Quebec Law 25
Quebec Law 25 is a provincial privacy law in Canada that modernizes Quebec’s data protection framework and establishes new requirements for how organizations collect, use, store, and disclose personal information.
What is Quebec Law 25?
Quebec Law 25—formerly known as Bill 64—is a comprehensive privacy reform that strengthens protections for the personal information of individuals in Quebec. The law introduces requirements for consent, transparency, governance, automated decision-making, and breach notification.
It applies to both private-sector and public-sector organizations operating in Quebec or processing the personal information of individuals located in the province.
Law 25 aligns with global privacy principles and includes elements similar to the General Data Protection Regulation (GDPR, including privacy-by-design, data subject rights, and enhanced accountability obligations.
Why Quebec Law 25 matters
Law 25 gives individuals in Quebec expanded rights over their personal information, including the right to access, correct, and request deletion. It also introduces new rules around consent, profiling, biometrics, and disclosures outside Quebec.
For organizations, Law 25 introduces significant compliance requirements, including mandatory privacy impact assessments, governance policies, designated privacy officers, vendor oversight, and clear retention practices.
Non-compliance may result in substantial penalties and reputational harm, making adherence to Law 25 essential for any organization handling Quebec residents’ data.
How Quebec Law 25 is used in practice
- Ensuring consent is clear, informed, and compliant with provincial requirements
- Completing privacy impact assessments for projects involving personal information
- Publishing transparent policies and privacy notices
- Responding to access, deletion, and correction requests
- Managing cross-border data transfers and ensuring adequate safeguards
- Implementing breach notification requirements and internal governance controls
Related laws & standards
- General Data Protection Regulation (GDPR)
- California Privacy Rights Act (CPRA)
- Digital Operational Resilience Act (DORA)
- SOC 2
- India DPDPA
How OneTrust helps with Quebec Law 25
OneTrust helps organizations comply with Quebec Law 25 through automated assessments, centralized data mapping, rights request workflows, and governance reporting. The platform enables teams to manage consent, document PIAs, evaluate vendors, and maintain comprehensive records to meet evolving privacy obligations.
[Explore Solutions →]
FAQs about Quebec Law 25
Law 25 shares concepts with GDPR—including privacy-by-design and expanded rights—but applies specifically to Quebec and includes unique requirements for automated processing, profiling, and cross-border transfers.
Any organization operating in Quebec or processing personal information about individuals located in Quebec must comply, including organizations based outside Canada.
Yes. Organizations must notify both the regulator and affected individuals when a breach poses a risk of serious injury.
