Financial sanctions under Law 25: what you really risk

A customer writes: "Where is my data?" You reply three months later, after a breach already known internally but never documented. That kind of delay draws the CAI's attention, and it is not just a reputation issue. SMB leadership must understand the real financial risks before an incident forces their hand.

Administrative and penal sanctions

Quebec's Commission d'accès à l'information can investigate, impose corrective measures, and, in some cases, administrative monetary penalties (AMPs). These are civil administrative fines, distinct from penal prosecutions that may also be brought for certain violations.

Key point: caps were raised with modernization: for businesses, amounts can reach several million dollars depending on severity, recurrence, and, for some categories, a percentage of global revenue. Individuals can also be targeted.

Exact amounts depend on the type of violation and applicable regime. Consult the CAI and a lawyer for your situation. However, the real cost almost always exceeds the fine: reputation, halted projects, external audits, and urgent fixes to websites and systems.

Concrete examples of high-risk breaches

Impact on an SMB

A sanction or high-profile complaint can erode customer trust, lose a B2B bid, or raise cyber insurance premiums. For an SMB with limited cash flow, budgeting progressive compliance (privacy officer, registers, training) almost always costs less than emergency remediation.

Situations that attract attention

Pragmatic prevention for an SMB

  1. Visible privacy officer: appoint or identify a responsible person and publish contact details (privacy officer).
  2. Maintained registers: incidents and high-risk processing, including "small" events.
  3. Aligned website: banner, policy, and forms reflect reality (cookies).
  4. PIA on major projects: when processing presents high risk (PIA).

Related articles

Cookie issues documented by the CAI are covered in Law 25 cookie banner: what the CAI expects. For your online policy content, see Law 25 privacy policy template for SMBs.

In brief

Useful references

This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.

Check your website

A site that promises one thing and does another is a classic complaint trigger. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.