Law 25 Free Resources Center
Law 25 Readiness: What is Law 25
Whether you’re starting your Law 25 project or enhancing existing compliance, STANDARD ONE provides essential templates, tools, and guides to empower your success — all at no cost.
Who Must Comply with Law 25?
Applicability Across Sectors and Jurisdictions
Law 25 applies to any organization that collects, uses, holds, or discloses personal information about individuals in Quebec — regardless of whether that organization is based in Quebec or elsewhere.
Entities That Must Comply:
- Private Sector Businesses: Any business operating in Quebec or offering goods/services to Quebec residents.
- Nonprofits and Cooperatives: Nonprofit status does not exempt organizations if they process personal data.
- Public Bodies: Including municipalities, school boards, and healthcare institutions.
- Out-of-Province Companies: Subject to Law 25 if they collect data from Quebecers or use cookies/analytics to track them.
- Third-Party Vendors and Contractors: Service providers working with Quebec data are required to follow updated contract terms and assessments.
Examples:
- A U.S.-based SaaS company with customers in Quebec
- A nonprofit based in Ontario collecting donations from Quebec residents
- A marketing agency providing services to Quebec-based businesses
Clarifying the Scope
If your organization touches personal data belonging to a Quebec resident — directly or indirectly — Law 25 likely applies to you.
This wide scope means many organizations across North America and beyond must now rethink their data governance practices to include Law 25 compliance requirements.
Need More Personalized Professional Help?
If you’d like tailored guidance or expert review of your ISO 27001 project, we’re here for you.
- ✅ Law 25 Readiness Assessment
- ✅ Free 30-minute Consultation with a Law 25 Specialist
