Quebec Law 25 applies to any organization handling the personal information of Quebec residents — including startups based elsewhere in Canada or abroad that serve Quebec customers.
See also the Quebec Law 25 overview.
Where Quebec Law 25 fits into a Canadian company’s compliance picture, and where Canadian regulators change the calculus.
If Quebec residents use your product, Law 25 applies even if you are headquartered in Toronto or the US.
Penalties reach up to $25 million CAD or 4 percent of worldwide turnover, a real reason to prioritize it.
Law 25 requires informing individuals about decisions based solely on automated processing.
US companies serving Quebec users are in scope too, and US-based, Canadian-market startups often discover Law 25 late. Building it into your privacy program early avoids a costly retrofit.
Law 25 pairs directly with PIPEDA for the rest of Canada and with GDPR if you serve the EU. The underlying data map and controls are shared.
traztech is a Toronto (Bay St) security and compliance firm, led by a published CVE researcher, delivering to startups across Canada and the US with our partner Lorikeet Security.
Yes. If you handle the personal information of Quebec residents, Law 25 applies even if you are headquartered elsewhere in Canada or abroad.
Law 25 pairs directly with PIPEDA for the rest of Canada and with GDPR if you serve the EU. The underlying data map and controls are shared.
Yes. traztech is a Toronto-based security and compliance consultancy serving startups across Canada and the US, led by a published CVE researcher and partnered with Lorikeet Security. We run Quebec Law 25 engagements end to end.
Book a free discovery call. We will tell you whether Quebec Law 25 fits, what it would take, and roughly what it would cost.