Law 25 vs GDPR: differences and similarities
"We are already GDPR compliant, so we are fine for Quebec": I hear that often. It is half true. Law 25 and the GDPR share the same philosophy, but they are not photocopies. Your local reference is the CAI, not the CNIL.
Key point: a "GDPR compliant" badge on a SaaS product helps, but does not replace your Quebec obligations: policies, privacy officer, incidents, transfers outside Quebec.
What is similar
If you have already worked on GDPR, you are not starting from zero. The core principles align:
- Accountability: governance, documentation, proof of due diligence.
- Transparency and rights: access, rectification, portability where applicable (portability and erasure).
- Stronger consent: marketing and non-essential cookies (consent).
- Sanctions: significant fines for serious breaches (sanctions).
- Impact assessments: PIA (EFVP) in Quebec, DPIA in Europe (PIA).
Quebec-specific points not to overlook
However, copy-pasting your European policy without adaptation is a red flag in an audit.
- Scope: Law 25 for activities in Quebec; GDPR for EU residents. You can be subject to both.
- Authority: Quebec CAI, local guides and decisions.
- Language: policies and notices understandable for the Quebec public; French is the norm for most organizations here.
- Transfers outside Quebec: regime to document; distinct from EU adequacy decisions.
- Privacy officer (PRP): designation and publication strongly expected in Quebec (privacy officer).
Already aligned on GDPR? Close these gaps
- Visible privacy officer: contact details published for the Quebec market, not only a European DPO in fine print.
- CAI-ready website: policy, cookies, and forms aligned with reality (web privacy policy, cookie banner).
- Vendor contracts: Law 25 / Quebec clauses, not GDPR only (vendor clauses).
- Incidents: confirmed notification rules to the CAI (incident procedure).
- Humility test: if your only proof of compliance is a GDPR logo on the CRM website, you are not done.
In brief
GDPR gave you a head start on "privacy by design" culture. Use it, then adjust for Quebec. Your express checklist remains the honest mirror.
Useful references
- CAI, Protection of personal information: Quebec reference (not the CNIL).
- Act P-39.1 (private sector): local framework to document alongside GDPR.
- Express Law 25 checklist: yes/no self-assessment for an SMB.
This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.
Check your website
Several Law 25 obligations show up on your public site (policy, cookies, privacy officer contact). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.