavioral data through tracking pixels and analytics.

Here's what you need to do:

Cookie banners and consent management — Install a consent management platform that lets visitors opt in or out of non-essential cookies before your store loads tracking scripts. This applies to Google Analytics, Meta Pixel, Klaviyo email tracking, and any third-party apps that place cookies. Don't assume app defaults are compliant; audit each integration.

Privacy policy and terms — Your Shopify store's privacy policy must explicitly state what data you collect (email, address, browsing behavior), why, who you share it with (payment processors, email platforms, shipping partners), and how long you retain it. Link to this policy in your footer and at checkout.

Third-party vendors — Review your app integrations (email marketing, reviews, SMS, loyalty programs). Each vendor processing Québec customer data must have a data processing agreement in place. Many Shopify apps don't automatically comply with Law 25, so ask vendors directly about their Québec readiness.

Checkout transparency — At the point of collection, tell visitors why you're asking for their information. If you're building an email list, be explicit: "We'll use your email to send marketing messages" rather than burying consent in a checkbox.

Law 25 doesn't prohibit marketing — it just requires clarity and genuine choice upfront.
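The consent gating described above (and the "opt-in before the pixel fires" point in the vendor section) as an added example, not code from the original post or from any of the vendors named: non-essential trackers stay unloaded until the visitor opts in to their category, withdrawal unloads them, and every decision is logged. The tracker names and the `load`/`unload` callbacks are assumptions; in a real store the callbacks would inject or disable the vendor's script tag.

```javascript
// Added example (not from the original post). Tracker names and the
// load/unload callbacks are assumptions standing in for vendor script tags.

const CATEGORIES = ["analytics", "marketing"];

function createConsentGate(trackers) {
  // Privacy by default: every non-essential category starts denied.
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const loaded = new Set();
  const auditLog = []; // evidence of each consent decision and its source

  function apply(choices, source) {
    for (const cat of CATEGORIES) {
      if (typeof choices[cat] === "boolean") consent[cat] = choices[cat];
    }
    auditLog.push({ source, ...consent });
    for (const [name, t] of Object.entries(trackers)) {
      const allowed = consent[t.category] === true; // unknown category => denied
      if (allowed && !loaded.has(name)) {
        t.load();
        loaded.add(name);
      } else if (!allowed && loaded.has(name)) {
        if (t.unload) t.unload(); // consent withdrawn: stop the tracker
        loaded.delete(name);
      }
    }
    return [...loaded].sort();
  }

  return { apply, state: () => ({ ...consent }), log: () => auditLog.slice() };
}

// Constructed walk-through: record which vendor scripts would be injected.
function demo() {
  const injected = [];
  const gate = createConsentGate({
    googleAnalytics: { category: "analytics", load: () => injected.push("ga") },
    metaPixel: { category: "marketing", load: () => injected.push("fbq") },
    klaviyo: { category: "marketing", load: () => injected.push("klaviyo") },
  });
  const onPageLoad = injected.slice();            // [] : nothing fires before the banner
  gate.apply({ analytics: true }, "banner");      // visitor allows analytics only
  const afterBanner = injected.slice();           // ["ga"]
  gate.apply({ marketing: true }, "preferences"); // later opts in to marketing
  const afterPrefs = injected.slice();            // ["ga", "fbq", "klaviyo"]
  return { onPageLoad, afterBanner, afterPrefs, log: gate.log() };
}
```

The audit log is what you show a regulator when asked to prove a given pixel did not fire before consent.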

Handling Data Subject Rights Requests

Québec residents have the right to access, correct, delete, and port their data. For an eCommerce business, this means you need operational processes in place to respond within 30 days.

Access requests — A customer can ask for all personal information you hold about them. You'll need to query your systems (store database, email platform, analytics, support tickets, etc.) and compile a response. If you use Klaviyo, Shopify's customer database, Google Analytics, and a third-party loyalty app, each one may contain data about that person.

Deletion requests — Customers can ask to be forgotten. This is complex for eCommerce because you have legitimate legal reasons to retain some data (payment records for tax/fraud prevention, order history for refunds). Law 25 recognizes exceptions for legal obligations, but you'll need to decide what stays and what goes — and document your reasoning.

Data portability — Starting September 2024, residents can request their data in a portable, machine-readable format (typically CSV or JSON). This means exporting customer records, order history, and communication logs in a structured way.

Correction requests — Customers can ask you to fix incorrect information. Set up a simple process: log the request, verify the inaccuracy, correct it in all systems, and confirm with the customer.

Implement a simple intake form on your website, or route DSAR emails to a dedicated privacy inbox. Track each request with a log (who, what data, when received, when resolved). Document everything — regulators will ask.
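The request log and the deletion decision described in this section, as an added example that is not part of the original post: each request gets a due date 30 days from receipt, a deletion request is resolved category by category against a retention schedule (erase what has no legal basis, keep and document the rest), and overdue requests can be listed. The data categories and retention reasons are constructed placeholders that a store would replace with its own documented schedule.

```javascript
// Added example (not from the original post). The 30-day window is the one
// the post cites; categories and retention rules are constructed placeholders.

const RESPONSE_DAYS = 30;

// Which categories a legal obligation requires the store to keep after a
// deletion request, with the reasoning that goes into the decision record.
const RETENTION_RULES = {
  marketing_profile: { retain: false, reason: "no basis once consent withdrawn" },
  order_history: { retain: true, reason: "needed for refunds and disputes" },
  payment_records: { retain: true, reason: "tax and fraud-prevention obligations" },
};

function addDays(isoDate, days) {
  const d = new Date(`${isoDate}T00:00:00Z`);
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString().slice(0, 10);
}

function createRegister() {
  const requests = []; // who, what, when received, when resolved
  const find = (id) => requests.find((x) => x.id === id);
  return {
    open(id, subject, type, received) {
      const req = { id, subject, type, received, due: addDays(received, RESPONSE_DAYS),
        status: "open", resolved: null, decisions: [] };
      requests.push(req);
      return req;
    },
    // Deletion: erase what has no retention basis, keep and document the rest.
    // An unknown category is refused rather than silently erased or kept.
    decideDeletion(id, heldCategories) {
      const req = find(id);
      for (const cat of heldCategories) {
        const rule = RETENTION_RULES[cat];
        if (!rule) throw new Error(`no retention rule for ${cat}`);
        req.decisions.push({ category: cat, action: rule.retain ? "retain" : "erase",
          reason: rule.reason });
      }
      return req.decisions;
    },
    close(id, resolved) { Object.assign(find(id), { status: "closed", resolved }); },
    // Open requests past their due date (ISO dates compare correctly as strings).
    overdue(today) {
      return requests.filter((r) => r.status === "open" && r.due < today).map((r) => r.id);
    },
  };
}
```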

Privacy Impact Assessments for eCommerce Operations

Law 25 requires a Privacy Impact Assessment (PIA) when you introduce new technologies or systems that involve personal data. For eCommerce brands, this isn't a one-time exercise — you'll need PIAs as your business grows.

Common triggers for eCommerce:

  • Implementing a new email marketing platform or switching from Klaviyo to Omnisend
  • Adding a live chat or chatbot tool that logs conversations
  • Launching a loyalty or rewards program that tracks purchase history
  • Integrating a third-party analytics tool beyond Google Analytics
  • Setting up customer behavior tracking or heatmaps on your Shopify store
  • Automating customer segmentation for personalized recommendations

What a PIA includes:

Describe the processing (what data, from whom, for how long). Identify risks (e.g., "we're storing customer email and purchase history; risk is unauthorized access or selling data to third parties"). Propose mitigations (encryption, access controls, vendor agreements). Get sign-off from your privacy officer or leadership.

You don't need a 50-page document — a one-to-two page assessment is often sufficient — but it shows you've thought through privacy before launching. This protects you legally if something goes wrong and helps you avoid expensive retrofitting later.

If you're a growing DTC brand handling thousands of Québec customers, running PIAs for each new tool becomes routine. It's an investment in sustainable compliance, not a box to check once.

International Data Transfers and Your Vendors

Many eCommerce brands use U.S.-based vendors (Shopify, Google Analytics, Meta, Klaviyo, payment processors). Under Law 25, transferring Québec customer data to these companies requires assessment and contractual safeguards.

The transfer rule: Personal data can only leave Québec if the destination country provides "substantially similar" privacy protection. The U.S. doesn't have an omnibus federal privacy law like GDPR or Law 25, which means you can't assume it's adequate.

What this means in practice:

  • Conduct a PIA for each cross-border transfer (required by Law 25).
  • Use data processing agreements with your vendors that include standard contractual clauses or similar legal mechanisms.
  • Ensure your vendors commit to protecting data to Law 25 standards, even if they're based in the U.S.
  • Document your transfer rationale: "We use Shopify because [reason], and Shopify has committed to protect customer data under [mechanism]."

Vendor examples:

  • Shopify — U.S.-based, but has published commitments to GDPR and data protection. Review their Data Processing Addendum (DPA).
  • Google Analytics — U.S.-based. Consider using privacy-focused settings (anonymize IP, disable third-party sharing) or switching to a privacy-friendly alternative like Plausible or Fathom.
  • Meta Pixel — U.S.-based. Required for Québec customers, but ensure your consent banner captures opt-in before the pixel fires.
  • Klaviyo — U.S.-based email platform. Requires a DPA and clear consent for email marketing.

You don't need to stop using these tools, but you do need to document your transfer assessment and ensure contracts reflect Law 25 obligations. Many vendors are now offering Law 25-specific terms.

If
