Compliance Guide

Loi 25 Quebec: Compliance Checklist for SMBs

Law 25 fundamentally changes how Quebec businesses handle personal data. This guide breaks down the requirements, deadlines, and concrete actions your SMB must take.

Published May 5, 2026 • Reading time: 5 minutes

1. What is Loi 25?

Law 25, Quebec's new privacy law (Loi 25 sur la protection des renseignements personnels), comes into force in June 2024. It modernizes privacy rules and applies to all organizations handling personal data of Quebec residents. Non-compliance carries fines up to $50,000 for individuals and $250,000 for organizations.

2. Key Requirements for SMBs

Consent by Default

You must get explicit consent before collecting personal data. Opt-in, not opt-out.

Data Minimization

Collect only what you need. Document why you need each data point.

Right to Access

Individuals can request all data you hold about them, and you must respond within 30 days.

Right to Delete

If someone asks, you have 30 days to delete their data (with exceptions).

Data Security

Implement reasonable security measures. Document your security practices.

Privacy by Design

Privacy must be embedded in processes, not added later.

3. Compliance Timeline

June 2024: Law 25 comes into force
By June 2024: Update privacy notices and consent mechanisms
By June 2024: Audit data flows and delete unnecessary data
Ongoing: Respond to access/deletion requests within 30 days

4. Your 30-Day Action Checklist

☐ Audit: Map all personal data you collect (names, emails, IPs, cookies, etc.)
☐ Review: Check current consents — are they explicit and documented?
☐ Update: Rewrite privacy notices in plain language
☐ Tech: Implement consent management and data deletion workflows
☐ Document: Create a data inventory and security practices list
☐ Train: Brief your team on new data handling rules

5. FAQ

Do I need a lawyer?

For initial setup, yes. But many SMBs start with this checklist and consult only on grey areas.

What about cookies?

Yes, cookies require explicit consent under Loi 25. Update your cookie banner immediately.

We have no data retention policy — what now?

Create one. Define how long you keep each data type and delete older data.

Customer says delete my data — can we refuse?

Only with documented business/legal grounds. The default is to delete the data within 30 days.

Conclusion

Loi 25 is not a one-time project — it's a shift to privacy-first operations. Start with the checklist above, then build systems to sustain compliance.