Skip to content

Law 25: You're Not Exempt And The Fines Will Sting

Law 25 on the protection of personal information affects businesses of all sizes, and fines for non-compliance can run up to 2% – even 4% – of your annual worldwide revenue if you do business in Quebec.

September 19, 2023

Laurence Biron & Joëlle Boutin

To little fanfare, Law 25 to modernize the protection of personal information came into effect in 2022. It is now set to enter a new implementation phase as of September 22, 2023, that affects all businesses, organizations, and municipalities – and even the Quebec government. Sooner or later, no matter the size of your organization, you will have to comply or face stiff penalties.

Law 25 overview

Law 25 is a major update to the laws that protect Quebecers’ digital personal information. Drawing heavily upon European legislation, it directly addresses people’s growing concerns about how their data is used. It requires organizations to implement specific measures to ensure that data is protected

Exactly what data does Law 25 protect?

The Commission d’accès à l’information (CAI) defines personal information as information which relates to a natural person and allows that person to be identified. Personally identifiable information must therefore be handled with care to protect privacy. It may not be collected or shared without consent from the person affected, with some exceptions.

For businesses, personal information includes any data that can identify clients, suppliers, partners, employees and even prospective job candidates. Any chance you have a large bank of resumes? Identifiable information includes a person’s full name, social insurance and driver’s licence numbers, personal email address and telephone number, home address, biometric data (like their fingerprint) and credit card number, to list only a few.

You also have to consider information that, when combined, can indirectly identify a person, such as age, gender, profession, level of education, location data, consumer preferences and other demographic and behavioural data.

At this point, you should be asking yourself what kinds of personal information you have stored on workstations, in filing cabinets and in the cloud. Do you know where that data is? And crucially, is that data secure?

Until you become the victim of a data leak or cyberattack, securing sensitive personal information is probably not your priority. But when it happens, the risk to your business extends far beyond the fines imposed by Law 25, which can range from 2% to 4% of your worldwide revenue. While those penalties will sting, the impact to your credibility and reputation in the eyes of your clients, suppliers and employees will be far worse.

What causes personal information leaks?

Cybersecurity incidents and data breaches are often caused by very simple mistakes, like making accidental or unauthorized disclosures, falling prey to phishing (clicking a link in an email that appears to be legitimate), a cyberattack (viruses or spyware) or ransomware, or suffering a technical failure. What’s more, with phishing and cyberattack techniques constantly evolving and becoming more sophisticated, you will need to redouble your efforts to protect against them.

And by the time it’s detected, it’s very hard to put the data breach genie back in the bottle. Would’ve, could’ve, should’ve won’t save you.

Now is the time to act – not only to comply with Law 25 and avoid fines that can cost you millions, but also and most importantly to strengthen your bond of trust with key partners and protect your reputation. Not to mention maintaining control over your information assets.

Now what?

In the short term, you should seek compliance with Law 25. There are several steps to this, which we can help you with (including by steering you toward available funding). You can also complete a self-diagnostic on

By now, you should have appointed a privacy officer who is in charge of notifying those affected by a confidentiality incident (breach). By September 22, you have to take the next step, which means adopting policies and practices on personal data handling, publishing detailed information about these practices on the company website, conducting a privacy impact assessment and complying with new rules around consent to collection. To know all the steps to follow, access our checklist.



*By clicking on "Access", you consent to the collection of the following data by LEVIO in order to process and track your request to access its checklist. (For more information, please visit the following link:

Is being compliant enough?

Complying with Law 25 helps shield your data to a degree, but it can’t protect your company from cyberattacks.

To help you detect potential leaks and mitigate risk, we highly recommend implementing solutions to identify and classify the data you own and monitor for attacks in real time. This is far more affordable than you’d think, and definitely less expensive than the penalties and reputational damage that result from a breach. By taking these steps, you’ll also position yourself as a leader and bolster your partners’ confidence in you.

After all, your success depends on your client’s, supplier’s and employees’ hard-earned trust.