SMBs and nonprofits: Law 25 applies to you too

"We're too small." "We're a nonprofit, not a multinational." If you have clients, members, donors, or an Excel file with names: the reform applies to you. Team size does not matter.

Who is subject to the law?

Any organization: business, nonprofit, association, professional, self-employed worker with clients: that collects, uses, or discloses personal information in the course of an activity.

You do not need a million clients or a sophisticated website. A volunteer list, a donor CRM, or an online registration form is enough to trigger obligations.

Examples in Quebec

General context: Law 25 in plain language.

Starter mini-checklist

Five realistic actions before you drown in documentation:

  1. Privacy officer appointed and reachable on the website (designation).
  2. Public policy + employee policy: even if short.
  3. Register or list of processing activities (who, what, why).
  4. Incident procedure if an email goes to the wrong recipient (emergency guide).
  5. First scan of your website (free analysis).

Go further: express checklist (15 questions) and 7-step plan.

In brief

Size does not exempt you: it defines where to start. Visible privacy officer, honest policy, simple register, emergency procedure, and a look at the website: that is already ahead of most organizations your size.

Useful references

This text is informational and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.

Check your website

Even a small nonprofit often has a site with a form, cookies, or a newsletter. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.