Is your Montreal business ready for Bill 25 compliance in 2026?

Written by Angie Bossa | Apr 8, 2026 2:12:52 PM

You've heard of Bill 25. You've probably nodded along when someone mentioned it at a networking event or skimmed a headline about it in your inbox. You may have even told yourself you'd look into it properly, sometime in the next few weeks, when things slow down.

Here's the thing: it never slows down, and something new always comes up. Bill 25, Quebec's landmark privacy legislation, is fully in force, actively enforced, and carrying fines that would make any business owner put down their coffee and pay attention.

If you run a business in Montreal and you collect, use, or store personal information about clients, employees, or anyone else, this law applies to you. All of it. Right now. The question isn't whether Bill 25 is your problem — it's whether you're ready for it.


Not sure where your business stands on Bill 25? Book a free consultation with Resitek and we'll walk you through your compliance gaps. Call us at 514-447-7840.


What is the privacy law 25 in Quebec?

Bill 25 — formally known as Law 25 or Loi 25, and officially titled An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information — is Quebec's comprehensive privacy legislation. It came into force in three phases between September 2022 and September 2023, and it is now fully active.

It was designed to bring Quebec's privacy standards in line with international frameworks like the GDPR in Europe, and it applies to any private sector organization that collects, uses, or discloses personal information about Quebec residents. That includes businesses based in Montreal, businesses based elsewhere that serve Quebec residents, and organizations of every size, from a 5-person accounting firm to a multi-location construction company.

Personal information under Law 25 is defined broadly. It includes names, email addresses, phone numbers, financial information, health data, IP addresses, browsing behaviour, employee records, and anything else that could reasonably be used to identify a person. If your business touches any of that, and virtually every business does, Law 25 applies to you.

What makes Law 25 different from the vague privacy policies most Canadian businesses had in place before is the specificity of its requirements. It doesn't just say "protect your data." It tells you exactly how, by when, and what happens if you don't.


What are the requirements for Law 25 in Quebec?

This is where most Montreal business owners start to feel the weight of it. Let's break it down in plain terms.

Appoint a Privacy Officer. Every organization subject to Law 25 must designate a person responsible for the protection of personal information. In a larger organization this might be a dedicated role. In a 30-person engineering firm or real estate brokerage, it's typically the CEO, COO, or a senior manager. The name and contact information of this person must be published on your website.

Conduct a Privacy Impact Assessment (PIA). Before launching any new project, system, or process that involves collecting or using personal information, you must conduct a formal PIA. This applies to new software tools, CRM systems, HR platforms, client portals, anything that handles personal data.

Publish a clear privacy policy. Your privacy policy must be written in plain language, easy to find on your website, and specific about what information you collect, why you collect it, how long you keep it, and who you share it with. A generic template buried in your footer does not cut it.

Obtain meaningful consent. Collecting personal information requires clear, informed consent. Pre-checked boxes and buried consent clauses don't meet the standard. Consent must be specific, informed, and freely given — and it must be as easy to withdraw as it was to give.

Implement data minimization. You can only collect the personal information you actually need for a specific, stated purpose. Collecting data just in case it's useful later is not compliant.

Establish data retention and destruction policies. You need documented policies for how long you keep personal information and how you securely destroy it when it's no longer needed. That means actual secure deletion, not just moving files to a recycling bin.

Enable the right to access and correction. Individuals have the right to request access to their personal information and to have inaccuracies corrected. You must have a process in place to respond to these requests within 30 days.

Manage third-party vendors. If you share personal information with any third party (a cloud provider, a payroll processor, a marketing platform), you are responsible for ensuring they handle that data in compliance with Law 25. You cannot outsource the liability by outsourcing the data.


How does a Montreal business actually become compliant?

This is the practical part most compliance articles skip over. Here's what actually needs to happen, step by step.

Step 1 — Do a data audit. Map out every type of personal information your business collects. Where does it come from? Where is it stored? Who has access to it? How long do you keep it? You can't protect what you haven't identified. This is the foundation of everything else.

Step 2 — Appoint your Privacy Officer and publish their contact information. Pick the right person, give them clear ownership of privacy compliance, and update your website. This is one of the most visible and easily verified requirements under Law 25, and regulators will look for it.

