Quebec Law 25 Compliance Guide: Deadlines, Key Steps, and Tools

Quebec’s Law 25 (formerly Bill 64) is now fully in force. 

The final phase—the right to data portability—took effect on September 22, 2024, completing a three-year rollout. Organizations “carrying on an enterprise” in Quebec must meet stricter consent, transparency, governance, and rights obligations, with administrative monetary penalties up to C$10M or 2% of worldwide turnover and penal fines up to C$25M or 4% for serious violations. 

The guide below clarifies requirements, compares Law 25 and GDPR, and shows how modern data governance—particularly a data catalog, lineage, and a governed Data Products Marketplace—helps you comply and keep pace with change. Let’s dive in!

What is Quebec Law 25?

Law 25 modernizes Quebec’s private-sector privacy framework and strengthens individuals’ control over their data. Crucially, it applies broadly to any organization “carrying on an enterprise” in Quebec, including many Canada-wide and U.S. brands with Quebec customers or employees. If you do business in Quebec and handle personal information about Quebec residents, you’re in scope. 

Why this matters now:

• Final phase completed. The last tranche (data portability) took effect on Sept 22, 2024. Organizations must be able to return computerized personal information in a structured, commonly used technological format and, on request, transmit it to an authorized third party. Response timelines align with access requests (~30 days).

• Enforcement has teeth. The regulator (CAI) can impose administrative monetary penalties and pursue penal proceedings; maximums reach C$10M/2% (AMPs) and C$25M/4% (penal).

The bottom line? In 2023–2024, the CAI received 444 confidentiality-incident reports and tracked hundreds of related files—evidence that oversight is active and expectations are rising. (CAI 2023–2024 Annual Report, Oct 1, 2024). 

Key deadlines for Quebec Law 25

Are you confident you’re compliant today?

Law 25 is no longer “upcoming.” It’s here. Ask yourself: Can we evidence consent, complete PIAs, answer portability requests within ~30 days, and prove governance at every step? 

Meanwhile, privacy enforcement globally keeps trending up—GDPR fines have reached ~€5.65B cumulatively as of March 1, 2025, signaling regulators’ sustained focus on data rights and controls. 

Quebec Law 25 vs. GDPR: What’s the difference? 

Data portability

Quebec Law 25 empowers individuals with the right to data portability, enabling them to access their personal data in a structured, commonly used, and machine-readable format. To meet this requirement, organizations must:

• Verify data subject identities and authenticate portability requests.

• Develop secure methods for extracting, formatting, and transmitting personal data.

• Fulfill data portability requests within 30 days of receipt.

• Collaborate with other organizations to facilitate data transfers when requested by individuals.

Achieving data portability compliance demands close coordination among privacy, IT, and data governance teams to ensure accuracy, security, and timeliness in data transfers.

How to comply with Quebec Law 25: A practical checklist

How to put Law 25 into practice

To operationalize Law 25, focus on these priority actions:

Run a portability “fire drill.” Simulate a full end-to-end request: intake, authentication, extraction, formatting, and delivery. Time the process and stress-test your workflows. This not only proves readiness but highlights weak links before regulators or customers do.

Re-baseline PIA coverage. Review all systems and projects that process personal information. Ensure Privacy Impact Assessments are documented, risk-ranked, and updated for any material changes since 2023. Regulators expect living documents, not one-off exercises.

Publish and verify your privacy officer details. Confirm your designated officer’s name and contact information are easy to find on your website and in internal policies. CAI guidance emphasizes visibility, so test by asking: “Can a consumer or employee find this in two clicks?”

Validate cross-border transfer safeguards. Inventory all vendors and affiliates receiving Quebec personal data outside Canada. Check that transfer assessments are documented, contracts reflect Law 25 requirements, and monitoring mechanisms are in place. This is a recurring compliance pressure point for global organizations.

Key actions for Law 25 compliance

Adopt technology solutions to automate and streamline compliance processes. Data leaders should:

Automate consent and data portability processes: Manual management of consent and data portability requests is often time-intensive and prone to errors. Consent management platforms can streamline the collection, tracking, and management of user consent preferences across channels. Data portability solutions enable secure and automated transfers of personal data upon individual request.

Prioritize minors' data protections: Quebec Law 25 enforces stringent safeguards for minors' personal information. Organizations must secure parental consent before collecting, using, or disclosing data of children under 14. Implement robust age verification systems and mechanisms for obtaining verifiable parental consent.

Implement data discovery and classification tools for identifying sensitive data, privacy-enhancing technologies (PETs) for data anonymization and pseudonymization, and incident response platforms for managing data breaches

Explore data catalog solutions that provide centralized visibility into data assets and automated compliance monitoring—essential for streamlined PIAs and data subject rights management

Automation reduces the risk of human error and ensures consistent adherence to privacy requirements.

