Law 25 Compliance Checklist: 12 Steps Every Quebec Business Must Complete (2026)

Alexandre Sauvageau



All three phases of Quebec's Loi 25 are now in force. Here is the exact 12-step checklist every business must complete to avoid fines up to $25M — from designating a Privacy Officer to auditing your AI tools.

Who does Loi 25 apply to — and what are the real penalties?

Loi 25 — officially the *Loi modernisant des dispositions législatives en matière de protection des renseignements personnels* — applies to every private-sector organization in Quebec that collects, holds, uses, or communicates personal information about Quebec residents. That includes sole proprietorships, non-profits, law firms, agencies, SaaS companies, and any business using a third-party tool (like an AI email assistant) that processes client or employee data. There is no revenue threshold. A five-person agency is as subject to Loi 25 as a 500-person firm. The law is fully in effect as of September 2024, with all three phases having come into force between September 2022 and September 2024.

The sanctions regime is the harshest in North America. The Commission d'accès à l'information (CAI) can impose administrative monetary penalties of up to $25 million CAD or 4% of worldwide revenue, whichever is greater, for serious violations. Beyond fines, Loi 25 creates a private right of action: any individual whose rights were violated can sue your organization directly — without needing to prove specific damages — with statutory minimum damages guaranteed. No equivalent mechanism exists under GDPR, PIPEDA, or CCPA. Quebec courts have already begun seeing cases, and the CAI has started issuing formal guidance on enforcement priorities for 2025–2026.

The 12-step Loi 25 compliance checklist

1. Designate a Privacy Officer. Under Section 3.1 of P-39.1, every organization must publicly identify a person responsible for the protection of personal information. This person's name and contact details must be published on your website.
2. Publish a compliant privacy policy. Your policy must describe what data you collect, why, how long you keep it, who you share it with, and how individuals can exercise their rights. Generic templates don't comply — the policy must reflect your actual practices.
3. Build a personal information register. Document every category of personal data you hold, its source, where it's stored, who has access, retention period, and which third parties receive it.
4. Conduct Privacy Impact Assessments (PIAs) for new projects. Any new system or third-party tool that collects personal data — including AI email assistants — requires a PIA before deployment. The CAI provides an ÉFVP (évaluation des facteurs relatifs à la vie privée) framework.
5. Implement consent mechanisms. Consent must be manifested clearly, separately from other terms, in plain language, and specific to each purpose. Pre-ticked boxes are invalid under Loi 25.
6. Set up a breach notification procedure. You must notify the CAI and affected individuals with diligence after discovering a breach that poses a risk of serious injury. This requires incident detection, internal escalation, and pre-drafted notification templates.

7. Establish data retention schedules. Personal data must be destroyed or anonymized once its purpose has been fulfilled. You need documented retention periods for each data category and an enforced destruction process.
8. Enable data subject rights requests. Individuals can request: access to their data, correction, deletion, portability (since September 2024), de-indexation, and human review of any automated decision affecting them. You need a process to handle these within 30 days.
9. Audit all third-party vendors. Any supplier receiving Quebec personal data must have a contract that includes privacy obligations equivalent to Loi 25 — this includes cloud providers, CRMs, email tools, and marketing platforms. Verify their data residency and breach notification commitments.
10. Implement data minimization. Collect only what's strictly necessary. Every data field must have a documented justification. Excess data — whether in forms, emails, or databases — is a liability.
11. Enable data portability. Since September 2024, individuals can request their data in a structured, commonly-used, machine-readable format. Your systems must be able to export personal data on demand.
12. Disclose automated decision-making. If you use AI that makes decisions affecting individuals (including email AI that sorts, prioritizes, or drafts responses), you must disclose this, explain the logic, and offer the individual the right to request human review.
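Steps 3, 7 and 11 are the ones that translate most directly into code: a register of what you hold and for how long, a scheduled job that applies the retention decision, and an export that hands an individual their data in a machine-readable form. The following is an added illustration of how those three pieces fit together; it is not code from this article or from any product it mentions. The register categories, retention periods, identifying-field list and sample records are constructed for the example and are not prescribed by Loi 25 or the CAI, and the "keep / anonymize / destroy" outcome is whatever the register says the category's end of life is.

```python
"""Personal information register with retention enforcement and portability export.

Added example (not from the article or any vendor). All category names,
retention periods and sample records below are constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RegisterEntry:
    """One row of the personal information register (checklist step 3)."""
    category: str
    purpose: str
    source: str
    storage: str
    access_roles: tuple[str, ...]
    retention_days: int
    third_parties: tuple[str, ...]
    end_of_life: str  # "destroy" or "anonymize" once the purpose is fulfilled


@dataclass(frozen=True)
class Record:
    """A stored item of personal data belonging to one data subject."""
    subject_id: str
    category: str
    collected_on: date
    data: dict


# Constructed register for a small agency (hypothetical values, not guidance).
REGISTER = {
    "client_contact": RegisterEntry("client_contact", "service delivery", "intake form",
                                    "CRM (Canada region)", ("account_manager",),
                                    365 * 3, ("crm_vendor",), "anonymize"),
    "newsletter": RegisterEntry("newsletter", "marketing email", "web signup",
                                "email platform", ("marketing",),
                                365 * 2, ("email_vendor",), "destroy"),
    "support_email": RegisterEntry("support_email", "customer support", "inbound email",
                                   "helpdesk", ("support",), 365, (), "destroy"),
}

# Fields treated as direct identifiers for anonymization (constructed list).
IDENTIFYING_FIELDS = frozenset({"name", "email", "phone"})

# Constructed sample data and a fixed "today" so the run is deterministic.
SAMPLE_RECORDS = [
    Record("c-001", "client_contact", date(2022, 1, 10),
           {"name": "A. Tremblay", "email": "a@example.com", "region": "Montreal"}),
    Record("c-001", "newsletter", date(2025, 6, 1),
           {"email": "a@example.com", "language": "fr"}),
    Record("c-002", "support_email", date(2024, 1, 5),
           {"email": "b@example.com", "ticket": "T-17"}),
]
TODAY = date(2026, 1, 15)


def retention_action(record: Record, register: dict, today: date) -> str:
    """Step 7: decide 'keep', 'destroy' or 'anonymize' from the register's schedule."""
    entry = register[record.category]
    expires = record.collected_on + timedelta(days=entry.retention_days)
    return "keep" if today < expires else entry.end_of_life


def anonymize(record: Record) -> Record:
    """Strip direct identifiers so the remainder no longer relates to a person."""
    scrubbed = {k: v for k, v in record.data.items() if k not in IDENTIFYING_FIELDS}
    return Record("anonymized", record.category, record.collected_on, scrubbed)


def enforce_retention(records: list, register: dict, today: date) -> tuple:
    """Apply the schedule; return (surviving records, audit log of actions taken)."""
    kept, log = [], []
    for r in records:
        action = retention_action(r, register, today)
        if action == "keep":
            kept.append(r)
            continue
        if action == "anonymize":
            kept.append(anonymize(r))
        # "destroy": simply not carried forward
        log.append({"subject_id": r.subject_id, "category": r.category,
                    "action": action, "on": today.isoformat()})
    return kept, log


def export_subject_data(subject_id: str, records: list, register: dict) -> dict:
    """Step 11: structured export of everything held about one individual."""
    categories = []
    for r in records:
        if r.subject_id != subject_id:
            continue
        entry = register[r.category]
        categories.append({"category": r.category, "purpose": entry.purpose,
                           "collected_on": r.collected_on.isoformat(),
                           "shared_with": list(entry.third_parties), "data": r.data})
    return {"subject_id": subject_id, "categories": categories}


def export_subject_json(subject_id: str, records: list, register: dict) -> str:
    """Machine-readable form of the export (JSON)."""
    return json.dumps(export_subject_data(subject_id, records, register),
                      indent=2, ensure_ascii=False)


if __name__ == "__main__":
    kept, log = enforce_retention(SAMPLE_RECORDS, REGISTER, TODAY)
    print(json.dumps(log, indent=2))
    print(export_subject_json("c-001", kept, REGISTER))
```

The audit log is the part a regulator or auditor will actually ask for: it shows that the documented retention period was applied, on which date, and whether the outcome was destruction or anonymization. Note that an anonymized record drops out of the portability export, which is the intended behaviour, since it is no longer that person's data.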

The 3 most common Loi 25 compliance mistakes Quebec businesses make

Mistake 1: No designated Privacy Officer. This is the single most common non-compliance flag. Many businesses assume the CEO or IT manager implicitly fulfills this role. Loi 25 requires an *explicit, named* designation — and that name must be published publicly on your website or intranet. The Privacy Officer doesn't need to be a lawyer or specialist. What matters is accountability: a named person who can be contacted about privacy matters, who knows the obligations, and who is empowered to act. Without this, the CAI has grounds for immediate sanctions, regardless of your actual data practices.

Mistake 2: Using a US-based cloud service without a privacy agreement. The CLOUD Act allows US authorities to compel American companies to produce data stored anywhere in the world. If your AI email tool, CRM, or document platform runs on US infrastructure without a data processing agreement, you may be exposing Quebec personal data to foreign jurisdiction — a direct violation of Loi 25's data residency and third-party vendor requirements. The fix is either a qualifying Privacy Impact Assessment confirming the tool meets Loi 25 standards, or switching to a provider with verified Canadian data residency.

Mistake 3: A privacy policy that doesn't match real practices. Many businesses copy a template, publish it, and consider themselves compliant. Loi 25 requires your policy to accurately describe *actual* data flows. If your policy says you don't share data with third parties but your email tool or analytics platform does, the policy itself becomes evidence of non-compliance. The CAI has been auditing policies against actual data flows, particularly for businesses that use AI tools. An accurate, regularly-reviewed policy is both a compliance requirement and your first line of defense if a complaint is filed.

How AI email tools create Loi 25 obligations — and how to audit them

AI email tools are among the highest-risk third-party vendors under Loi 25. They process email content — which contains names, contact details, behavioral patterns, professional relationships, and sometimes confidential information — at scale, often using servers located outside Canada. Under Loi 25, your organization remains the controller of this personal data even when the processing is delegated to a vendor. That means: if the vendor has a breach, you notify the CAI with diligence. If the vendor uses data for model training, you've violated consent obligations. If the vendor's servers are in the US, you need a qualifying data transfer agreement or a PIA confirming adequate protections.

Your vendor audit checklist for AI email tools must include:
(1) data residency location — Canadian servers preferred, US requires CLOUD Act analysis;
(2) whether user email data is used for AI model training — must be opt-out at minimum, opt-in preferred;
(3) breach notification SLA — must commit to notifying you within 24 hours;
(4) a signed data processing agreement with Loi 25-equivalent protections;
(5) whether the tool discloses automated decision-making to end users.

Agentys was built for this compliance reality from the ground up. Data is stored exclusively in Canadian-certified data centers (no US infrastructure). Email content is never used to train AI models — your data stays yours. Every user sees a clear disclosure that AI processing is occurring, with a human-review step before anything is sent. A named Privacy Officer is publicly listed. And the Data Processing Agreement is available on request before you sign. If your current AI email vendor can't provide answers to all five audit questions above, that's a Loi 25 risk your organization is carrying today.

Loi 25 compliance is not a one-time project — it's an ongoing operational commitment. The 12 steps above cover the full scope of obligations now in force. But compliance isn't just about avoiding fines. Quebec's privacy law is the most rights-respecting framework in North America. Organizations that implement it properly build trust with clients, reduce breach exposure, and future-proof their data practices against even stricter regulation coming at the federal level (Bill C-27). Start with the three highest-impact steps: designate your Privacy Officer today, audit every third-party tool that touches personal data, and publish an accurate privacy policy. Everything else follows from those foundations.