Quebec Law 25 Compliance Checklist: What Your Business Actually Has to Do in 2026
Three years after Law 25 started rolling out, most Quebec businesses still aren't sure whether they're actually compliant. Here's the checklist that cuts through it.
By Valdra Team
Three years into Law 25, the most common question I still hear from Quebec business owners isn't "what is Law 25?" — they know it exists, they know the fines are eye-watering. It's a quieter, more anxious question: *"Are we actually compliant, or do we just think we are?"*
That gap — between feeling covered and being covered — is where most of the risk lives. So let's close it. Here is what Law 25 actually requires of a typical Quebec business in 2026, in the order you should tackle it.
First, confirm Law 25 even applies to you
It almost certainly does. Law 25 (formerly Bill 64) governs any private-sector organization that collects, uses, or discloses the personal information of people in Quebec — regardless of where your business is located. A SaaS company in Toronto with Quebec users is on the hook. A retailer in Calgary shipping to Montreal is on the hook.
If you have customers, users, or employees in Quebec, assume it applies and move on. The businesses that get caught are usually the ones that assumed they were "too small" to matter. Law 25 has no small-business exemption.
The checklist
1. Appoint a Privacy Officer. By default, this responsibility sits with the person exercising the highest authority in your organization, typically the CEO, until it is formally delegated in writing. You must designate someone, document the appointment, and publish their title and contact information on your website (or, if you have no website, by another appropriate means). This is the single most-missed requirement, and it is the easiest one for a regulator to spot from the outside.
2. Know what personal information you hold. You can't protect or account for data you haven't mapped. Inventory what you collect, why you collect it, where it lives, who can access it, and how long you keep it. This record (often called a ROPA) is the foundation everything else sits on.
3. Fix your consent. Law 25 raised the bar on consent considerably. It must be clear, free, and informed — requested for *specific* purposes, in plain language, separately from your other terms. Consent for sensitive information (health, financial, biometric) must be express. If you're still relying on a buried line in a 4,000-word privacy policy, that's a gap.
4. Update your privacy policy and notices. Your external privacy policy needs to reflect Law 25's transparency requirements: what you collect, the purposes, the third parties involved, how long you retain it, and how people can exercise their rights. It must be drafted in clear terms and made readily available.
5. Build a process for individual rights. Quebec residents can request access to their information, ask for corrections, withdraw consent, and, newer under Law 25, request data portability (their computerized personal information in a structured, commonly used technological format). You need a repeatable process to receive these requests, verify the requester's identity, and fulfill them within the legal timeline (the Act gives you 30 days from the date of the request), not a scramble each time one lands.
6. Run Privacy Impact Assessments where required. This is the requirement that catches growing companies off guard. Law 25 mandates a PIA before you acquire, develop, or overhaul an information system project involving personal information — and before you transfer personal information outside Quebec. A PIA isn't a formality; it's the documented proof that you thought about the risk before you took it.
7. Have a breach-response plan. When a "confidentiality incident" creates a risk of serious injury, you must notify both the *Commission d'accès à l'information* (CAI) and the affected individuals, and keep a register of all incidents — even the ones that didn't meet the notification threshold. The time to build this workflow is now, not at 9 p.m. on the day you discover a breach.
8. Assess your cross-border transfers. If personal information leaves Quebec — which, in practice, means almost any business using US-based cloud tools — you must assess whether it will receive adequate protection where it's going. This is a real, documented analysis, not an assumption.
What the penalties actually look like
This is where Law 25 stops being theoretical. Administrative monetary penalties reach up to $10 million or 2% of worldwide turnover for the preceding fiscal year, and penal fines up to $25 million or 4% of worldwide turnover, in each case whichever amount is greater. Law 25 also created a private right of action: individuals can sue for damages directly, with punitive damages of at least $1,000 where the infringement is intentional or results from gross fault.
For context: that 4%-of-global-revenue structure is deliberately modelled on Europe's GDPR. Quebec did not build a gentle law.
The honest part: nobody is ever "100% done"
Here's what the compliance-product industry won't tell you, because it doesn't sell: privacy compliance is a posture, not a finish line. You don't earn a certificate from the CAI and retire. Regulations shift, your business changes, you add a new tool that touches personal data, and the checklist quietly grows a new line.
What separates the businesses that sleep well from the ones that don't isn't a one-time project — it's having the eight items above *operating continuously*, with the documentation to prove it if the CAI ever asks.
Where to start
If you read that checklist and felt the familiar mix of "we've got some of this" and "we definitely don't have all of it" — that's normal, and it's exactly the gap worth closing first.
Valdra was built for the 95% of Canadian businesses that need Law 25 compliance but can't justify a $500,000 enterprise consultant. The free Law 25 assessment walks you through every obligation above, scores where you actually stand, and hands you a prioritized remediation plan — in plain language, in English and French, with your data hosted in Canada. It's the fastest way to turn "we think we're compliant" into "here's the proof."
Start with the assessment. Find the gaps before a regulator — or a customer's lawyer — finds them for you.