
What Is Loi 25? 

Loi 25 (Bill 64) is a breakthrough privacy law that strengthens consumer data protection for Québec residents and overhauls Quebec’s privacy framework. It applies to anyone doing business in Quebec or handling the information of its residents.

In a nutshell, Loi 25 states that businesses operating in the province must enhance data privacy, transparency, and accountability as a way to reinforce individuals’ rights over their personal data. As such, companies must implement measures such as appointing a privacy officer, conducting privacy impact assessments, and obtaining explicit consent for data collection.

Noncompliance with Quebec’s Loi 25 requirements can lead to severe penalties and multimillion-dollar regulatory fines. The key obligations and penalties include:

  • The need to disclose and request user consent before collecting their data
  • The obligation to notify affected individuals in case of data breaches
  • Penal fines up to $25M (or 4% of yearly worldwide turnover, whichever is higher) for non-compliant companies.
  • Administrative penalties up to $10 million (or 2% of yearly worldwide turnover, whichever is higher) for non-compliant companies

Mindsec’s Loi 25 compliance and automation solutions streamline operations to help organizations stay on the good side of Quebec’s legislation.

Mindsec Is With You Every Step Of The Loi 25 Automation Way

Adhering to Loi 25 on your own is tough. Mindsec’s software and bilingual expert guidance simplify the requirements from start to finish, so you can upgrade your privacy protocols, avoid multimillion-dollar fines, and rest easy doing business in Quebec.

Swift Compliance

Complying with Loi 25 can take up to a year without a clear starting point. Mindsec’s solution takes you to the finish line in weeks to maximize your ROI.

Meaningful Cost-Savings

Compliance consumes lots of resources. Mindsec saves you the need to hire a full-time team and helps you achieve your compliance goals in a fraction of the time, for a fraction of the cost.

End-To-End Expert Backing

Our team remains with you at every step of the security journey, helping you avoid bottlenecks, mishaps, and delays in the safeguarding of your company and your customers’ rights.

Loi 25 Compliance, Fast And Seamless


Regain Control Of Your Business With Mindsec Loi 25 Automation

As Loi 25 continues to roll out, businesses must prioritize compliance to avoid hefty fines and maintain customer trust. Mindsec’s solutions ensure that you stay ahead of regulatory changes with confidence. Our tools and expertise allow you to focus on your core operations while maintaining the highest data protection standards.

Our team helps you adhere to Quebec’s legal frameworks on data privacy while you take a back seat and…

  • Enjoy pre-mapped controls and pre-written policies for the easiest compliance ever
  • Save 70% of the time and costs of compliance
  • Avoid multimillion-dollar fines that could bankrupt your business
  • Receive security and IT support from bilingual security experts (EN/FR)
Let’s Work Together
Meet Your Local Loi 25 Compliance Partner

Compliance Is Our Favorite Word

Whether you’re established in Quebec or looking to do business here, Mindsec keeps you on the good side of Loi 25.

Be Ready For Opportunity

Top-grade privacy protocols put you in the best position when dealing with clients, auditors, and new business partners.

Permanent Guidance

Our experts will brief you and keep you compliant whenever Loi 25 is revised.

Loi 25 applies to any governmental or commercial institution that handles Quebec citizens’ data in Quebec, Canada, or abroad. This includes:

  • Canadian Firms Serving Quebec
  • E-commerce sites for Quebecers
  • Quebec-based SaaS companies processing user data
  • International firms courting Quebecers

No matter where you are located, you must comply if your company gathers, maintains, or processes Quebec data.

Consent must be:

  • Free
  • Informed
  • Precise
  • Explicit

Users should know:

  • What data is collected
  • Why it’s gathered
  • How it’s used
  • Who it’s shared with

Yes. Every company must appoint a Privacy Officer (the “Person in charge of personal information”). Usually, this is the CEO or highest-ranking executive, though it may be delegated in writing. Responsibilities include:

  • Overseeing privacy compliance
  • Managing access and correction requests
  • Handling breach notifications
  • Coordinating audits and staff training

The company’s privacy policy must include the Privacy Officer’s contact information.

