PIA under Law 25: when and how

In Quebec, an EFVP (privacy impact assessment) documents risks before starting projects that handle sensitive or large-scale personal information, including invasive web tracking or new data-heavy features.

When to start

Typical steps

  1. Scope the project and data flows.
  2. Assess necessity and risks to individuals.
  3. Define mitigations (security, contracts, policy updates).
  4. Approve, monitor, and revisit.

After changes, verify that the live site matches the decisions made, including the policy and cookies.