Quebec Law 25 (Loi 25) Compliance Guide 2026: Avoid $25M Fines
Alexandre Sauvageau
Quebec's Law 25 (Loi 25) is now fully in force — the strictest privacy law in North America with fines up to $25M CAD. Get the complete 2026 compliance checklist, automation tactics, and how AI email tools must comply.
What is Quebec Law 25 (Loi 25) and why it matters more than GDPR
Quebec's Law 25 (also called Loi 25) — officially the *Loi modernisant des dispositions législatives en matière de protection des renseignements personnels* — is the most rigorous data privacy law in North America. English-speaking businesses often search for it as Law 25 Quebec or Law 25 compliance automation; both terms refer to the same statute. Adopted by the Assemblée nationale in September 2021 and deployed in three phases (September 2022, September 2023, September 2024), it entirely reshaped how every organization must handle personal information of Quebec residents. Unlike Canada's federal PIPEDA, which hasn't seen a major update since 2000, Loi 25 was written for the age of AI, cloud computing, and behavioral profiling. It applies to any company, domestic or foreign, that collects, uses, or stores personal information of Quebec residents during commercial activities. There are no minimum thresholds: no minimum number of Quebec residents served, no minimum revenue, and no industry exemptions. Non-profits, unions, and professional practices are all covered. Only spiritual and religious organizations receive a narrow exclusion. For federally regulated entities (banks, telecoms, airlines), Canada's PIPEDA applies concurrently, but where Loi 25 is stricter, the higher standard governs. The federal Artificial Intelligence and Data Act (AIDA) under Bill C-27 would add further AI-specific obligations with penalties of $10–25M, but until AIDA passes, Loi 25's automated-decision provisions remain the strongest AI-relevant rules in Canada.
For professionals using AI email tools, Loi 25 is uniquely relevant. Your inbox is arguably your most sensitive data silo: it contains names, addresses, phone numbers, financial details, health information, legal correspondence, confidential business strategies, and intimate personal exchanges. Under Loi 25, "sensitive personal information" is defined as information creating a high reasonable expectation of privacy due to its medical, biometric, or otherwise intimate nature, or the context of its use or communication — email content meets this definition squarely. An AI that reads, analyzes, and generates drafts from this data is processing personal information at industrial scale. Loi 25 imposes penalties of up to $25 million or 4% of worldwide turnover (whichever is greater) for non-compliance, matching GDPR's ceiling. The Commission d'accès à l'information du Québec (CAI) can also impose administrative monetary penalties of up to $10 million or 2% of worldwide revenue without going to court. If your AI email tool is based overseas and makes no mention of Loi 25, that's a compliance gap you're inheriting.
The three-phase timeline: what changed and when
Phase 1 — September 22, 2022. Organizations must designate a Privacy Officer (by default the highest-ranking authority, though the role may be delegated) and publish that person's name and contact information on their website. A confidentiality incident registry becomes mandatory: every breach must be documented, and incidents presenting a serious risk of harm must be reported to the CAI and to the affected individuals. New rules permit sharing personal information without consent during commercial transactions and for research purposes, but only under strict conditions. Organizations must also notify the CAI at least 60 days before deploying a biometric identification system (such as facial recognition or fingerprint scanning).
Phase 2 — September 22, 2023. The heaviest wave of obligations. Companies must now publish detailed governance policies covering data retention and destruction schedules, staff roles and responsibilities, and complaint-handling procedures. Consent rules tighten: consent must be explicit, free, informed, and given for specific purposes, requested separately for each purpose in simple and clear terms. Privacy Impact Assessments (ÉFVP) become mandatory before acquiring or developing any information system involving personal data, and before transferring data outside Quebec. The right to de-indexation (droit à l'oubli) takes effect — individuals can demand that companies stop disseminating their personal information or de-index it from search engines. Default privacy settings must be set to the highest level without user intervention. And critically for AI tools: organizations must inform individuals when decisions are made exclusively through automated processing, and must provide an opportunity for human review.
