Law 25, formerly known as Bill 64, is a major reform of Quebec’s Act Respecting the Protection of Personal Information in the Private Sector. Phased in between 2022 and 2024, it modernizes privacy requirements and strengthens individual rights. It introduces stricter consent rules, new obligations for businesses, and significant penalties for non-compliance.
If your website uses cookies that track user behavior or collect identifiers like IP addresses, you are obligated to notify users and secure their consent before activating non-essential cookies. This includes implementing clear cookie banners and privacy policies that outline what data is collected and why.
To comply with Law 25, take these actions:
Update privacy policy:
Maintain clear, up-to-date privacy policies.
Implement consent management:
Implement cookie consent banners, opt-out mechanisms, and means for consumers to withdraw consent
Data governance:
Appoint a privacy officer, a person responsible for personal information protection, and conduct privacy impact assessments where required
Data subject handling:
Establishing processes for handling data subject requests.
Data security:
Ensuring data security measures are in place and put measures in place for mandatory breach reporting
Law 25 applies to:
All private sector organizations operating in Quebec or handling the personal data of Quebec residents.
Businesses based outside Quebec if they offer goods/services to people in the province or monitor their behavior.
This includes SMEs, e-commerce businesses, service providers, nonprofits, and more.
Law 25 grants Quebec residents a wide range of rights over their personal data:
Know how and why their data is being collected.
Request a copy of their personal data.
Consumers can correct inaccurate or incomplete data.
Consumers can opt out of data processing at any time.
Consumers can request that their data be deleted.
Consumers can receive personal data in a structured, commonly used format.
Consumers can limit how their data is used under certain conditions.
Consumers have the right to be informed when there is a security breach involving their data.
Cookies that collect data linked to an identifiable individual—such as IP addresses, browser history, or geolocation—are considered personal information under Law 25. This means:
Users must actively agree to the use of such cookies.
Your site must offer clear choices (opt-in, opt-out).
Consent cannot be bundled or hidden in terms and conditions.
Cookie banners must be in place that:
Clearly state what types of cookies are being used and why.
Allow users to accept or reject non-essential cookies.
Not assume consent through continued browsing (no more pre-checked boxes or implied consent).
You must also update your privacy policy to reflect cookie use and purposes.
Organizations that fail to comply with Law 25 may face:
Administrative monetary penalties of up to 10 million CAD or 2% of global turnover, whichever is higher.
Penal fines up to 25 million CAD or 4% of global turnover, for more serious offenses.
Public reporting of violations by the Commission d'accès à l'information (CAI), Quebec's privacy authority.
To check your compliance with the Quebec’s Law 25, organizations should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
Law 25 applies to all private-sector organizations that collect, use, or disclose personal information about Quebec residents, regardless of the organization's physical location.
Personal data refers to any information that directly or indirectly identifies an individual, such as names, email addresses, IP addresses, and demographic or behavioral information.
Sensitive data includes information that, due to its nature or context, poses a higher risk to privacy—such as health data, financial data, biometric data, and data revealing racial or ethnic origin.
The Commission d'accès à l'information du Québec (CAI) is responsible for enforcing Law 25 and handling complaints, investigations, and penalties.
Public bodies are subject to different legislation (Access to Information Act), and purely personal or domestic data processing is exempt.
Visit the Commission d'accès à l'information (CAI) website for official documentation, compliance guidance, and updates.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
