
The 7 Law 25 Obligations Your Firm Must Meet Now

Willie Savard — CEO & Co-founder, Tchat N Sign. January 29, 2026. 15 min read

Law 25 imposes seven main obligations on organizations that collect, use, or communicate personal information in Quebec. All have been in force since September 22, 2024. This is no longer a project to plan; it is a framework you must comply with today.

For financial services firms, these obligations add to existing AMF and CIRO requirements. The good news: several of these obligations overlap with practices you're probably already partially applying. The bad news: "partially" isn't enough, and gaps can be costly. [Administrative monetary penalties reach $10M or 2% of worldwide turnover, penal fines reach $25M or 4% of worldwide turnover (whichever is greater), and class actions have no cap](/blog/law-25-fines-penalty-calculations).

Here are the seven obligations, what they concretely require, and how to implement them in a financial firm.

1. Appoint a Personal Information Protection Officer

In force since: September 22, 2022 (Phase 1)

What the law requires: Every organization must designate a person responsible for personal information protection. By default, this is the person with the highest authority in the organization (the principal officer). All or part of this responsibility can be delegated in writing to another member of the organization. The officer's title and contact information must be published on the company's website or, if the company has no website, made available by another appropriate means.

What this means for your firm: If you haven't done anything, you, the owner or principal officer, carry this responsibility. You can delegate it to your compliance officer or administrative assistant, but the delegation must be formalized in writing and the person must have the resources, authority and time needed to fulfill the role.

Concrete action: Add a "Personal Information Protection" section on your website with the name, title, and email address of your officer. A simple paragraph is sufficient. Draft an internal delegation document if the officer is not the principal.

2. Maintain a Confidentiality Incident Register

In force since: September 22, 2022 (Phase 1)

What the law requires: Every organization must maintain a register of all confidentiality incidents that occur. A confidentiality incident is any access, use, or communication of personal information not authorized by law, or the loss of personal information or any other breach of its protection. Under the confidentiality incident regulation, each entry must be kept for at least 5 years from the date the organization became aware of the incident, and the register must be available to the CAI on request.

What this means for your firm: An email containing client information sent to the wrong recipient? That's an incident. A former employee whose CRM account was never revoked and who logs in after their departure? That's an incident (and disabling the account is your first containment measure). An unencrypted laptop lost or stolen? That's an incident. All these events must be recorded in the register, whether or not they present a serious risk of harm; the register is also where you record why you concluded a given risk was not serious.

Concrete action: Create a simple register. A spreadsheet with the following columns is enough to start:

  • date of the incident and date you became aware of it
  • description of what happened
  • types of information affected
  • number of individuals concerned (estimated)
  • assessment of serious risk of harm, with the reasoning
  • measures taken to limit consequences
  • date of CAI notification (if applicable)
  • date of individual notification (if applicable)

Train your employees to report any incident immediately, even minor ones.

3. Notify the CAI and Affected Individuals in Case of Serious Risk

In force since: September 22, 2022 (Phase 1)

What the law requires: When a confidentiality incident presents a risk of serious harm, the organization must notify the CAI "with diligence" and inform the affected individuals. The serious harm risk assessment considers the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for malicious purposes. The organization may also notify any person or body in a position to reduce the risk (for example, the bank whose account numbers were exposed), sharing only the information necessary for that purpose.

What this means for your firm: Financial information and social insurance numbers are considered highly sensitive. An incident involving this data almost always presents a serious risk of harm. Notification must be done through the CAI's online form and must include the incident description, categories of information affected, number of individuals concerned, and measures taken.

Concrete action: Prepare an incident response plan before one occurs. This plan should identify who does what (the privacy officer coordinates, the IT team assesses the scope, the assistant prepares communications), the CAI notification template, and the individual notice template. When an incident occurs, you won't have time to improvise.
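Sections 2 and 3 describe the same record: the register captures every incident, and the serious-harm assessment decides which entries trigger a CAI notice. The script below is an added example written for this article, not code from the original page or from Tchat N Sign. It keeps the register columns and the five-year retention period from the text; the sensitivity weights, the three-level exposure scale and the triage rule are illustrative assumptions that a firm would tune with counsel, and the three incidents are constructed, not real events.

```python
"""Confidentiality incident register with serious-harm triage (added example)."""
from __future__ import annotations
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional
import csv
import io

# Assumed sensitivity weights (3 = highly sensitive). SIN and financial data
# are weighted highest, matching the article's point that an incident
# touching them almost always presents a serious risk of harm.
SENSITIVITY = {"sin": 3, "financial": 3, "health": 3, "biometric": 3,
               "contact": 1, "name": 1}

# Column layout for the spreadsheet-style export.
COLUMNS = ["date_of_incident", "date_aware", "description", "info_types",
           "individuals_affected", "exposure", "serious_harm", "measures_taken",
           "cai_notified_on", "individuals_notified_on", "retain_until"]


@dataclass
class Incident:
    date_of_incident: date
    date_aware: date                      # when the firm learned of it
    description: str
    info_types: list[str]                 # keys of SENSITIVITY
    individuals_affected: int             # an estimate is acceptable
    exposure: str                         # assumed scale: internal | known_party | unknown
    measures_taken: str = ""
    cai_notified_on: Optional[date] = None
    individuals_notified_on: Optional[date] = None

    def serious_harm(self) -> bool:
        """Assumed triage rule over the three legal factors: sensitivity of the data,
        anticipated consequences (how many people) and likelihood of malicious use
        (who ended up with the data)."""
        sensitivity = max((SENSITIVITY.get(t, 2) for t in self.info_types), default=0)
        if sensitivity >= 3:
            return True                   # sensitive data: presume serious harm
        if self.exposure == "unknown" and self.individuals_affected >= 10:
            return True                   # data in unknown hands, many people
        return False

    def retain_until(self) -> date:
        """Entries are kept at least five years from the date of awareness."""
        d = self.date_aware
        try:
            return d.replace(year=d.year + 5)
        except ValueError:                # 29 February
            return d.replace(year=d.year + 5, day=28)


class Register:
    def __init__(self) -> None:
        self.entries: list[Incident] = []

    def add(self, incident: Incident) -> Incident:
        self.entries.append(incident)
        return incident

    def pending_cai_notifications(self) -> list[Incident]:
        """Serious-harm incidents for which the CAI has not yet been notified."""
        return [i for i in self.entries if i.serious_harm() and i.cai_notified_on is None]

    def to_csv(self) -> str:
        """Export in the column layout the article suggests for a spreadsheet."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=COLUMNS)
        writer.writeheader()
        for i in self.entries:
            row = asdict(i)
            row["info_types"] = ";".join(i.info_types)
            row["serious_harm"] = i.serious_harm()
            row["retain_until"] = i.retain_until()
            writer.writerow(row)
        return buf.getvalue()


def demo_register() -> Register:
    """Constructed sample incidents (not real events)."""
    reg = Register()
    reg.add(Incident(date(2025, 3, 3), date(2025, 3, 3),
                     "Account statement emailed to wrong client",
                     ["name", "financial"], 1, "known_party",
                     measures_taken="Recipient asked to delete; deletion confirmed"))
    reg.add(Incident(date(2025, 4, 10), date(2025, 4, 12),
                     "Newsletter list exposed on shared drive",
                     ["name", "contact"], 40, "internal",
                     measures_taken="Folder permissions fixed"))
    reg.add(Incident(date(2025, 5, 1), date(2025, 5, 2),
                     "Unencrypted laptop stolen from car",
                     ["name", "sin", "financial"], 120, "unknown",
                     measures_taken="Remote wipe attempted; police report filed",
                     cai_notified_on=date(2025, 5, 3)))
    return reg


if __name__ == "__main__":
    r = demo_register()
    print(r.to_csv())
    print("awaiting CAI notice:", [i.description for i in r.pending_cai_notifications()])
```

Note that the misdirected statement is flagged for notification even though only one person is affected: under the assumed rule, financial data alone is enough, which is the conservative reading the article recommends. The newsletter list stays in the register (every incident is recorded) but is not flagged, and the reasoning behind that decision belongs in the register row.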

4. Adopt and Publish Governance Policies

In force since: September 22, 2023 (Phase 2)

What the law requires: The organization must establish and implement governance policies and practices for personal information protection. These policies must provide rules for information retention and destruction, staff roles and responsibilities, and the complaint-handling process. Detailed information about them must be published on the company's website in simple, clear terms.

What this means for your firm: The policy published on your website isn't an incomprehensible legal copy-paste. It must explain in accessible language what information you collect, why, how you protect it, how long you keep it, and how individuals can exercise their rights (access, rectification, erasure, withdrawal of consent). You must also have an internal governance framework, even a brief one, describing your security practices and complaint-handling procedures.

Concrete action: Draft two documents. First, a public privacy policy for your website (2 to 4 pages, clear language). Second, an internal governance framework describing your practices: who has access to which data, how access is managed when an employee leaves, the procedure for a client access request, how long you retain different types of information. This second document doesn't need to be published but must be available to the CAI on request.

5. Conduct PIAs (Privacy Impact Assessments)

In force since: September 22, 2023 (Phase 2)

What the law requires: A PIA must be conducted before any project involving the acquisition, development, or overhaul of an information system or electronic service delivery that involves personal information. A PIA is also mandatory before any communication of personal information outside Quebec, including to another Canadian province; the transfer may proceed only if the assessment concludes the information will receive adequate protection, and it must be covered by a written agreement that takes the assessment's results into account. The assessment must be proportionate to the sensitivity of the information, the purpose of the project, and the context.

What this means for your firm: Every new technology vendor that will process your clients' data requires a PIA. Changing CRMs? PIA. Adopting an electronic signature tool hosted in Ontario? PIA. Using an email service with servers in the United States? PIA. This isn't a one-time exercise; it's an ongoing obligation with every technology change.

Concrete action: Build a simplified PIA template in five sections: (1) description of the project or vendor, (2) inventory of personal information affected, (3) identification of privacy risks, (4) planned mitigation measures, (5) conclusion and decision. For transfers outside Quebec, add a sixth section: assessment of the legal framework in the destination jurisdiction, and a reference to the written agreement (contract or data processing terms) that reflects it. Keep all your PIAs in a centralized file accessible to the privacy officer.

6. Obtain Strengthened Consent

In force since: September 22, 2023 (Phase 2)

What the law requires: Consent must be manifest, free, and enlightened (that is, informed), and given for specific purposes. It must be requested for each purpose separately and in simple terms. For sensitive information (financial data, health data, biometric data), consent must be express. Default consent (pre-checked boxes) is not valid, and the default settings of a technological product or service must provide the highest level of confidentiality. Tracking and profiling functions must be off until the person activates them. The individual must be able to withdraw consent as easily as they gave it.

What this means for your firm: When you collect a client's financial information for a financial plan, the client must clearly understand why you're collecting it, what it will be used for, and to whom it might be communicated. If you use this data for a different purpose (e.g., sending marketing communications), you need separate consent for that purpose. And if you use a tool that does profiling or client segmentation, the client must have expressly consented to it.

Concrete action: Review your account opening forms and existing consents. Ensure each collection purpose is described in clear language, that marketing consent is separate from service consent, and that no boxes are pre-checked. Document consents obtained (when, how, for what) so you can demonstrate them to the CAI if needed. If you use a communication platform that archives exchanges, like TnS, documented consents within the platform constitute a verifiable trail.
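The "document consents obtained (when, how, for what)" step is where most firms fall down, because a single "I agree" flag on the client record cannot show separate purposes, withdrawal, or how the consent was obtained. The ledger below is an added example written for this article, not code from the original page or from the TnS platform. The purpose names, the set of purposes treated as sensitive, the list of methods that cannot establish consent, and the evidence references are illustrative assumptions; the client events are constructed.

```python
"""Per-purpose consent ledger with withdrawal and an evidence trail (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed: purposes that touch sensitive information need express consent.
SENSITIVE_PURPOSES = {"financial_planning", "credit_check"}

# Methods that are not a positive act by the person and so cannot establish
# consent (pre-checked boxes, default settings, silence).
INVALID_METHODS = {"prechecked_box", "default_setting", "no_response"}


@dataclass(frozen=True)
class ConsentEvent:
    client_id: str
    purpose: str            # exactly one purpose per event, never bundled
    granted: bool           # True = consent given, False = consent withdrawn
    at: datetime
    method: str             # e.g. "signed_form", "web_checkbox", "recorded_call"
    express: bool           # an explicit act by the person
    evidence: str           # reference to the archived form or message


class ConsentLedger:
    """Append-only log: the current state is derived from events, never overwritten."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.granted and ev.method in INVALID_METHODS:
            raise ValueError(f"{ev.method!r} cannot establish consent")
        if ev.granted and ev.purpose in SENSITIVE_PURPOSES and not ev.express:
            raise ValueError(f"{ev.purpose!r} requires express consent")
        self._events.append(ev)

    def _latest(self, client_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        cands = [e for e in self._events
                 if e.client_id == client_id and e.purpose == purpose and e.at <= at]
        return max(cands, key=lambda e: e.at) if cands else None

    def has_consent(self, client_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Is consent for this one purpose in force at time `at`? A withdrawal is
        just a later event with granted=False, so it wins over the earlier grant."""
        latest = self._latest(client_id, purpose, at or datetime.now())
        return latest is not None and latest.granted

    def trail(self, client_id: str, purpose: str) -> list[tuple[str, str, str, str]]:
        """What to show the CAI: when, what happened, how, and where the proof is."""
        return [(e.at.isoformat(), "given" if e.granted else "withdrawn", e.method, e.evidence)
                for e in sorted(self._events, key=lambda e: e.at)
                if e.client_id == client_id and e.purpose == purpose]


def demo_ledger() -> ConsentLedger:
    """Constructed sample events (not real clients)."""
    led = ConsentLedger()
    led.record(ConsentEvent("C-001", "financial_planning", True, datetime(2025, 1, 10, 9, 0),
                            "signed_form", True, "KYC-2025-0042"))
    led.record(ConsentEvent("C-001", "marketing", True, datetime(2025, 1, 10, 9, 5),
                            "web_checkbox", True, "form-2025-01-10#mkt"))
    led.record(ConsentEvent("C-001", "marketing", False, datetime(2025, 6, 1, 14, 0),
                            "email", True, "msg-8813"))
    return led


def demo_checks() -> dict:
    """Run the ledger through the situations the article describes."""
    led = demo_ledger()
    checks = {
        "planning_in_force": led.has_consent("C-001", "financial_planning", datetime(2026, 1, 1)),
        "marketing_before_withdrawal": led.has_consent("C-001", "marketing", datetime(2025, 3, 1)),
        "marketing_after_withdrawal": led.has_consent("C-001", "marketing", datetime(2026, 1, 1)),
        "profiling_never_asked": led.has_consent("C-001", "profiling", datetime(2026, 1, 1)),
        "marketing_trail": led.trail("C-001", "marketing"),
    }
    try:   # a pre-checked box must be rejected at the point of recording
        led.record(ConsentEvent("C-002", "marketing", True, datetime(2025, 2, 1),
                                "prechecked_box", False, "signup-form"))
        checks["prechecked_rejected"] = False
    except ValueError:
        checks["prechecked_rejected"] = True
    try:   # implied consent is not enough for a sensitive purpose
        led.record(ConsentEvent("C-002", "financial_planning", True, datetime(2025, 2, 1),
                                "implied", False, "intake-call"))
        checks["implied_sensitive_rejected"] = False
    except ValueError:
        checks["implied_sensitive_rejected"] = True
    return checks


if __name__ == "__main__":
    for name, value in demo_checks().items():
        print(f"{name}: {value}")
```

Two design choices matter here. Consent is keyed by purpose, so withdrawing marketing consent leaves the financial-planning consent untouched, and the ledger is append-only, so the trail the CAI would ask for is the data itself rather than a reconstruction.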

7. Ensure Data Portability

In force since: September 22, 2024 (Phase 3)

What the law requires: Any person can request to receive the computerized personal information you hold about them in a structured, commonly used technological format. They can also request that this information be communicated directly to another organization or body authorized by law to collect it. The right covers information collected from the person; information your firm created or inferred about them (risk scores, internal notes, suitability analyses) is outside its scope, and the request can be refused where it raises serious practical difficulties.

What this means for your firm: If a client leaves your firm for a competitor and asks you to transmit their file in a structured digital format, you must be able to do so. This doesn't mean handing over a scanned PDF of their paper file. The format must be structured (e.g., CSV, XML, or JSON) and commonly used, so the data can be reused by the recipient. Since the export is a communication of personal information, verify the identity of the requester and, for a transfer to a third party, the identity and authority of the recipient before sending anything.

Concrete action: Verify that your CRM or file management system allows exporting a client's data in a structured format, and that the export can be limited to information collected from the client. Test the export functionality before receiving a request. Establish an internal processing timeline: portability is exercised as an access request, and the law requires a written response to access requests no later than 30 days after the request. Document the procedure so any team member can handle a portability request.

Summary: Your Compliance Checklist

Here's a quick summary to assess where you stand:

  • Privacy officer appointed and published on the website. If this isn't done, it's the starting point. Without an identified officer, all other elements lack governance.
  • Incident register in place and kept up to date. Even if you've never had an incident (or think you haven't), the register must exist and be ready to receive entries.
  • Incident response plan documented. Who does what, in what order, with which notification templates. Test it at least once a year with a fictional scenario.
  • Privacy policy published on the website. Written in clear language, not legal jargon. Updated with Phase 2 obligations (PIAs, consent, individual rights).
  • Internal governance framework documented. Retention, destruction, access management rules. Not necessarily published, but accessible on CAI request.
  • PIAs completed for each technology vendor. Particularly those hosting data outside Quebec. Updated when the vendor changes its practices.
  • Consents reviewed and documented. Up-to-date forms, distinct purposes, no pre-checked boxes, trail of each consent obtained.
  • Portability process functional. Export possible in a structured format, documented procedure, response within the 30-day window.

If you check all eight points (seven obligations plus the incident response plan), your firm is in good shape. If several boxes are empty, prioritize in this order: privacy officer, incident register, privacy policy. These are the three foundations everything else builds on.

---

*This article is part of a series on Law 25 and compliance for financial services firms. See also:*

  • *[Quebec's Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
  • *[Law 25 Fines: Understanding Penalty Calculations for Your Firm](/blog/law-25-fines-penalty-calculations)*
  • *[Confidentiality Incident: What to Do in the First 72 Hours](/blog/confidentiality-incident-law-25-72-hours)*
  • *[PIA: How to Conduct a Privacy Impact Assessment](/blog/pia-privacy-impact-assessment-law-25)*
  • *[Law 25 and AMF: The Double Compliance Layer for Financial Advisors](/blog/law-25-amf-double-compliance-layer)*

Frequently Asked Questions

Are all Law 25 obligations already in force?

Yes. All three phases have come into force: Phase 1 on September 22, 2022, Phase 2 on September 22, 2023, Phase 3 on September 22, 2024. All seven obligations described in this article apply now.

My firm has only 3 employees. Do these obligations still apply?

Yes. Law 25 provides no exemption threshold based on company size. Whether you have 3 or 300 employees, the same obligations apply. The scope of measures can be proportionate to your organization's size (a spreadsheet register rather than specialized software, for example), but the obligation itself does not disappear.

What is the difference between the privacy policy and the internal governance framework?

The privacy policy is the public document published on your website that explains to individuals how you handle their personal information. The internal governance framework is an operational document describing your internal practices: access management, retention, destruction, staff training, complaint handling. The first is for your clients, the second for your team and the CAI.

Is a PIA mandatory even if my vendor is in Ontario?

Yes. Law 25 requires a PIA before any communication of personal information outside Quebec, regardless of destination. This includes Ontario, other Canadian provinces, and foreign countries. The assessment must examine the applicable legal framework in the destination jurisdiction, and the communication must be covered by a written agreement that takes the assessment's results into account.