Law 25 in plain language for Quebec SMBs
You keep an Excel list of clients, run payroll in the cloud, and your website has a contact form? You already handle personal information. The reform known as Law 25 is not just for multinationals: it applies to a five-person team in Quebec too, and it puts individual rights at the centre, not only internal policies.
"Law 25": what exactly are we talking about?
It is not the short name of a single page of legislation to memorize. In practice, we say Law 25 for the major 2021 reform (Act to modernize legislative provisions as regards the protection of personal information). Other Quebec statutes have carried the number 25; in business, HR, and the Web, we almost always mean this reform.
Key point: for a private-sector SMB, the day-to-day statute is the Act respecting the protection of personal information in the private sector (P-39.1 on LégisQuébec), as modernized, not a separate "Law 25 regulation." The CAI (Commission d'accÚs à l'information) publishes guides and handles complaints.
Brief history
For years, people talked mainly about Bill 64. Adopted in 2021, the reform became the law nicknamed Law 25. New rules rolled out in stages (September 2022, 2023, and 2024): deadlines, governance, incidents, then stronger rights, to give SMBs time to get organized.
Goals of the reform
Quebec wanted to strengthen public trust in the digital economy: online commerce, cloud services, targeted marketing, data breaches. The law restates a simple idea: personal information belongs to the individuals concerned. Organizations must handle it transparently, fairly, and securely, and respond when someone exercises their rights.
Concretely for an SMB: inform before collecting, secure files, appoint a privacy officer, respond to incidents, and handle customer requests on time. We do not need a legal department to start; we need clarity and consistency.
Individual rights: what your customers can demand
If you remember only one pillar of Law 25 as an SMB, make it this one: anyone whose information you hold can exercise rights against your organization. This is not reserved for large accounts: a customer who writes "What do you have on me?" triggers the same rules at your company as at a bank.
- Right of access: know what information you hold and get a copy.
- Rectification: correct inaccurate or incomplete information.
- Withdrawal of consent: when processing relies on consent (newsletter, certain trackers).
- Portability: receive certain information in a structured, commonly used format (since September 2024).
- Cessation of dissemination and de-indexing: in the cases provided by law (often called the "right to be forgotten").
- Complaint to the CAI: if the person believes their rights are not respected.
Silence is not a strategy. Ignoring a request or burying it in an unmonitored generic inbox is one of the most common traps, and often the costliest in reputation.
In practice: a dedicated email address (often that of the privacy officer), a response deadline of 30 days as a general rule, and a privacy policy that explains how to exercise these rights. For step-by-step guidance, response templates, and pitfalls: individual rights for clients under Law 25 and portability and de-indexing.
Who is covered?
- Private businesses that collect, use, or disclose personal information in the course of an enterprise.
- Nonprofits, associations, professional firms, and cooperatives, depending on their activities.
- Very small organizations: as soon as there is a file of clients, employees, or suppliers, obligations apply (sometimes with nuances by size and sector).
The criterion is not "having a large IT department," but processing personal information.
Key dates to remember
Obligations rolled out in September 2022, 2023, and 2024. Today, all phases are in force: the focus is on consolidating your practices (registers, policies, training), not waiting for the next deadline.
Detail by phase: key compliance steps 2022, 2023, and 2024.
Where to start in an SMB?
- Understand individual rights: know what to do when a customer writes (access, rectification, withdrawal). See our client rights guide.
- Identify the privacy officer: who plays the role of person in charge of the protection of personal information and publish their contact details (monitored email, not a generic inbox).
- Follow a realistic plan: our 7-step action plan avoids trying to do everything in one week.
- Align the website: policy (with a rights section), cookies, forms. See SMB privacy policy, web privacy policy, and cookie banner.
In brief
- Law 25 refers to the 2021 reform; day to day, a private SMB mainly lives under modernized P-39.1.
- Individual rights (access, rectification, portability, CAI complaint) are at the heart of the framework, not a detail for large companies only.
- If you have clients, employees, or a website, you are probably covered.
- The 2022â2024 deadlines have passed: consolidate, document, and respond to requests on time.
- Four quick levers: rights understood, privacy officer published, 7-step plan, website aligned with your practices.
Useful references
- Act respecting the protection of personal information in the private sector (P-39.1): official text on LégisQuébec.
- CAI, Citizens' rights: official view of rights and remedies.
- CAI, Personal privacy protection: guides and tools for organizations.
- Individual rights for clients: receiving requests and deadlines in an SMB.
- Compliance steps 2022, 2023, and 2024: calendar of rollout phases.
This text is informational and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Several Law 25 obligations show up on your public site: policy (including rights), cookies, privacy officer contact details. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program or your responses to individual requests.