Quebec Law 25

Act Respecting the Protection of Personal Information in the Private Sector (as amended by Bill 64)

Key Facts

Effective Date: September 1, 2024
Enacted: September 22, 2021
Enforcing Authority: Commission d'accès à l'information du Québec (CAI)
Consent Model: Opt-in
Fulfillment Time: 30 days
Applies To: Any organization collecting personal information of Quebec residents in commercial activities, regardless of location (extraterritorial scope)

Overview

Quebec Law 25 is the most GDPR-like privacy law in the Americas, requiring explicit granular consent per purpose before deploying any tracking technology. Implied consent is explicitly prohibited for cookies and tracking — a significantly stricter standard than PIPEDA or any US state law.

What This Means for Your Website

  • Explicit consent per purpose is required before deploying ANY tracking technology — including cookies, pixels, and analytics
  • Implied consent is explicitly NOT acceptable for cookies or tracking
  • Penalties match GDPR levels: up to CAD $25 million or 4% of worldwide turnover
  • Privacy impact assessments are mandatory for high-risk processing
  • Breach notification to CAI is required within 72 hours
  • Extraterritorial scope applies to organizations outside Quebec targeting Quebec residents

Key Requirements

The CAI enforces Law 25 with penalties up to CAD $25 million or 4% of worldwide turnover — the highest in North America. Consumer requests must be fulfilled within 30 days. The explicit prohibition on implied consent for tracking makes Quebec's requirements closer to GDPR than any other North American jurisdiction. A mandatory privacy officer designation is required.

How ConsentStack Handles This

ConsentStack detects Quebec visitors and applies explicit opt-in consent per purpose category before deploying any tracking technology — matching Quebec's GDPR-like requirements with no reliance on implied consent.

Penalties

CAD $15,000-$25,000,000 OR 4% of worldwide turnover (whichever is greater).

Maximum Fine: CA$25,000,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Explicit consent per purpose before deploying ANY tracking technology
  • Implied consent NOT acceptable for cookies/tracking
  • Privacy impact assessments mandatory for high-risk processing
  • Designate a privacy officer (mandatory)
  • Breach notification to CAI within 72 hours
  • Automated decision-making transparency

Notable Provisions

  • Most GDPR-like law in the Americas
  • Implied consent explicitly prohibited for tracking
  • GDPR-level penalties (4% worldwide turnover)
  • Extraterritorial scope
  • Separate consent per purpose required

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

Is Quebec Law 25 similar to GDPR?

Yes. Quebec Law 25 is the most GDPR-like privacy law in the Americas, with explicit per-purpose consent, extraterritorial scope, and GDPR-level penalties (4% worldwide turnover).

Can implied consent be used for cookies in Quebec?

No. Quebec Law 25 explicitly prohibits implied consent for cookies and tracking technologies. Only explicit, granular consent per purpose is valid.

What are the Quebec Law 25 penalties?

Up to CAD $25 million or 4% of worldwide turnover, whichever is greater — the highest penalties in North America.

Does Quebec Law 25 apply to out-of-province organizations?

Yes. The law has extraterritorial scope, applying to any organization collecting personal information of Quebec residents regardless of location.

Stay compliant with Quebec Law 25

ConsentStack helps you implement opt-in consent for Quebec, Canada automatically.