The Complete 2025 Law 25 Checklist: Are You Actually Ready?

Look, we have to talk about Law 25. If you run a business in Quebec or handle data of anyone living there, this legislation isn’t just a “nice to have” anymore. It’s fully here, the deadlines have passed, and honestly, the fines are scary enough to keep anyone up at night.

I know, I know. Nobody wakes up in the morning excited to do compliance paperwork. But here at MindSec, we’ve seen what happens when companies ignore this. 2025 is the year when the rubber meets the road. The “grace period” vibe is gone.

1. The “Who is in Charge?” Question

First things first. Who is the boss of your data? Under Law 25, the person with the highest authority in your company (usually the CEO) is automatically the Privacy Officer.

A lot of people don’t realize this. They think, “Oh, I didn’t appoint anyone, so I’m safe.” No, actually, if you didn’t appoint anyone, it’s you.

Action Item: Delegate or Own It.
You need to officially delegate this role if you don’t want to do it yourself. Once you pick that person, you must publish their title and contact info on your website. Not buried in a PDF, but easy to find.

2. The Incident Log (Because mistakes happen)

Here is the thing about data breaches. They aren’t always a guy in a hoodie hacking your mainframe. Sometimes it’s just Bob from Accounting sending an email to the wrong “Jennifer.”

Law 25 requires you to keep a register of confidentiality incidents. Even the small ones. If there is a “risk of serious injury” to the person involved, you have to notify them AND the CAI.

3. The PIA: Your New Best Friend

PIA stands for Privacy Impact Assessment. Before Law 25, you could just sign up for a new software tool, plug in your customer data, and call it a day. Not anymore.

Now, if you are acquiring a new electronic system or transferring data outside Quebec, you must do a PIA. You have to ask: “Is this tool safe? Where is the data going?”

MindSec Rapid Audit

Check the items that are TRUE for your business:

Privacy Officer Appointed: published on website
Incident Register Active: we log every breach
PIA Process: we assess risks first
Clear Privacy Policy: simple language
Consent Management: no pre-checked boxes
Biometric Protocol: express consent only


4. Transparency: Say What You Do

Your privacy policy can’t be a copy-paste job from 2010 anymore. Law 25 is big on transparency. You need to tell people what you are collecting, why, and who sees it. If a regular person can’t understand it, it’s not compliant.

5. Consent is King (And Queen)

This is the big one. Consent must be clear, free, and informed. You cannot use pre-checked boxes anymore. You know those forms where the “Subscribe to newsletter” box is already ticked? Yeah, that’s illegal now.

Technology Note: Check your cookies. If you are tracking people, you need that annoying banner that asks them to “Accept” or “Decline”. And “Decline” has to be just as easy to click as “Accept”.

6. The Right to be Forgotten (and Moved)

As of late 2024, the “Portability” right kicked in. This means if a customer asks for their data, you have to give it to them in a structured, commonly used computerized format. You can’t just hand them a stack of paper.

They also have the right to de-indexing and the right to have their data destroyed when the purpose for collecting it is over. You can’t hoard data “just in case” you need it in ten years. If the project is done, the data should be deleted or anonymized.

7. Biometrics: The Danger Zone

Are you using fingerprints for clocking in? Face ID? Voice recognition? Law 25 is super strict on biometrics. You must disclose it to the CAI before you create the database. You need express consent.

Warning: High Risk Territory.
If you can avoid using biometrics, honestly, just avoid it. If you must use it, double-check your security protocols immediately.

The MindSec Takeaway

Compliance isn’t a one-time thing. It is a habit. Law 25 is designed to make us think about data differently. If you got a low score on the audit above? Don’t panic. Just reach out to us at MindSec.