Step 3 — Update or create your privacy policy. If your current privacy policy is a copy-paste template from 2018, it needs to be rewritten. It needs to reflect what your business actually does with personal data, in plain language that a client or employee could actually understand.

Step 4 — Review your consent mechanisms. Look at every place your business collects personal information (contact forms, booking systems, email sign-ups, client onboarding packages) and make sure the consent you're collecting is explicit, informed, and documented.

Step 5 — Implement a data breach response plan. Law 25 requires you to notify both the Commission d'accès à l'information (CAI) and affected individuals when a breach creates a risk of serious injury. You need a documented process for detecting, containing, and reporting a breach — before one happens, not during.

Step 6 — Audit your third-party vendors. Review every software platform, cloud service, and external provider that touches your client or employee data. Confirm they are compliant with Law 25 requirements, and document those agreements. If a vendor can't demonstrate compliance, that's your problem too.

Step 7 — Train your team. Compliance isn't just a policy document, it's a practice. Your employees need to understand what personal information is, how to handle it properly, and what to do if something goes wrong. Annual training is a reasonable minimum.

Step 8 — Work with your IT provider. A significant portion of Law 25 compliance is technical — encryption, access controls, secure data storage, backup management, and breach detection all live in your IT environment. If your IT setup isn't built for privacy by design, your compliance plan has a significant gap. This is exactly where a managed IT provider becomes a critical compliance partner, not just a technical resource.


Does Quebec Law 25 apply to employees?

Yes, and this surprises a lot of Montreal business owners.

Law 25 applies to all personal information collected by private sector organizations, including information about employees and job candidates. Your employees' personnel files, performance reviews, health information, Social Insurance Numbers, banking details for payroll, and even the data collected during the hiring process are all subject to Law 25 protections.

In practical terms, this means your HR processes need to meet the same standard as your client-facing data practices. Employees have the right to access their own personal information, request corrections, and in some cases, request that their data be deleted. You need consent processes for collecting employee data that goes beyond what's strictly necessary for the employment relationship, and you need policies for how long you retain records after someone leaves the organization.

For Montreal businesses in professional services, construction, and real estate, where employee turnover can be high and HR data is often managed informally, this is a meaningful area of exposure that most haven't fully addressed.


What about businesses outside Quebec — and Quebec consumers using businesses elsewhere?

This is one of the most important and least understood aspects of Law 25, and it affects a lot of Canadian businesses that don't even realize they're in scope.

If your business is based in Quebec but serves clients outside Quebec, Law 25 still applies to how you handle all personal information — including the data of your Ontario, British Columbia, or international clients. Resitek is a good example of this. We are headquartered in Montreal, but we serve clients across Canada. Law 25 governs how we collect, store, and protect the personal information of every client we work with, regardless of where that client is located. Being a Quebec-based business doesn't limit your Law 25 obligations to Quebec residents only; it means your entire data handling practice must meet the Law 25 standard.

If your business is based outside Quebec but serves Quebec residents, Law 25 still applies to you. An Ontario-based company with clients in Montreal is subject to Law 25 for any personal information it collects from those Quebec residents. This is one of the most common compliance gaps we see: businesses outside the province assuming that because they're not physically in Quebec, the law doesn't apply to them. It does.

If you're a Quebec consumer using a business based outside Quebec, your protections under Law 25 technically apply — but enforcement becomes more complex. Quebec's Commission d'accès à l'information has jurisdiction over organizations collecting the personal information of Quebec residents, but pursuing a complaint against an out-of-province business involves cross-jurisdictional coordination. At the federal level, PIPEDA — Canada's federal privacy law — provides a baseline of protection for Canadians in interprovincial transactions. Quebec residents dealing with businesses outside the province can file complaints under PIPEDA through the Office of the Privacy Commissioner of Canada. Law 25 and PIPEDA are separate frameworks, but they overlap in ways that provide layered protection for Quebec consumers.

The practical takeaway for Montreal businesses: if your clients or employees are anywhere in Canada, your data handling practices need to be solid. Law 25 sets a high bar — and meeting it means you're in good shape regardless of where your clients are located.


What are the penalties for Law 25?

