Quebec Privacy Law

Loi 25 compliance, without the legalese.

Quebec's Law 25 fundamentally changed how private-sector organizations handle personal information. We help Canadian and international companies meet every operative requirement (privacy officer designation, PIAs, cross-border transfer assessments, breach response, and consent flows) without slowing your roadmap.

  • Penalties up to: 4% of global turnover
  • Typical readiness: 6–10 weeks
  • Language: Bilingual EN / FR

What Loi 25 actually requires

An Act to modernize legislative provisions as regards the protection of personal information, better known as Loi 25 or Quebec Law 25, was phased in between September 2022 and September 2024. It applies to every private-sector organization handling personal information of Quebec residents, anywhere in the world.

The operative obligations: designate a Person in Charge of the Protection of Personal Information, publish governance policies, run Privacy Impact Assessments before high-risk projects and cross-border transfers, obtain granular consent (separate from terms of service), notify the Commission d'accès à l'information (CAI) and affected individuals of confidentiality incidents posing a risk of serious injury, and honour the new individual rights: access, rectification, de-indexing, and data portability.

Where most organizations are exposed

After dozens of Loi 25 reviews we keep finding the same gaps:

  • No PIA discipline. New systems, vendor changes, and AI features ship without a documented impact assessment.
  • Cross-border transfers undocumented. Data flowing to US-hosted SaaS or parent companies without the required assessment of legal protections abroad.
  • Consent bundled into terms. Law 25 requires consent to be clear, free, informed, and given separately for each purpose.
  • Breach response on paper only. No tested playbook for the CAI 72-hour notification expectation.
  • Privacy officer in name only. Designated, but without delegated authority, training, or visibility into product changes.

How we run a Loi 25 program

Our work is run by senior practitioners, with no junior hand-offs. A typical engagement:

  1. Diagnostic (week 1–2). Data mapping, gap assessment against every Law 25 article, prioritized remediation plan.
  2. Governance build (week 2–4). Privacy officer charter, internal policies, PIA template, vendor due-diligence framework.
  3. Operational fixes (week 3–8). Consent flows, public notices, breach playbook, cross-border transfer assessments, record of processing activities.
  4. Embed (week 8–10). Training for product, engineering and customer teams. Light-touch ongoing review.

Deliverables are bilingual. We work alongside your legal counsel, not in competition with them.

Loi 25 and AI systems

If your product uses AI to make decisions about Quebec residents (credit, hiring, pricing, content moderation), Law 25 adds specific transparency obligations: notify the individual, explain the reasoning, and offer the right to request human review. We pair Loi 25 work with our AI governance practice (NIST AI RMF, ISO/IEC 42001, EU AI Act) so the same controls cover both regimes.

FAQ

Common questions

Who does Loi 25 apply to?
Any private-sector organization that collects, holds, uses or communicates personal information of Quebec residents, regardless of where the company itself is based. That includes Canadian businesses outside Quebec and foreign companies serving Quebec users.

What are the penalties for non-compliance with Law 25?
Administrative monetary penalties can reach the greater of $10 million or 2% of worldwide turnover. Penal fines can reach the greater of $25 million or 4% of worldwide turnover. The CAI may also order corrective measures, and individuals have a private right of action for damages.

Do we need to appoint a privacy officer?
Yes. Every organization must designate a Person in Charge of the Protection of Personal Information (the privacy officer) and publish their title and contact details on the company's website. By default the role falls to the person with the highest authority.

When is a Privacy Impact Assessment (PIA) required?
Before any project to acquire, develop or overhaul an information system or electronic service delivery involving personal information, before transferring personal information outside Quebec, and before any communication of personal information without consent for study, research or statistics.

How long does Loi 25 compliance typically take?
A focused readiness program runs 6 to 10 weeks for small and mid-size organizations: gap assessment, governance setup, PIA framework, breach response, cross-border transfer reviews, and updated public-facing notices. Larger or higher-risk environments take longer.

Your next enterprise contract is waiting on this.

  • Flat fee, total cost known up front
  • Canadian data residency available on paid engagements