Question 1

Does Law 25 apply to my small business?

Accepted Answer

Yes. Law 25 applies to any person operating an enterprise in Quebec who collects, uses, or communicates personal information, regardless of the organization's size. A 3-employee business collecting customer email addresses, processing candidate resumes, or storing payment information is fully bound to comply. The only exemptions apply to individuals collecting personal info for strictly personal purposes unrelated to commercial activity. Basic obligations—designating a privacy officer, drafting a privacy policy, managing incidents—apply to all businesses without exception, starting from the very first piece of personal data collected.

Question 2

What are the penalties under Law 25?

Accepted Answer

Law 25 introduces two types of penalties. Penal sanctions, imposed by the Commission d'accès à l'information (CAI) or the Attorney General, can reach up to $25 million CAD or 4% of worldwide turnover, whichever is greater. Administrative monetary penalties (AMPs), imposed explicitly by the CAI, can reach up to $10 million or 2% of worldwide turnover. These amounts apply per offense. An organization failing to designate a privacy officer AND lacking a privacy policy AND failing to report an incident could face cumulative sanctions. The CAI can also order a halt on data collection operations, effectively paralyzing any data-dependent business.

Question 3

What is a PIA (Privacy Impact Assessment) and when is it mandatory?

Accepted Answer

A PIA is a formal, documented analysis that evaluates privacy risks before implementing a project involving personal information. It is mandatory in three main situations in Quebec: First, when transferring personal data outside Quebec—which includes using cloud services like Microsoft Azure, Google Workspace, Salesforce, or HubSpot. Second, before any new technological project that significantly collects, uses, or communicates personal data. Third, before outsourcing personal data processing to a third party (e.g., external payroll firm, marketing agency accessing your CRM). The PIA must be documented and available for CAI review upon request. It is not submitted to the CAI proactively, but you must be able to produce it during an inspection.

Question 4

Is my data in Microsoft 365 subject to Law 25?

Accepted Answer

Yes, entirely. Any personal information stored in your Microsoft 365 environment falls under Law 25: emails and attachments (Exchange / Outlook), files containing personal data (OneDrive, SharePoint), chats and records (Teams), forms, and other M365 services. Two issues require attention: First, Microsoft 365 data is processed in data centers commonly located outside Quebec (mostly elsewhere in Canada or in the US), triggering the obligation to conduct a PIA. Second, you must ensure your Data Processing Agreement (DPA) with Microsoft is valid and compliant. ABCnumérique performs a complete audit of your Microsoft 365 environment during the compliance mandate, including configuring Microsoft Purview for data governance and retention.

Question 5

How long does it take to become compliant with Law 25?

Accepted Answer

For an SMB under 50 employees with standard IT infrastructure, a realistic timeframe is 4 to 8 weeks to achieve substantial compliance. This includes: 1-2 weeks for diagnosis and data mapping; 2-3 weeks for drafting policies, registries, and the PIA; 1-2 weeks for technical implementation (cookie banners, M365 access, encryption); and 1 week for training and final validation. Medium-sized organizations (50 to 200 employees) or those with complex environments (ERP, CRM, multiple databases, third-party APIs) usually require 3 to 6 months. It is important to note: compliance is not a one-time project. It must be maintained over time through policy updates, onboarding new hires, managing incidents, and monitoring upcoming legislative changes (e.g., federal Bill C-27).

Question 6

Does Law 25 apply to my website?

Accepted Answer

Yes, as soon as it collects any personal information, even indirectly. A contact form taking a name and email, an online booking system, an authenticated customer portal, a Meta/Facebook pixel, or simply Google Analytics—they all collect personal information. Your website obligations include: displaying a clear privacy policy accessible from every page; implementing explicit consent mechanisms before activating non-essential cookies (a compliant consent banner); configuring Google Analytics 4 in "consent mode v2"; and allowing users to withdraw consent as easily as they provided it. ABCnumérique integrates all these requirements directly into the design or redesign of your website, guaranteeing native compliance.

Question 7

What is the difference between Law 25 and the GDPR?

Accepted Answer

Law 25 is Quebec's provincial data protection act. It draws heavy inspiration from the European GDPR but adapts to the Quebec and Canadian context. The GDPR (General Data Protection Regulation) applies to any organization processing data of EU residents, regardless of where the organization is based. If you have European clients, GDPR applies to you even from Quebec. Thus, both laws can apply simultaneously. Practical differences include: GDPR requires incident reporting within 72 hours, whereas Law 25 demands notification "promptly" to the CAI and affected individuals. GDPR mandates appointing a Data Protection Officer (DPO) in specific cases, while Law 25 requires a Privacy Officer for ALL businesses. Penalty calculations also differ. ABCnumérique can help you navigate both frameworks simultaneously if you have an international client base.

Question 8

Does Law 25 apply to NPOs and Not-For-Profit organizations?

Accepted Answer

Yes, fully. Law 25 applies to any entity operating an enterprise in Quebec, whether for profit or not. NPOs (Non-Profit Organizations), cooperatives, foundations, professional associations, and community groups are all bound. An organization managing member lists, processing event registrations, collecting online donations, receiving volunteer resumes, or employing staff is fully subject to Law 25. ABCnumérique has designed a specific offering for NPOs considering their unique budgetary realities. Our Comprehensive NPO Package integrates free Microsoft 365 configuration (Microsoft's NPO program) with complete Law 25 compliance, ensuring top-tier support at an accessible cost.

Law 25 Compliance - Turnkey Solution for Quebec SMBs

Your business collects data. Do you know if you are compliant?

A one-stop shop. All 3 dimensions covered.

Compliance Assessment (Weeks 1–2)

Data Mapping & Policies (Weeks 2–4)

Technical Implementation (Weeks 4–6)

Training & Validation (Weeks 6–8)

What you get at the end of the mandate

Legal Documents and Policies

Technical Implementation

Training and Maintenance

Questions fréquentes

This service pairs perfectly with

Cybersecurity & Protection

Data Governance & Organization

Web Analytics (GA4 & GTM)

Prêt à passer à l'action avec ABCnumérique ?