Here are the numbers that tend to focus minds, and there are actually two tiers.

For less serious violations, the CAI can issue administrative monetary penalties of up to $10 million CAD or 2% of worldwide turnover, whichever is greater. For serious offences brought before the Court of Quebec, fines climb to $25 million CAD or 4% of worldwide turnover, whichever is greater.

These are not hypothetical fines sitting in a policy document: the Commission d'accès à l'information actively investigates complaints, conducts audits, and has the authority to impose significant penalties on organizations that fail to comply.

Beyond administrative penalties, Law 25 also introduces the right of individuals to seek damages for privacy violations, meaning non-compliant businesses face potential civil liability on top of regulatory fines. For a Montreal law firm, real estate brokerage, or engineering company, the reputational and legal exposure from a publicized privacy complaint could easily dwarf the cost of getting compliant in the first place.

Smaller violations, like failing to publish your Privacy Officer's contact information or having an inadequate privacy policy, carry lower penalties, but they're still on the enforcement radar. The CAI has been clear that it expects organizations to take compliance seriously, and it has the tools to verify that they do.


What is the breach notification requirement under Quebec Law 25?

If a privacy breach occurs and it creates a risk of serious injury to an individual, Law 25 requires you to take two immediate steps.

First, you must notify the Commission d'accès à l'information as soon as you become aware of the breach. Second, you must notify every affected individual whose personal information was compromised. Both notifications must include what happened, what information was involved, what steps you are taking to contain the breach, and what the affected person can do to protect themselves.

The phrase "risk of serious injury" is defined broadly and includes risks to physical or psychological wellbeing, reputation, financial situation, and employment. In practice, most meaningful data breaches — an exposed client database, a ransomware attack that encrypts personnel files, an email sent to the wrong recipient containing financial information — will trigger the notification requirement.

This is why having a documented incident response plan and a managed IT partner capable of detecting and containing breaches quickly is not optional under Law 25. The faster you detect a breach, the faster you can contain it, the smaller the notification obligation, and the more control you have over the outcome. Businesses that discover a breach months after it happened — which is common without proactive monitoring — face a much harder conversation with both regulators and clients.

For more on how to build the kind of IT security posture that supports Law 25 compliance, read our blog on why Montreal businesses are the new target for ransomware attacks in 2026 and what proactive cybersecurity actually looks like for a growing business.


Ready to get serious about Bill 25 compliance? Explore Resitek's cybersecurity and managed IT services for Montreal businesses, or book a free consultation with our team today. Call us at 514-447-7840.


The bottom line

Bill 25 is not going away, and the enforcement window for "we're still figuring it out" has closed. If your Montreal business is collecting personal information, and it almost certainly is, the compliance obligations are real, the penalties are significant, and the technical requirements are not something you can manage with a policy document alone.

The good news is that Law 25 compliance and good IT security practice are largely the same thing. Encryption, access controls, breach detection, secure backups, vendor management: a well-run managed IT environment gets you most of the way there. The rest is documentation, training, and making sure the right people own the right responsibilities.

Resitek works with Montreal businesses across professional services, construction, real estate, and engineering to build IT environments that support privacy compliance from the ground up. If you want to know where your gaps are, we'll tell you honestly — and we'll help you close them.

Book your free consultation today or call 514-447-7840.


___________________________________________________________________________________________________________________

Sources and references

  1. Commission d'accès à l'information du Québec (CAI) — official regulatory body for Law 25 — https://www.cai.gouv.qc.ca/protection-renseignements-personnels/information-entreprises-privees
  2. Canadian Federation of Independent Business, Everything you need to know about Quebec's Law 25 — https://www.cfib-fcei.ca/en/site/qc-law-25
  3. LégisQuébec, Act to Modernize Legislative Provisions as Regards the Protection of Personal Information — https://www.legisquebec.gouv.qc.ca
  4. Office of the Privacy Commissioner of Canada, PIPEDA for businesses — https://www.priv.gc.ca/en/for-businesses
  5. Government of Canada, Canadian Centre for Cyber Security — https://www.cyber.gc.ca/en

2026 Resitek Information Technologies Inc. All rights reserved. resitek.com | (514) 447-7840