Enforcement architecture: two-tier penalties, private lawsuits, and personal liability
Loi 25's enforcement regime is the most aggressive in North America, and understanding its structure is critical for anyone evaluating AI tools that handle personal data. The law establishes a two-tier penalty system. The first tier consists of administrative monetary penalties (AMPs) of up to $10 million or 2% of worldwide turnover, imposed directly by the Commission d'accès à l'information (CAI) without court proceedings. These are issued after a notice of non-compliance and a reasonable opportunity to remedy the violation. The second tier consists of penal (criminal) fines of up to $25 million or 4% of worldwide turnover, which require formal court proceedings and carry a minimum corporate fine of $15,000. Penal offences have a 5-year statute of limitations, and fines double for subsequent offences. This isn't theoretical: the CAI has published its formal enforcement framework (*Cadre général d'application des sanctions administratives pécuniaires*) and is actively investigating complaints.
What truly sets Loi 25 apart from other privacy laws is Section 93.1, which creates an independent private right of action for individuals. If your personal information is mishandled due to intentional violation or gross negligence, you can sue the organization directly — and the court must award minimum punitive damages of $1,000 without requiring proof of the defendant's state of mind beyond the gross fault threshold. Individuals can also pursue class actions, making this a potent tool for large-scale data mishandling. Additionally, corporate officers and directors who authorize, order, consent to, or acquiesce in a violation face personal liability for the same penalty amounts. Organizations can propose engagement commitments — remedial undertakings submitted to the CAI — to avoid AMPs, but only if they fulfill every commitment. The CAI also holds expanded investigation powers: it can require any party (even those not subject to the Act) to produce documents, issue binding compliance orders, and conduct inquiries and inspections without prior court authorization.
Data handling obligations: inventory, anonymization, and cross-border risks
Loi 25 imposes practical data-handling obligations that go far beyond consent banners. Every organization must conduct a complete data inventory: catalog all personal information held, document how it circulates through internal systems, identify every authorized user, determine the purpose of each collection, and establish retention and destruction schedules with specific timelines. For AI email tools, this means the vendor must know exactly what data it collects from your inbox, where it's stored, who can access it, and when it will be deleted. If a vendor can't answer these questions with specificity, it hasn't completed this basic Loi 25 requirement. The law also draws a critical legal distinction between anonymization (irreversible: data ceases to be personal information) and de-identification (reversible: data remains subject to full Loi 25 protections). Anonymization is only permitted following recognized best practices and government-specified criteria, and since Quebec has not yet published those criteria, true anonymization remains technically unachievable under the law. Re-identifying a person from anonymized or de-identified data without authorization is a criminal offence.
Consent has an expiration date. Under Loi 25, consent validity ranges from 6 months to 3 years depending on the sensitivity and context of the data — consent must be renewed after expiry, not assumed to continue indefinitely. For AI email tools with ongoing inbox access, this means periodic re-authorization is legally required. On cross-border transfers, any transfer of personal information outside Quebec requires a completed Privacy Impact Assessment (ÉFVP) and written agreements confirming equivalent protection. But here's the risk most articles miss: if your AI email tool uses US-based cloud infrastructure, the US CLOUD Act allows American authorities to compel US cloud providers to produce data, even if that data is physically stored outside the United States. This creates a direct conflict with Loi 25's cross-border protections. The only way to fully eliminate this risk is to choose a provider with Canadian-resident data infrastructure not subject to US jurisdiction. Cookie and consent mechanisms must also comply: "accept all" and "reject all" buttons must appear on the same banner layer (no dark patterns), implicit consent through scrolling is prohibited for multi-purpose collection, and withdrawal of consent must be persistently accessible via a footer link or floating icon.
What Loi 25 means specifically for AI email tools
No other article on Loi 25 addresses this angle, and it's the most important one for professionals in 2026. An AI that reads your inbox is processing personal information at a depth no other software category matches. It analyzes your writing patterns (which can be considered biometric behavioral data under Loi 25), reads sensitive professional communications, stores contact graphs, and makes automated decisions about how to respond to people in your life. Every one of these activities triggers specific Loi 25 obligations.
