Quebec Law 25 is the province's modernized private-sector privacy law, which significantly strengthened how organizations collect, use, and protect personal information about Quebec residents. It introduced mandatory breach reporting, privacy-by-default, consent rules, and transparency around automated decision-making. Its requirements phased in through 2022, 2023, and 2024.
Law 25 requires organizations to appoint a person responsible for privacy, run privacy impact assessments for certain projects, and report confidentiality incidents that pose a risk of serious injury to the regulator (the CAI) and affected individuals.
Section 12.1 requires meaningful disclosure when a decision is based exclusively on automated processing, which directly affects AI products. Penalties can reach 25 million CAD or 4 percent of worldwide turnover.
traztech delivers Quebec Law 25 readiness sprints for startups and growth-stage companies, led by a published CVE researcher.
Book a call