How to use a data catalog for Law 25 compliance

Compliance with Law 25 at enterprise scale requires more than policies written in binders. Organizations need consistent metadata, auditable processes, and controlled access—backed by automation. A modern data catalog gives leaders the ability to embed policies directly into data workflows, automate enforcement through bulk actions, and reduce manual overhead.

Crucially, data catalogs also serve as the bridge between governed data products and compliant self-service analytics. By curating and enforcing rules at the data layer, organizations empower business users to innovate with confidence—driving data democratization that’s safe, auditable, and aligned with regulatory obligations.

Make governed data the “front door”

A Data Products Marketplace gives business users a curated, governed way to discover and request data with embedded policies, approvals, and access controls—reducing unauthorized processing and aligning use with consent and purpose. It also supports lifecycle stewardship so product owners can update data products as regulations evolve.

Compliance is not a project—it's a product. Treat governed data products as living assets with owners, SLAs, and controls that evolve as laws change.

A data product operating model also supports lifecycle stewardship, enabling product owners to update, retire, or re-certify data products as laws evolve. In this model, compliance isn’t an afterthought or one-off initiative—compliance becomes a product. Governed data products are treated as living assets with assigned owners, SLAs, and controls that adapt alongside regulatory change.

Automate governance with AI agents

A Data Products Builder Agent can can speed the creation and upkeep of compliant data products. These AI-powered assistants can:

• Auto-suggest business-friendly descriptions.

• Tag sensitive fields such as identifiers or health data.

• Recommend and wire appropriate approval workflows.

By embedding compliance controls directly into the build process, AI agents reduce administrative burden and help ensure that controls follow the data wherever it travels. This scalability is key to staying compliant over time, even as your data ecosystem grows.

Catalog lineage supports PIAs and rights requests

Under Law 25, Privacy Impact Assessments (PIAs) are required for projects and systems that involve personal information. These assessments evaluate the potential risks to individual privacy and identify safeguards. Without the right tools, PIAs can be time-intensive and fragmented. 

Catalog for context. A data catalog centralizes both technical and business metadata, links steward ownership, and connects policies to specific assets. This foundation streamlines PIAs, helps privacy officers demonstrate compliance to the CAI, and reduces the time needed to validate risk assessments.

Lineage for traceability. Data lineage provides an end-to-end map of how personal information flows across systems, who has access, and which reports or dashboards consume it. This transparency is essential for impact assessments, cross-border data checks, and fulfilling portability requests within the ~30-day requirement. 

Think of lineage as the “flight path” for personal data—from source to every downstream table, model, dashboard, and export—so you can answer “where is this PI used, and what happens if we change or delete it?”

(Learn more about data lineage.) 

Embed policy-aware experiences for data consumers

The most effective compliance programs meet users where they work. By embedding policies and usage rules into the everyday data experience—whether in the marketplace, catalog search, or browser extensions—organizations nudge employees toward compliant behavior naturally, without slowing them down.

This approach turns governance from a barrier into an enabler: employees discover not just the right data, but also the right way to use it safely and legally.

For a vision of where catalogs are going—and why governance + AI agents are converging—see Alation’s perspective on Reinventing Data Catalogs for Governance with AI Agents.

Turn compliance into a competitive advantage

Quebec Law 25 raises the bar for data protection in North America, and enforcement is already active. For organizations, the challenge is twofold: avoiding penalties while also enabling innovation.

By investing in a modern data catalog, governed data products, AI-assisted automation, and end-to-end lineage, businesses can transform compliance from a reactive project into a repeatable, scalable discipline. Done right, Law 25 compliance doesn’t just protect your organization—it builds trust, fuels compliant self-service analytics, and unlocks a foundation for responsible innovation.

Ready to operationalize Law 25? See a demo of how a catalog, lineage, and a governed marketplace simplify PIAs, portability, and proof of compliance.

References

• Commission d’accès à l’information du Québec – Principaux changements (overview of obligations, AMPs, PIAs, transfers). (CAI Québec)

• CAI – Rapport annuel d’activités 2023–2024 (incidents and activity statistics). (CAI Québec)

• McMillan LLP – Québec’s New Data Portability Law (final phase date and scope context). (McMillan LLP)

• DLA Piper – Right to data portability in Quebec (30-day response timeline guidance). (DLA Piper)

• Osler – Enforcement scheme (penal fines up to C$25M/4%). (Osler, Hoskin & Harcourt LLP)

• CMS – GDPR Enforcement Tracker Report 2024/2025 (global fines ~€5.65B). (CMS Law)