Law 25 vs GDPR: differences and similarities

"We are already GDPR compliant, so we are fine for Quebec": I hear that often. It is half true. Law 25 and the GDPR share the same philosophy, but they are not photocopies. Your local reference is the CAI, not the CNIL.

Key point: a "GDPR compliant" badge on a SaaS product helps, but does not replace your Quebec obligations: policies, privacy officer, incidents, transfers outside Quebec.

What is similar

If you have already worked on GDPR, you are not starting from zero. The core principles align:

Quebec-specific points not to overlook

However, copy-pasting your European policy without adaptation is a red flag in an audit.

Already aligned on GDPR? Close these gaps

  1. Visible privacy officer: contact details published for the Quebec market, not only a European DPO in fine print.
  2. CAI-ready website: policy, cookies, and forms aligned with reality (web privacy policy, cookie banner).
  3. Vendor contracts: Law 25 / Quebec clauses, not GDPR only (vendor clauses).
  4. Incidents: confirmed notification rules to the CAI (incident procedure).
  5. Humility test: if your only proof of compliance is a GDPR logo on the CRM website, you are not done.

In brief

GDPR gave you a head start on "privacy by design" culture. Use it, then adjust for Quebec. Your express checklist remains the honest mirror.

Useful references

This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.

Check your website

Several Law 25 obligations show up on your public site (policy, cookies, privacy officer contact). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.