Law 25 Guide

Scope and definitions

Who Law 25 applies to, since when, the key terms to know (personal information, sensitive information, privacy officer) and what the Act does not cover.

Updated April 19, 2026 · 5 min read · Written by Pascal Dupuis · Tags: scope, definitions, CAI, PPIPSA

Law 25 is a major overhaul of the Act respecting the protection of personal information in the private sector (PPIPSA, CQLR c. P-39.1). It imposes obligations on Quebec businesses that are comparable to — and sometimes stricter than — the European GDPR.

Who does Law 25 apply to?

The PPIPSA applies to any person who carries on an enterprise within the meaning of article 1525 of the Civil Code of Québec and who, in the course of that enterprise, collects, holds, uses or communicates personal information, whether on paper or in digital form (s. 1 PPIPSA).

In practice, this covers:

  • all private businesses established in Quebec (inc., enr., private cooperatives, NPOs engaged in economic activity);
  • out-of-province businesses that collect personal information from Quebec residents in the course of an economic activity (e-commerce, cloud services, digital platforms);
  • regulated professionals (lawyers, accountants, physicians, notaries) for their practice, on top of their own deontological obligations.

Public bodies (ministries, municipalities, schools, hospitals) are subject to the Act respecting Access to documents (CQLR c. A-2.1), a separate statute. This guide does not cover it.

When did Law 25 come into force?

The Act was passed in September 2021 (Bill 64) and came into force in phases:

  • September 22, 2022: designation of a privacy officer · mandatory breach notification to the CAI and affected individuals · incident register.
  • September 22, 2023: strengthened consent · right to information · privacy impact assessments (PIA) · personal information governance policy · communication of personal information for study, research or statistics · limits on automated decision-making without human intervention.
  • September 22, 2024: right to data portability (on request, in a structured and commonly used technological format).

As of today (April 2026), all provisions are in force. A business that has not started its compliance journey is therefore nearly two years behind on the most demanding obligations.

Key definitions

Personal information

Personal information is any information that relates to a natural person and that allows, directly or indirectly, that person to be identified (s. 2 PPIPSA).

Typical examples:

  • name, address, phone number, email;
  • social insurance number, health insurance number, driver's licence;
  • IP address when it can be linked to an identifiable individual;
  • device identifiers, persistent tracking cookies;
  • HR files, payroll, performance reviews;
  • customer records (purchases, invoices, correspondence);
  • biometric data (fingerprints, facial recognition, voice).

Remember: information does not need to be sensitive to be protected. An employee's family name and work email are already personal information.

Sensitive personal information

Information is sensitive if, due to its nature (notably medical, biometric or intimate) or the context in which it is used, it warrants a high degree of reasonable expectation of privacy (s. 59 PPIPSA).

Sensitive categories include:

  • health information (diagnoses, medical records, test results);
  • biometric and genetic data;
  • detailed financial information (card numbers, account details, creditworthiness);
  • information of a sexual nature or relating to intimate life;
  • information revealing ethnic origin, religious or political opinions, or union activity.

Sensitive information requires a higher level of protection (explicit consent, encryption, access logging, shorter retention periods).

The person concerned

The person concerned is the individual to whom the information relates. They hold the rights provided by the Act (access, rectification, portability, de-indexing, withdrawal of consent).

Privacy officer

The person in charge of the protection of personal information (often shortened to privacy officer) is the natural person designated by the enterprise to oversee compliance with the Act (s. 3.1 PPIPSA). By default, this role belongs to the person with the highest authority in the enterprise — but it can (and should) be delegated in writing to an executive or an external mandatary.

Their contact information must be published and accessible, notably on the enterprise's website.

At Hilo Tech, Pascal Dupuis holds this role internally (public details). For clients, we support their designated privacy officer on the IT side: tooling, technical controls, data-flow mapping, operational training of the internal team. Legal analysis and the drafting of official policies are handled by a lawyer appointed by the client — we do not replace legal counsel.

Collection, use, communication, retention

The Act distinguishes four life-cycle stages of personal information:

  • Collection — obtaining the information from the person concerned or a third party (s. 5 and following).
  • Use — leveraging the information inside the enterprise for a specific purpose (s. 12).
  • Communication — transmitting the information to a third party, with or without a contract (s. 17 and following, 18.3).
  • Retention — storing the information for as long as necessary, then destroying or anonymizing it (s. 23).

Each stage has its own rules and consent constraints. See the Consent chapter for detail.

What Law 25 does NOT cover

The Act does not apply to:

  • information used solely for personal purposes (e.g. a personal address book, a private journal);
  • information collected in the context of journalistic, artistic or literary activities (s. 1 para. 2);
  • public bodies, which are subject to the Act respecting Access to documents (CQLR c. A-2.1);
  • information that has been made public by the person concerned (e.g. a public profile on social media), subject to use that remains consistent with the purpose for which it was made public.

Be careful: these exclusions are narrow. A CRM that holds business contacts scraped from LinkedIn remains subject to the PPIPSA.

Quick checklist

  • We've confirmed that at least some of our activities fall under the PPIPSA.
  • We've designated a privacy officer and published their contact information.
  • We know what personal information we collect, from whom and for what purpose.
  • We've classified our data between ordinary and sensitive.
  • We've documented the life-cycle stages (collection → use → communication → retention → destruction).

Common mistakes we see in the field

  • "We're too small to worry about it." — The PPIPSA has no size or revenue threshold. A 3-employee business is subject to the same regime as a 3,000-employee one.
  • Designating the CEO without training. — The privacy officer must understand their obligations. An ill-informed CEO exposes the whole enterprise when an incident happens.
  • Confusing personal information with technical data. — A website visitor's IP address can be personal information when it can be linked to an identifiable individual (notably in combination with other data).

Questions to settle early on:

  • Do we have operations outside Quebec that trigger other laws (federal PIPEDA, European GDPR, California CCPA/CPRA)?
  • Is our NPO subject to the PPIPSA because of its economic activity?
  • Does our group structure (parent company, subsidiaries) require a privacy officer per entity or a single officer for the group?