A Privacy Impact Assessment (PIA) evaluates how a new project or technology may affect privacy. A PIA is required before launch for:

  • Any initiative involving personal data
  • Cloud or international data transfers
  • AI decision-making tools
  • New services that gather or analyze user data

PIAs must outline:

  • Privacy hazards
  • Mitigation strategies

These are critical compliance documents and should be retained for audits.

These principles mean privacy must be built into every system and process from the start. By default:

  • Only minimum personal data should be collected
  • The strongest privacy settings must be pre-selected

Examples:

  • Forms should request only essential information
  • Marketing communications should require opt-in consent
  • Systems should limit data visibility unless users choose otherwise

Under Loi 25, individuals may request the erasure or anonymization of their data if:

  • It was collected illegally
  • It is outdated
  • It is no longer needed

Requests must be processed within 30 days unless an exemption applies. The process must be clear and accessible.

Organizations must:

  • Keep a record of all breaches
  • Notify the CAI and affected individuals immediately if there is a “risk of serious injury.”

Risk factors include:

  • Sensitivity of data
  • Population affected
  • Potential for misuse

Your incident response plan must allow for quick investigation, containment, notification, and remediation.

Yes, but under strict conditions. Before transferring data beyond Quebec, organizations must:

  • Conduct a Privacy Impact Assessment
  • Ensure the destination provides equivalent legal protection
  • Inform the individual about the transfer
  • Use contractual protections

Neglecting these steps can result in sanctions, especially if data is sent to jurisdictions with weaker privacy laws.

Fact: Only fully anonymized, irreversible data is out of jurisdiction. Changing names to codes (pseudonymization) is inadequate to shield such data from the law.

Fact: Law 25 penalizes compliance lapses beyond breaches. Fines may apply for:

  • Lack of consent
  • Poor data retention
  • Not registering an Information Guardian
  • Skipping PIAs
  • Ignoring privacy by default

Even without a breach, penalties may exceed CAD 25 million or 4% of turnover.

Fact: Size does not create exceptions. Once an entity handles data beyond personal use, it must comply with Loi 25.

Fact: Contractual safeguards assist, but you must notify individuals about:

  • The destination of the data transfer
  • Associated dangers
  • Protection measures

Passive reliance on ‘model clauses’ is not compliant.

Fact: Privacy Impact Assessments (PIAs) must include:

  • Risk evaluations
  • Mitigation plans
  • Executive approval and documentation

Auditors and regulators may demand verification for new systems or sensitive processes.

Fact: Loi 25 mandates prior permission for data collection and use. Consent must be:

  • Informed
  • Explicit
  • Documented

Fact: Disclosure is required for automated decision-making that affects:

  • Legal
  • Social
  • Financial
  • Reputational outcomes

You must:

  • Inform users
  • Explain logic
  • Enable reviews

Even benign consequences do not exempt disclosure.

Fact: Only irreversibly anonymized data is exempt. Pseudonymization is not enough. De-identification supports compliance but must be verified for legality.

Fact: Physical safety is not a substitute for legal equivalence. The U.S. lacks Quebec-like privacy protections. Use:

  • Encryption
  • Disclosures
  • Contractual and organizational safeguards

Fact: All active personal data systems must comply. Legacy applications storing Quebec data must:

  • Enforce privacy defaults
  • Update consent logs
  • Replace outdated protections
  • Perform retroactive PIAs, if required

Fact: Enforcement is ramping up. Privacy now plays a key governance role. Integration—not surface-level tweaks—is essential.

Fact: Compliance is phased:

  • Consent updates began earlier
  • Privacy by default kicks in late 2024
  • Complete assessments are required by September 2025

Fact: Loi 25 has no third-party certification system.

  • Internal audits ensure compliance
  • Branding aids visibility but doesn’t replace legal governance or documentation

Fact: Only an authorized Information Guardian can manage privacy obligations. General policies are ineffective without assigned responsibility and staff training.

