Key compliance steps 2022, 2023 and 2024
"We still have until 2024, right?": I still hear that in meetings. No. All three September waves are in force. The question is no longer "when," but "are we staying on track?"
Key point: the Law 25 reform rolled out in stages to give SMBs time to get organized: not to postpone concrete action indefinitely.
September 2022: Foundations
The first wave set the framework. Without it, the rest does not hold.
- Privacy officer: official designation and publication of contact details (often on the website and in the policy). See privacy officer responsibilities.
- Governance and incidents: internal policies, incident register, procedure when a breach occurs (incident procedure).
- CAI powers: stronger investigations and more dissuasive sanctions (fines and sanctions).
September 2023: Transparency and consent
Second wave: fewer grey zones for employees and marketing.
- Employee policy: distinct from the customer policy; what you collect in HR must be explained properly.
- Stronger consent: pre-checked boxes and vague wording no longer suffice for several uses (newsletter, non-essential cookies). See consent.
- PIA and transfers: privacy impact assessment (PIA) for certain projects; disclosure of information outside Quebec better regulated.
September 2024: Stronger rights
The third wave mainly affects what your systems must deliver to individuals.
- Portability: structured export (CSV, JSON, CRM export) when technically feasible.
- Cessation of dissemination and de-indexing: removal of content on your site; de-indexing with Google remains a separate process (portability and erasure).
- Privacy by default: most protective settings from the moment a public service is activated (privacy by default).
- Automated decisions: greater transparency when decisions about you rely on automated processing.
Where is your organization?
In practice, ten minutes is enough for an honest first diagnosis:
- Express checklist: fifteen yes/no questions (run the checklist).
- Action plan: compare your gaps to the 7-step plan.
- Public website: policy, cookies, privacy officer contact details visible? A technical scan often spots obvious gaps.
In brief
We are no longer in a transition period. If a 2022 or 2023 obligation is still pending, fix it at the same time as 2024 requirements: the CAI does not split your operational reality by phase. Need broader context? Law 25 in plain language for SMBs.
Useful references
- CAI, Personal privacy protection: calendar and compliance guides.
- P-39.1 Act (private sector): official text on LégisQuébec.
- Law 25 in plain language for SMBs: context and scope of the reform.
This text is informational and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Several obligations show up on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.