Financial sanctions under Law 25: what you really risk
A customer writes: "Where is my data?" You reply three months later, after a breach already known internally but never documented. That kind of delay draws the CAI's attention, and it is not just a reputation issue. SMB leadership must understand the real financial risks before an incident forces their hand.
Administrative and penal sanctions
Quebec's Commission d'accès à l'information can investigate, impose corrective measures, and, in some cases, administrative monetary penalties (AMPs). These are civil administrative fines, distinct from penal prosecutions that may also be brought for certain violations.
Key point: caps were raised with modernization: for businesses, amounts can reach several million dollars depending on severity, recurrence, and, for some categories, a percentage of global revenue. Individuals can also be targeted.
Exact amounts depend on the type of violation and applicable regime. Consult the CAI and a lawyer for your situation. However, the real cost almost always exceeds the fine: reputation, halted projects, external audits, and urgent fixes to websites and systems.
Concrete examples of high-risk breaches
- Insufficient security: lack of reasonable measures (MFA, backups, encryption) leading to a breach.
- Undeclared incident: risk of serious harm without notification to the CAI or affected individuals.
- Non-compliant collection: forms or trackers without valid consent, vague purposes (consent).
- Ignored rights: access or deletion requests not handled within deadlines.
Impact on an SMB
A sanction or high-profile complaint can erode customer trust, lose a B2B bid, or raise cyber insurance premiums. For an SMB with limited cash flow, budgeting progressive compliance (privacy officer, registers, training) almost always costs less than emergency remediation.
Situations that attract attention
- Excessive or non-transparent collection via forms and trackers.
- No response to access or rectification requests within deadlines.
- Poorly documented or unreported privacy incident (incident procedure).
- Public site contradicting internal policy (cookies active despite displayed refusal, outdated policy).
Pragmatic prevention for an SMB
- Visible privacy officer: appoint or identify a responsible person and publish contact details (privacy officer).
- Maintained registers: incidents and high-risk processing, including "small" events.
- Aligned website: banner, policy, and forms reflect reality (cookies).
- PIA on major projects: when processing presents high risk (PIA).
Related articles
Cookie issues documented by the CAI are covered in Law 25 cookie banner: what the CAI expects. For your online policy content, see Law 25 privacy policy template for SMBs.
In brief
- The CAI can impose corrective measures, AMPs, and penal prosecutions depending on the case.
- Indirect cost (reputation, halted projects, remediation) often exceeds the fine itself.
- Breaches, delayed rights responses, unreported incidents, and inconsistent sites: frequent warning signs.
- Privacy officer, registers, aligned site, and targeted PIA: realistic prevention for an SMB.
Useful references
- CAI, Sanctions and powers: framework for administrative sanctions and measures.
- Act P-39.1 (private sector): provisions on offences and remedies.
- 7-step action plan: progressive roadmap to reduce exposure.
This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.
Check your website
A site that promises one thing and does another is a classic complaint trigger. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.