
Law 25 is modernizing how personal data is protected in Quebec. Its implementation is phased, but September 2025 marks the deadline for its final and most demanding obligations. For SMBs, now is the time to act.

At S3, we’ve been helping our clients prepare. Here’s what your business needs to know.

What Is Law 25?

Law 25 updates Quebec’s private-sector privacy law to align more closely with global standards like the European GDPR. It imposes new obligations on any organization that collects, uses, or stores personal data.

It applies to all businesses operating in Quebec, regardless of size.

What’s Already in Effect (Since 2022–2023)

  • Appointing a person responsible for personal data protection
  • Notifying the CAI (Commission d’accès à l’information du Québec) and affected individuals in case of a privacy breach
  • Maintaining a registry of incidents
  • Deleting data that is no longer needed
  • Publishing your privacy policies on your website

What Comes Into Force in September 2025

  • Conducting Privacy Impact Assessments (PIAs) before collecting or sharing sensitive data
  • Managing data transfers abroad with documented safeguards
  • Allowing data portability (users can request their data in a readable format)
  • Enabling the right to erasure (“right to be forgotten”)
  • Documenting all internal policies and practices related to personal data

These requirements may sound technical, but they are crucial to avoid major penalties.

What Happens If You Don’t Comply?

Law 25 comes with serious consequences:

  • Fines of up to $10 million or 2% of worldwide revenue for serious breaches
  • Risk of lawsuits, including class actions for moral or punitive damages

The CAI (Commission d’accès à l’information du Québec) has already started conducting audits. Compliance is no longer optional.

What Should SMBs Do by 2025?

Here’s a simple roadmap to get compliant:

  1. Appoint a responsible person (usually a manager or IT partner)
  2. Inventory the personal data you collect and store
  3. Update your privacy policies (website, HR, marketing, etc.)
  4. Review contracts with vendors and partners (add data protection clauses)
  5. Train employees on data privacy best practices
  6. Set up an incident response process (for breaches, misdirected emails, etc.)
  7. Maintain clear documentation in case of an audit by the CAI

Need help getting compliant? Let’s talk.

Simon Marcil

President

Looking for a new IT Partner?

Book a 30-minute call with Marc, co-founder of S3 and VP of client success.

  • Talk through your IT setup and challenges
  • Share what you’re looking for in a partner
  • See if there’s a good fit between your needs and what we offer
  • If it feels like a fit, the next step is a more detailed assessment of your needs and IT environment


You can also contact us at 514-284-6262 or at ventes@s3tech.ca