Compliance Education

Law 25 for small businesses: The five obligations that actually apply to you

Quebec's Law 25 applies to businesses with just one employee. Here are the five core obligations that matter most for small business compliance.

By Augure

Quebec's Law 25 applies to any business collecting personal information, regardless of size. If you have customers, employees, or vendors, you're covered. Five core obligations matter most for small businesses: getting valid consent before collection, publishing a privacy policy, securing the data you collect, reporting confidentiality incidents that present a risk of serious injury, and responding to access requests within 30 days. Penal fines under section 91 of the Act start at $15,000 per offence for an enterprise, but compliance doesn't require a legal department.

Most small business owners assume privacy laws only apply to large corporations. That assumption becomes expensive when the Commission d'accès à l'information (CAI) investigates a complaint, because the business then has to demonstrate, after the fact, how it obtained consent, what it told people at collection, and how it protected the information.

Law 25, adopted in September 2021, modernized Quebec's private sector privacy rules (the Act respecting the protection of personal information in the private sector). Its provisions came into force in three phases: September 22, 2022 (privacy officer designation and confidentiality incident reporting), September 22, 2023 (most remaining obligations, including consent rules, privacy policies and access rights) and September 22, 2024 (data portability). Unlike PIPEDA, which is limited to commercial activities, Law 25 covers every enterprise carried on in Quebec, commercial or not.


Who Law 25 actually covers

Section 1 of the Act applies it to personal information that a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise. "Enterprise" takes its meaning from article 1525 of the Civil Code of Québec: an organized economic activity, whether or not commercial in nature, consisting of producing, administering or alienating property or providing a service. That covers sole proprietorships, partnerships, corporations and non-profits alike.

You're covered if you collect information about customers, employees, contractors, or suppliers. The law doesn't set employee thresholds or revenue minimums like some federal regulations.

The boundary is whether you are carrying on an enterprise at all. Running a hobby blog about your garden, with no organized economic activity behind it, probably isn't an enterprise. Selling products through that blog probably is. The Act's own exclusions are narrow (for example, journalistic, historical or genealogical material collected for the legitimate information of the public).

Law 25 covers any enterprise that handles personal information in Quebec under section 1, regardless of business size or revenue. The focus is on the activity, not the scale. This broad application means even sole proprietorships collecting customer emails fall under Quebec's privacy regime.


Obligation 1: Get consent before collection

Section 14 requires consent before collecting personal information. For most small businesses, this means being clear about what you're collecting and why before someone gives you their information.

Consent must be express for sensitive personal information (section 12, as amended by Law 25), and express consent is also the safe pattern for marketing. A checkbox on your contact form stating "I agree to receive marketing emails", unticked by default, meets this standard. Pre-checked boxes don't count, because section 14 requires consent that is "clear, free and informed", given for specific purposes and requested separately for each purpose.

Collection for the purpose the person asked for needs no separate consent step. If someone calls requesting a quote, you can collect their contact information to provide that quote; that is the purpose they came to you with. Using those details for unrelated marketing is a secondary use, which section 12 only permits with the person's consent (or under one of its listed exceptions).

Document your consent mechanisms. If someone files a complaint, the CAI will ask you to show how consent was obtained, and the burden is on you, not the complainant. Dated screenshots of your forms, copies of your phone scripts, and the records your systems keep of when a box was ticked are what settle the question.


Obligation 2: Create a privacy policy that explains your practices

Section 8 requires you to inform people, at the time of collection, of the purposes of collection, the means used, their rights of access and rectification, and their right to withdraw consent. Section 8.2 separately requires any enterprise that collects personal information through technological means (a website form, an app) to publish a privacy policy in clear and simple language on its website and to announce changes to it. Most businesses meet both through a privacy policy posted on their website and referenced during collection.

Your policy needs specific details:

  • What personal information you collect
  • Why you collect it (business purposes)
  • Who might receive copies (vendors, partners), and whether it may be communicated outside Quebec
  • How long you keep it
  • Contact information for privacy questions, including the title and contact details of your person in charge of the protection of personal information (section 3.1 requires these to be published on your website)

Generic templates often miss Quebec-specific requirements. Your policy should reference the Act as amended by Law 25, explain the rights of access, rectification and withdrawal of consent under sections 27-41, and tell people they can file a complaint with the CAI if they believe those rights have been denied.

Small businesses often overlook employee information. If you have staff, your policy should cover payroll data, performance reviews, and any monitoring systems you use. Section 8.1 applies here too: if you use technology that identifies, locates or profiles people, you must say so at collection and explain how it can be deactivated.

A privacy policy under section 8.2 isn't just a legal checkbox. It's your roadmap for handling personal information consistently and your first line of defense when the CAI investigates a complaint, because it records what you told people and lets you show that you did what you said.


Obligation 3: Implement reasonable security measures

Section 10 requires security measures that are reasonable given the sensitivity of the information, the purposes for which it is used, its quantity and distribution, and the medium on which it is stored. For small businesses, this typically means basic cybersecurity hygiene plus some documentation.

Essential security measures under section 10 include:

  • Password requirements for systems containing personal information
  • Regular software updates on computers handling customer data
  • Encrypted storage for sensitive information (Social Insurance Numbers, payment details)
  • Limited access to personal information on a need-to-know basis

Document your security measures in writing. A simple policy outlining password requirements, backup procedures, and who can access what information demonstrates reasonable care under section 10's proportionality requirements.
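"Encrypted storage for sensitive information" and "need-to-know access" are easy to list and easy to get wrong. The following is an added example, not code from this article or from Augure, of how a small in-house system could protect a Social Insurance Number at rest using only Go's standard library: AES-256-GCM with a fresh random nonce per record, the customer's record ID bound in as associated data so a ciphertext cannot be copied from one row to another, and a masking helper for the screens most staff actually need. The key handling (in practice the key comes from a secrets store, not generated in `main`) and the sample customer are assumptions for illustration.

```go
// Added example, not from the article: AES-256-GCM field encryption for a
// SIN at rest, with the record ID as associated data and a masking helper.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Customer is the stored record. Only the SIN field is encrypted; name and
// ID stay in the clear so the row remains searchable.
type Customer struct {
	ID        string
	Name      string
	SINCipher string // base64(nonce || ciphertext || GCM tag)
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key. In production the
// key would come from a secrets store or environment variable (assumption).
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSIN seals the plaintext SIN. The record ID is passed as associated
// data: it is authenticated but not encrypted, so a ciphertext copied from
// one customer's row into another's fails to decrypt.
func EncryptSIN(key []byte, recordID, sin string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit nonce, fresh per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce so one value carries both.
	sealed := aead.Seal(nonce, nonce, []byte(sin), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptSIN opens a stored value. Any change to the key, the record ID or a
// single ciphertext byte makes the GCM tag check fail and returns an error.
func DecryptSIN(key []byte, recordID, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("stored value too short to contain nonce and tag")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// MaskSIN is the need-to-know view: staff who only need to confirm a match
// see the last three digits, never the full number.
func MaskSIN(sin string) string {
	if len(sin) < 3 {
		return "***"
	}
	return "*** *** " + sin[len(sin)-3:]
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample: "046 454 286" is a Luhn-valid example SIN, not a
	// real person's number.
	c := Customer{ID: "cust-001", Name: "Sample Customer"}
	var err error
	if c.SINCipher, err = EncryptSIN(key, c.ID, "046 454 286"); err != nil {
		panic(err)
	}
	fmt.Println("stored:", c.SINCipher)

	sin, err := DecryptSIN(key, c.ID, c.SINCipher)
	if err != nil {
		panic(err)
	}
	fmt.Println("payroll view:", sin)
	fmt.Println("front-desk view:", MaskSIN(sin))

	// Swapping the ciphertext into another record is detected.
	if _, err := DecryptSIN(key, "cust-002", c.SINCipher); err != nil {
		fmt.Println("moved ciphertext rejected:", err)
	}
}
```

Two design choices carry the security weight here. The record ID as associated data means "limited access on a need-to-know basis" can be enforced in code: a payroll function decrypts under the employee's own ID, and a ciphertext lifted into a different row simply fails. Masking by default means most screens never call the decrypt path at all, which is also what keeps the number out of logs and screenshots.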

Physical security matters too. Customer files shouldn't sit on reception desks where visitors can read them. Lock filing cabinets containing employee records. Secure disposal means shredding or wiping data, not just throwing papers in regular trash.

Consider your vendors' security practices. Section 18.3 requires a written contract with any service provider that handles personal information on your behalf, setting out the protection measures it must apply, the confidentiality of the information, and its duty to notify you of any confidentiality incident. If you use cloud services or third-party processors, their security failures become your compliance problems. Section 17 adds a further step when personal information leaves Quebec: a privacy impact assessment before the transfer, and a written agreement that takes its results into account. Canadian platforms like Augure keep information on Canadian infrastructure, which simplifies that assessment and limits exposure to the US CLOUD Act.


Obligation 4: Report serious privacy breaches promptly

Law 25 calls a breach a "confidentiality incident": unauthorized access to, use or communication of personal information, or its loss (sections 3.5 to 3.8). When you have cause to believe an incident has occurred, you must take reasonable measures to reduce the risk of injury and prevent further incidents. If the incident presents a risk of serious injury to the people concerned, you must promptly notify the CAI and the affected individuals. The Act sets no fixed clock such as 72 hours; "promptly" means as soon as you know enough to assess the risk, with updates as the investigation progresses.

Section 3.7 tells you how to assess whether the risk is serious: the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes. Incidents that usually cross that line include:

  • Social Insurance Numbers or financial information exposed
  • Health records disclosed
  • Employee personnel files accessed by unauthorized parties

Minor incidents such as an email sent to the wrong recipient usually don't require notification unless sensitive information is involved. They are still confidentiality incidents: section 3.8 requires you to record every incident, reportable or not, in an incident register, and the regulation on confidentiality incidents requires those entries to be kept for five years. The CAI can ask to see the register.

Your breach response plan should identify who notifies the CAI, how you contain and investigate incidents, and how and when you notify affected individuals. The CAI provides an online notification form and expects specific details about what happened, how many people were affected, what you're doing to reduce the risk of injury, and what you're doing to prevent recurrence.

Keep the register current even for minor incidents. Patterns of small breaches can indicate systemic security problems that section 10 obliges you to address.


Obligation 5: Respond to access requests within 30 days

Sections 27-28 give individuals the right to access and correct personal information you hold about them. A request must be in writing from a person who proves they are the person concerned (section 30), and you must respond within 30 days of receiving it (section 32). There is no extension mechanism: silence after 30 days is deemed a refusal, which the person can then take to the CAI.

Access requests under section 27 typically ask for:

  • All personal information you have about the requester
  • How you use that information
  • Who receives copies of their information

You must provide the information in an intelligible form. Database dumps with technical codes don't meet this standard. Plain language summaries, with the actual data attached, work better for most small businesses.

Access itself is free of charge. Section 33 lets you ask a reasonable fee for transcription, reproduction or transmission, provided you tell the requester beforehand; staff time spent searching is not a chargeable item. Many small businesses waive the fee entirely to avoid disputes.

Verify the requester's identity before releasing anything. Section 30 requires the requester to prove they are the person concerned (or an authorized representative). Government-issued ID or another reliable check keeps an access request from turning into a confidentiality incident of its own.

Access requests under sections 27-28 often reveal gaps in your information management practices. Responding properly within the 30-day deadline requires knowing what personal information you collect, where you store it, and how you use it across all business operations.


Practical compliance for small budgets

Law 25 compliance doesn't require expensive software or legal consultants for most small businesses. Start with documenting your current practices, then identify gaps.

Create a simple information inventory listing:

  • What personal information you collect (customers, employees, vendors)
  • Where you store it (filing cabinets, computer systems, cloud services)
  • Who can access it (staff roles, external service providers)
  • How long you keep it (retention schedules by information type)

Review your current forms, contracts, and website content. Many compliance issues stem from collecting more information than necessary or failing to explain collection purposes clearly under section 8.

Augure provides Canadian-built privacy tools designed specifically for Quebec's regulatory environment. Unlike US-based alternatives, these platforms avoid CLOUD Act exposure while helping with policy development and breach response planning within Canadian data sovereignty frameworks.

Train your staff on basic privacy practices. Everyone handling personal information should understand consent requirements under section 14, security expectations under section 10, and how to recognize and report a confidentiality incident under section 3.5.


Penalties and enforcement trends

Law 25 created two enforcement tracks. The CAI can impose administrative monetary penalties directly (section 90.1 and following); for an enterprise the maximum is $10,000,000 or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. Penal prosecutions under section 91 carry fines of $15,000 to $25,000,000 or 4% of worldwide turnover, whichever is greater, for an enterprise, and $5,000 to $100,000 for an individual. The maximums are aimed at large organizations; for a small business the practical exposure is the lower end of those ranges plus the cost of the investigation itself.

Common violations include:

  • Collecting information without valid consent (section 14 violations)
  • Inadequate security measures (section 10 breaches)
  • Failing to respond to access requests within 30 days (sections 27-32 non-compliance)
  • Using personal information beyond collection purposes (section 12 violations)

The CAI prioritizes cases involving sensitive information or systemic non-compliance. Single complaints about minor issues rarely trigger formal enforcement, but patterns of violations or serious data breaches attract regulatory attention.

Voluntary compliance often resolves an investigation before penalties apply. Demonstrating good faith efforts to address problems and prevent recurrence influences enforcement decisions.


Integration with federal privacy requirements

Quebec businesses often deal with both Law 25 and PIPEDA. Because Quebec's private sector Act is recognized as substantially similar to PIPEDA, PIPEDA generally doesn't apply to personal information handled entirely within Quebec. It still applies to federally regulated businesses (banks, telecoms, airlines, interprovincial transport) and to personal information that crosses provincial or national borders in the course of commercial activity. The federal Privacy Act is a separate statute covering federal government institutions, not businesses.

The laws share similar principles but differ in details. PIPEDA's Principle 3 (consent) accepts implied consent more readily, depending on the sensitivity of the information and reasonable expectations, while Law 25 section 14 requires consent that is clear, free, informed and given for specific purposes, and section 12 requires express consent for sensitive information. Both require security measures proportionate to sensitivity, and both require notifying the regulator and affected individuals of a breach: PIPEDA when there is a "real risk of significant harm", Law 25 when there is a "risk of serious injury".

When requirements differ, apply the stricter standard. Neither law sets a fixed notification clock: PIPEDA says "as soon as feasible" and Law 25 says "promptly", so plan to notify without delay under either. PIPEDA requires records of every breach to be kept for 24 months; Quebec's regulation on confidentiality incidents requires register entries to be kept for five years, so a Quebec business subject to both should keep its register for the longer period.


Getting started with Law 25 compliance

Begin with your privacy policy and consent mechanisms under sections 8 and 14. These form the foundation for everything else and directly impact daily business operations.

Review your website forms, intake procedures, and customer onboarding processes. Ensure you're explaining collection purposes clearly and obtaining appropriate consent before gathering personal information.

Document your current security practices under section 10 and identify improvement areas. Basic cybersecurity measures prevent most privacy breaches and demonstrate reasonable care during regulatory reviews.

Establish incident response procedures before you need them. Knowing who to contact and what information to gather is what lets you notify the CAI and affected individuals promptly, as section 3.5 requires, while the facts are still fresh.

Ready to build Law 25 compliance into your business operations? Canadian-built privacy tools designed for Quebec's regulatory environment provide resources and templates to help small businesses navigate privacy requirements without breaking their budgets.


About Augure

Augure is a sovereign AI platform for regulated Canadian organizations. Chat, knowledge base, and compliance tools — all running on Canadian infrastructure.