Fact: Self-reporting doesn’t ensure immunity.

  • Penalties are still possible if safeguards are lacking
  • Prompt reporting reduces penalties
  • Long-term protection requires systemic compliance

Fact: Loi 25 promotes continuous improvement:

  • Annual compliance evaluations
  • Regular PIA updates
  • Fresh consent collection
  • Breach log maintenance
  • Ongoing staff training

Organizations must develop a privacy culture, not a checkbox approach.

 

Loi 25 is changing how companies in Quebec handle people’s data. The rules are strict, the penalties are huge, and even small businesses must now prove they are protecting customer information. But for most teams, figuring out what exactly Loi 25 compliance means in real life is confusing and takes up too much time and too many resources.

Mindsec helps companies cut through the noise. With our mix of automation software and expert guidance, you can meet the new privacy requirements without drowning in paperwork or hiring huge compliance teams. Loi 25 certification automation makes the whole process smoother, faster, and a lot less stressful.

Law 25 isn’t just another regulation to check off. It forces companies to rethink how they collect, store and use customer data. That means new processes, new policies, and a lot of reporting. If you fail, fines can reach millions of dollars, not to mention the damage to your reputation. By taking compliance seriously now, you build stronger trust with customers and partners who expect their information to be handled safely.

Most businesses don’t have the time or tools to keep up with every detail of Loi 25. That’s where Mindsec comes in. Our platform automates evidence collection, risk tracking and policy management, so you always know where you stand. With Loi 25 certification automation, you’re not waiting till the last minute to get audit ready—you’re already prepared.

And it’s not just the software. Our team guides you through the process, pointing out gaps, helping write policies, and making sure every control is covered. We cut down wasted time, lower compliance costs, and keep the focus on business growth instead of endless forms.

In the end, Loi 25 compliance is about more than avoiding penalties. It’s about showing customers you respect their privacy and take security seriously. With Mindsec, achieving and maintaining compliance is no longer a headache. You save time, reduce stress, and most importantly, you build the kind of trust that lasts.

Mindsec makes Law 25 compliance and certification automation simple, affordable, and reliable. Don’t let privacy rules hold back your business. Turn them into an advantage.

Why Companies Choose Mindsec

  • Faster certification – 70% quicker time to audit readiness compared to manual processes.
  • Lower costs – Save big by reducing wasted effort and consultant fees.
  • Always audit ready – Automated monitoring and evidence collection so nothing falls through the cracks.
  • Expert support – Our team works alongside yours, guiding you at every stage.
Great Compliance Goes Along With Great Resources.
Loi 25 Incident Response Plan: A How To Guide
By Rodrigo 23 July, 2025

If you’re a Quebec resident or do business in Quebec, you should know that Quebec’s Loi 25 doesn’t only require companies to protect personal data. It also demands a swift, structured incident response plan for when things go south. Having a concrete cyber security incident response protocol allows companies to alleviate...

Quebec’s Law 25 Compliance: What you need to know
By Mindsec Staff 1 March, 2024

Requiring lengthy and complicated compliance processes and with potential fines in the millions of dollars, Law 25 is something businesses dealing with Quebecers' personal information can no longer ignore.  Here's what you need to know to make sure you aren’t found to be noncompliant.

Quebec's Loi 25 in comparison with GDPR and CCPA
By Mindsec Staff 9 July, 2024

Quebec's privacy and data security arena is transforming, and organizations are already racing against time to adapt. Mirroring the advanced privacy benchmarks set by Europe's General Data Protection Regulation (GDPR), Quebec's National Assembly unanimously passed Loi 25, also known as The Privacy Legislation Modernization Act, on September 21st, 2021. The...

Why Stall?
Book A Call!

The greater your growth, the higher the stakes. Don’t leave compliance to chance or fate. Get in touch with our team’s experts to get your questions answered and learn all the ways Mindsec can help you.
