
Law 25 Free Resources Center

Law 25 Readiness: What is Law 25?

Whether you’re starting your Law 25 project or enhancing existing compliance, STANDARD ONE provides essential templates, tools, and guides to empower your success — all at no cost.

What is Quebec’s Law 25?

Modernizing Privacy Protection for a Digital Age

Quebec’s Law 25 (formerly Bill 64) is a transformative privacy law that updates the province’s data protection framework to meet modern digital and regulatory expectations. Enacted in 2021, it represents a significant step toward aligning Quebec with global privacy regulations such as the EU’s GDPR and California’s CCPA.

📊 According to the Office of Consumer Protection, 72% of Quebecers are concerned about the protection of their personal data.

Law 25 directly responds to that concern. It mandates how organizations collect, use, disclose, retain, and protect personal information.


Why Was It Created?

The law was designed to:

  • Strengthen transparency and user control over personal data
  • Modernize outdated privacy statutes
  • Address the rapid growth of digital data sharing and tracking technologies
  • Introduce robust governance and enforcement standards

Law 25 aims to embed privacy into the DNA of how businesses operate in Quebec.


From Bill 64 to Law 25: A Legislative Journey

When the legislation was first tabled in the National Assembly, it was referred to as Bill 64. Once passed on September 22, 2021, it officially became Law 25, or more formally, the “Act to modernize legislative provisions as regards the protection of personal information.”


Key Implementation Dates

Date             Requirement
Sept 22, 2022    Appointment of privacy officer, breach reporting rules begin
Sept 22, 2023    Consent reforms, privacy policies, DPIAs, automated decision-making transparency
Sept 22, 2024    Data portability rights become enforceable

Who Enforces Law 25?

The Commission d’accès à l’information (CAI) is the regulatory body that oversees enforcement. It has the authority to:

  • Investigate complaints
  • Conduct audits
  • Issue orders and recommendations
  • Impose administrative and criminal penalties

Penalties range from $5,000 to $25 million, or up to 4% of worldwide revenue for businesses, with double penalties for repeat offenses.


Why It Matters for Your Business

Law 25 goes beyond checkboxes. It requires:

  • Organizational accountability
  • System-level visibility into data use
  • Clear consent mechanisms
  • Proactive risk management

This isn’t just legal hygiene. It’s about building trust with Quebec consumers and future-proofing your organization against upcoming federal privacy regulations.


Need More Personalized Professional Help?

If you’d like tailored guidance or expert review of your ISO 27001 project, we’re here for you.

Law 25 Readiness Assessment
Free 30-minute Consultation with a Law 25 Specialist

📅 Schedule Your FREE Consultation NOW!
