What is Law 25?

Law 25, officially called the Act to modernize legislative provisions as regards the protection of personal information, came into effect in Québec in September 2022. It strengthens the protection of personal information for Québec residents and imposes strict obligations on organizations, including websites collecting user data.

Main Obligations for Websites

  1. Explicit and Informed Consent
    Websites must obtain clear, informed consent before collecting any personal information (e.g., name, email, IP address). This includes consent for cookies and tracking technologies.
  2. Accessible Privacy Policy
    A clear and accessible privacy policy must be available on the website. It should detail:
    • Types of data collected
    • Purpose of data use
    • Security measures in place
    • Users’ rights (access, correction, deletion)
  3. Appoint a Privacy Officer
    Organizations must designate a person responsible for data protection, with their name and contact information publicly available on the website.
  4. Privacy Impact Assessments (PIA)
    Before sharing personal information outside Québec, a privacy impact assessment must be conducted to evaluate associated risks.
  5. User Rights
    Users must be able to access, correct, or delete their personal data easily.
  6. Breach Notification
    In case of a data breach posing serious risk, the organization must notify both the Québec Commission d’accès à l’information and the affected individuals.
  7. Data Security Measures
    Appropriate technical and organizational measures must be implemented to protect personal information against unauthorized access, disclosure, alteration, or destruction.

Penalties for Non-Compliance

Organizations that fail to comply with Law 25 may face fines of up to CAD 10 million or 2% of global revenue, whichever is higher.

Key Takeaways for Website Owners

If your website collects, uses, or shares personal information from Québec residents, compliance with Law 25 is mandatory. This involves implementing technical and organizational measures to safeguard personal data and respect user rights.

Tools like CookieYes can help manage cookie consent to ensure compliance with Law 25.
