Compliance · 10 min read · March 26, 2026

Quebec's Law 25: Compliance Guide for SMBs

Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) came into force in Quebec in three phases, in September 2022, 2023 and 2024; most of the obligations described here have applied since September 2023. All businesses that collect personal information are covered, including SMBs, self-employed workers and clinics. This guide explains concretely what the law requires from you, without legal jargon.

What Law 25 Changes for Your Business

Before Law 25, Quebec had data protection rules, but they were rarely enforced for small businesses. Law 25 changes the game: regardless of your size, if you collect names, emails, phone numbers or any other identifying information, you are subject to the law.

The penalties are substantial: administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines of up to $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. For an SMB, even a fraction of these amounts can be devastating.

The 7 Concrete Obligations

1. Designate a person responsible for the protection of personal information. By default, this is the person with the highest authority in the company (the owner or CEO), who may delegate the role in writing. The title and contact information of this person must be published on your website.

2. Publish a privacy policy on your site. It must be written in clear, accessible terms, not legal jargon, and specify what data you collect, why, how, how long you keep it, and who you share it with.

3. Obtain consent before collecting personal data. A pre-checked form is not enough: consent must be manifest, free, informed and given for specific purposes. For sensitive data (medical, biometric or otherwise intimate information), consent must be given expressly.

4. Inform visitors who interact with an automated system. Article 12.1 requires you to inform a person, at the time of or before the decision, when a decision about them is based exclusively on automated processing of their personal information, and, on request, to explain what information was used and give them a way to have the decision reviewed by a person. A chatbot or "smart" form that screens, qualifies or decides anything about the visitor falls under this, so say up front that they are interacting with an automated system.

5. Respect the right of access, correction and deletion. Any person can ask what data you hold on them, demand corrections or request deletion. You have 30 days from the request to respond, in writing.

6. Report privacy incidents. If a confidentiality incident (theft, loss, unauthorized access or use) presents a risk of serious injury, you must report it promptly to the Commission d'accès à l'information (CAI) and notify the affected individuals. Every incident, reportable or not, must be recorded in an incident register.

7. Conduct privacy impact assessments (PIA). Before acquiring, developing or overhauling any system that collects or processes personal data, and before communicating personal data outside Quebec, you must carry out a privacy impact assessment proportionate to the sensitivity of the data.

The Minimum Viable Compliance for an SMB

You don't need a law firm to be compliant. Here are the concrete actions, in priority order:

1. Designate your responsible person and publish their title and contact information on your site (5 minutes)

2. Draft and publish your privacy policy (1-2 hours with a template)

3. Add a cookie consent banner with "Reject all" as visible as "Accept all" (30 minutes with a tool like CookieConsent)

4. Add a consent checkbox to your contact forms, not pre-checked (10 minutes)

5. If you have a chatbot, add a disclosure message at the first interaction ("You are interacting with an automated system")

6. Document where you store your data, for how long, who has access and whether it leaves Quebec (1-2 hours)

7. Create a procedure to respond to access requests within 30 days, and start an incident register to log any breach

Common Mistakes

Pre-checked consent on forms — Consent must be an active gesture. A pre-checked box or text like "by submitting this form, you agree..." does not comply with the law.

Privacy policy copied from another site — Your policy must reflect your actual practices. Copying one from another site that uses different technologies exposes you to contradictions.

No chatbot disclosure — If your site has a chatbot or virtual assistant, not telling visitors that they are interacting with an automated system, and that any decision it makes about them is automated, breaches article 12.1.

Data hosted outside Quebec without documentation — If your data is stored or processed on servers outside Quebec (the case for most US cloud services, and equally for servers elsewhere in Canada), you must assess the risks of the transfer in a PIA, document it in your policy and have a written agreement with the provider.

No procedure for access requests — A client asks for their data? You have 30 days. Without a procedure in place, you risk exceeding the deadline.

What This Means for Your Website

Your website is often the first point of personal data collection. Here are the elements to verify:

  • Privacy page accessible in one click from any page (link in the footer)

  • Cookie banner with refusal by default — no response must equal refusal

  • Contact forms with explicit consent checkbox, not pre-checked

  • Chatbot with disclosure message (automated system) and consent before data collection

  • Data hosted in Quebec preferably, or a documented assessment of any transfer outside Quebec

  • Permanent "Manage my preferences" link in the footer for cookies
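The checklist above boils down to one rule: until the visitor makes an active choice, every optional category is refused, and only a literal opt-in loads a tag or accepts a form. The following JavaScript module is an added example written for this guide, not code from the original post or from Synaptiqc. It is deliberately DOM-free so it can be unit-tested and then wired to any banner, "Manage my preferences" link or contact form; the category names, the policy-version scheme, the 13-month re-prompt interval and the tag names are assumptions for illustration.

```javascript
// Added example: consent gate for a Law 25 style cookie banner and contact form.
// Pure logic, no DOM. Storage (localStorage, cookie) and rendering are left to the site.

const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies need no consent
const POLICY_VERSION = "2026-03";              // assumed scheme: bump when the privacy policy changes
const CONSENT_MAX_AGE_MS = 13 * 30 * 24 * 3600 * 1000; // assumption: re-ask after ~13 months

// The default state: no choice recorded means every optional category is refused.
function defaultConsent() {
  return { analytics: false, marketing: false, decided: false, version: POLICY_VERSION, at: null };
}

// Parse a stored consent record. Anything missing, malformed, issued for an older
// policy version, or older than CONSENT_MAX_AGE_MS falls back to refusal, so the
// banner is shown again rather than silently reusing stale consent.
function readConsent(stored, now = Date.now()) {
  if (typeof stored !== "string" || stored.length === 0) return defaultConsent();
  let rec;
  try { rec = JSON.parse(stored); } catch { return defaultConsent(); }
  if (!rec || typeof rec !== "object") return defaultConsent();
  if (rec.version !== POLICY_VERSION) return defaultConsent();
  if (typeof rec.at !== "number" || now - rec.at > CONSENT_MAX_AGE_MS) return defaultConsent();
  const out = defaultConsent();
  for (const c of CATEGORIES) out[c] = rec[c] === true; // only a literal true is an opt-in
  out.decided = true;
  out.at = rec.at;
  return out;
}

// Serialize an explicit choice made in the banner. "Reject all" is recordConsent({}):
// same code path and same one click as "Accept all", which is what the law expects.
function recordConsent(choices, now = Date.now()) {
  const rec = { version: POLICY_VERSION, at: now };
  for (const c of CATEGORIES) rec[c] = choices[c] === true;
  return JSON.stringify(rec);
}

// Show the banner only until a choice (accept, reject or custom) has been recorded.
function needsBanner(consent) {
  return consent.decided !== true;
}

// Third-party tags and the category that must be opted in before each may load.
// Tag names are constructed for the example.
const TAGS = [
  { name: "google-analytics", category: "analytics" },
  { name: "mailchimp-popup", category: "marketing" },
];

// Which tags may be injected for this visitor. Necessary scripts are not listed: they load unconditionally.
function allowedTags(consent, tags = TAGS) {
  return tags.filter(t => consent[t.category] === true).map(t => t.name);
}

// Contact form: the consent box must have been actively ticked. A missing or false value
// blocks the submission. On success, return a receipt to store with the message so you
// can prove when, and under which policy version, consent was given if the person asks.
function validateContactForm(fields, now = Date.now()) {
  const errors = [];
  if (typeof fields.email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(fields.email)) errors.push("email");
  if (fields.consent !== true) errors.push("consent");
  if (errors.length > 0) return { ok: false, errors, receipt: null };
  return {
    ok: true,
    errors,
    receipt: { email: fields.email, purpose: "contact-request", policyVersion: POLICY_VERSION, at: now },
  };
}
```

On page load, call `readConsent(localStorage.getItem("consent"))`, show the banner if `needsBanner()` is true, and inject only the scripts returned by `allowedTags()`. The "Manage my preferences" footer link simply reopens the banner pre-filled with the current record; saving it goes through `recordConsent()` again, so a later withdrawal of consent takes effect on the next load. Keeping the checkbox's `checked` attribute out of the HTML is still a markup decision, but `validateContactForm()` guarantees that a submission without `consent === true` never reaches your inbox.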

What If I Use American Tools?

Most SMBs use tools with US-based servers: Google Analytics, Mailchimp, HubSpot, Intercom. This isn't prohibited, but Law 25 requires that you:

  • Document these transfers in your privacy policy

  • Assess the risks before the data leaves Quebec (a PIA, proportionate to the sensitivity of the data)

  • Confirm, in a written agreement with the provider, that the data will receive protection equivalent to what Law 25 requires

  • Inform your users that their data may be transferred outside Quebec

The alternative: host your data in Quebec. That's what we do at Synaptiqc: OVH infrastructure in Beauharnois, Quebec. It is simpler to document and removes the cross-border assessment, although the other obligations (policy, consent, access requests, incident register) still apply.

Conclusion

Law 25 is not an insurmountable mountain for an SMB. The basics can be put in place in one working day. What matters is starting: designate a responsible person, publish a policy, and implement consent mechanisms.

If you're not sure about your compliance level, we can help. Our free 30-minute diagnostic includes a quick assessment of your Law 25 compliance.

