You must comply with the new Law 25, but you don’t know how?

To make your life easier, we took the time to demystify this law, which may seem complicated because of certain gray areas. First, be aware that the new responsibilities and obligations relating to this law will be introduced gradually, until September 2024.

A list of definitions for certain terms used in this law can be found at the end of this page.

Summary of the main obligations applying to private businesses

Since September 22, 2022:

  • Designate a person in charge of the protection of personal information.
  • In the event of a confidentiality incident involving personal information:
    1. Take reasonable measures to reduce the risk of injury being caused to the persons concerned, and to prevent new incidents of the same nature from occurring;
    2. Notify the Commission d’accès à l’information du Québec (CAI) and the person concerned, by completing this form (in French);
    3. Keep a register of confidentiality incidents, which a copy of it must be sent to the Commission at its request.
  • Respect the new rules for the communication of personal information without the consent of the person concerned (in French) for study, research or statistical purposes, and in the context of a commercial transaction.
  • Conduct a Privacy Impact Assessment (in French) before communicating personal information without the consent of the person concerned, for study, research or statistical purposes.
  • Notify the Commission before carrying out an identity verification or confirmation by using biometric characteristics or measurements, by completing this form (in French).

Effective on September 22, 2023:

  • Develop a policy on practices that regulates the business governance on the protection of personal information.
    This policy must provide:
    1. Rules applicable to the retention and destruction of personal information;
    2. The roles and responsibilities of staff members throughout the life cycle of personal information;
    3. A privacy complaints process.
  • Respect the new transparency obligations.
  • Obtain, in advance, the person’s free and informed consent to collect, communicate and use their personal information and comply with the new consent rules.
  • Destroy personal information when the purpose of its collection is accomplished or make it anonymous to use it for serious and legitimate purposes, subject to the conditions and retention period provided for by law.
  • Conduct a privacy impact assessment when required by the law, for example, before disclosing personal information outside Quebec*.
    *The communication of personal information outside Quebec can only take place if the evaluation shows that the information benefits from adequate protection.
  • Respect the right to de-indexation and the cessation of dissemination, meaning that individuals will be able to ask companies to stop disseminating their personal information or to de-index any hyperlink attached to their name that provides access to the information if this dissemination causes them injury or contravenes the law or court order (right to be forgotten).
  • Comply with the new rules for the communication of personal information facilitating the grieving process, that is to say, an organization may release personal information concerning a deceased person to the spouse or a close relative of the person if knowledge of this information is likely to help this person in his grieving process unless the deceased person has recorded in writing his refusal to grant such a right of access.
  • Respect the new rules regarding the collection of personal information concerning a minor under the age of 14, stating that personal information concerning a minor under the age of 14 can no longer be collected from him, without the consent of the person having parental authority or of the tutor.
  • Obligation to provide, by default, the parameters ensuring the highest level of confidentiality of a technological product or service offered to the public*.
    *This provision does not apply to privacy settings for browser cookies.

To be implemented as of September 22, 2024:

Respond to requests for the portability of personal information [i.e., to communicate, at the request of a person concerned, his or her personal information].


Personal Information

“Personal information concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned.”

Please note that the definition does not refer to information relating to a legal person (i.e. information concerning a business).

Confidentiality incident

“Confidentiality incident” means:

  • access not authorized by law to personal information;
  • unauthorized use by law of personal information;
  • communication of personal information not authorized by law;
  • loss of personal information or any other breach of the protection of such information.

Biometric characteristics and measurements

These are unique characteristics, resulting from biometric analysis, which make it possible to identify or authenticate a person.

There are 3 main categories of biometrics:

  1. Morphological biometrics - based on the identification of specific physical traits. It includes the recognition of fingerprints, the shape of the hand, the face, the retina and the iris of the eye;
  2. Behavioural biometrics - based on the analysis of certain behaviours of a person, such as the tracing of his signature, his voice, his way of typing on a keyboard, and so on;
  3. Biological biometrics - based on the analysis of a person's biological traces, such as DNA, blood, saliva, urine, and odours.

To know more about biometrics, see this accompanying guide (French only).