Automated decision-making is the most overlooked provision. Under Loi 25, when a decision about an individual is made "exclusively through automated processing," the organization must inform the individual and provide the opportunity for a staff member to review the decision. For AI email tools that draft and suggest replies, this means the tool cannot send emails autonomously without your explicit review, a requirement Agentys has followed since day one with its approval-before-send architecture. Additionally, the Privacy Impact Assessment requirement means that any AI tool processing your inbox should have completed an ÉFVP before deployment. If your AI email tool has never mentioned an ÉFVP, ask them why. Furthermore, Loi 25's default privacy settings rule means an AI tool must ship with the highest privacy level active by default: no silent data collection, no opt-out-only tracking, no pre-activated profiling. The burden is on the company to protect you, not on you to protect yourself.
Your rights under Loi 25: what you can demand from any AI tool
Loi 25 grants you a comprehensive set of rights that every AI email tool must honor. The right of access (within 30 days for private companies) means you can request every piece of personal information an organization holds about you. The right to rectification lets you correct inaccurate, incomplete, or ambiguous data — particularly important when AI models learn from potentially outdated email patterns. The right to deletion requires organizations to destroy your personal information when its original collection purpose has been fulfilled. The right to de-indexation (droit à l'oubli) lets you request that a company stop publicly disseminating your personal information or remove hyperlinks to it, provided you can show harm to your reputation or privacy that outweighs any public interest.
Since September 2024, the right to data portability means you can request your personal data in a structured, commonly used technological format and have it transferred to another provider. For AI email tools, this means you're never locked in — your data belongs to you, not to the platform. You also have the right to be informed about automated decision-making: if an AI tool makes decisions about you (such as prioritizing or drafting replies), it must tell you and allow human review. And you have the right to withdraw consent at any time. If you revoke an AI tool's access to your inbox, it must immediately stop processing and, upon request, delete all your data. These aren't aspirational goals — they're enforceable legal rights backed by the CAI, with administrative sanctions for companies that fail to comply.
How Agentys was built for Loi 25 from day one
Many AI email tools operating from the US or Europe simply ignore Loi 25 requirements. They treat compliance as an afterthought, a page of legal text added to their website after a lawyer's review. Agentys, as a Canadian company, was built with Loi 25 compliance embedded in its architecture from day one. Our Privacy Officer was appointed before our first line of code shipped. Our Privacy Impact Assessment (ÉFVP) was completed before our beta launch. Our confidentiality incident registry was operational before we onboarded our first user. These aren't marketing claims. They're documented, auditable facts available for review.
In practice, this means your email data is stored in SOC 2 certified data centers in Canada, eliminating exposure to the US CLOUD Act that would otherwise let American authorities compel data production from US cloud providers regardless of where the data is physically stored. Your data is never transferred outside Quebec without an ÉFVP, and never used to train AI models. Our data inventory is maintained and audited continuously: we know exactly what personal information we hold, where it circulates, who has access, and when it's scheduled for deletion. Your consent is managed granularly — you control which folders Agentys accesses, which contacts it drafts for, and which threads to exclude. Default privacy settings are at the highest level out of the box: no pre-activated tracking, no silent profiling, no opt-out-only data collection. Our approval-before-send architecture ensures no email is ever sent without your explicit review, satisfying Loi 25's automated decision-making provisions. Upon cancellation, all data is permanently deleted within 30 days with a certification of deletion available on request. Data portability is supported in structured JSON format. Every one of these features maps directly to a specific Loi 25 requirement, not because a lawyer told us to, but because we believe your email data belongs to you. For technical details on our security certifications, read our guides on ISO 27001 and SOC 2 Type II.
Loi 25 is not a bureaucratic checkbox. It's the strongest privacy protection available to North Americans, and the most relevant law for anyone trusting AI with their inbox. It grants you enforceable rights over your data: access, rectification, deletion, portability, de-indexation, and human review of automated decisions. When you choose an AI email tool, demand Loi 25 compliance as the baseline, not a bonus. Agentys meets every requirement — all three phases — because we believe your email data belongs to you. Period.