
Quebec's Law 25: What Every Financial Advisor Needs to Know in 2026

Willie Savard — CEO & Co-founder, Tchat N Sign | January 15, 2026 | 12 min read


Law 25 is Quebec's legislation modernizing personal information protection in the private and public sectors. Adopted unanimously on September 21, 2021 (116 votes in favor, 0 against), it imposes a set of obligations on any organization that collects, uses, or communicates personal information of Quebecers, covering consent, transparency, security, and incident notification. All its provisions have been fully in force since September 22, 2024.

For financial services firms (advisors, mutual fund brokers, MGAs), Law 25 has a direct and immediate impact. You handle some of the most sensitive data in existence on a daily basis: social insurance numbers, banking information, detailed financial situations, health information for insurance. Here's what you need to understand.

Why This Law Exists

Quebec adopted its first private-sector personal information protection law in 1993. It was pioneering at the time, even predating the federal law (PIPEDA) of 2000. But over 30 years, this law was never substantially modernized. It included no obligation to report data breaches, penalties were trivial, and it completely ignored digital realities: cloud computing, social media, artificial intelligence, mass data collection.

Four events forced the legislature to act.

The 2019 Desjardins Breach: The Catalyst

Between 2016 and 2019, a Desjardins employee exfiltrated the personal data of 9.7 million people, more than one in three Quebecers. Names, dates of birth, social insurance numbers, transaction habits. The data was resold on the dark web. The class action settlement reached $200.9 million, the largest in the Canadian financial sector.

And the penalty under the old regime? The CAI president, Diane Poitras, admitted that the financial penalties under the old 1993 law were so "ridiculous" that the CAI didn't even bother to impose them. The maximum for a first offense was approximately $10,000. Under Law 25, with revenues of $18 billion, Desjardins would have faced a theoretical maximum criminal fine of 4% of global revenue, or $720 million. From $10,000 to $720,000,000. That's the scale of change Law 25 represents.

Bill 64 (which became Law 25) was tabled almost exactly one year after the public announcement of the breach.

CAI Recommendations Ignored Since 2011

Quebec's Commission d'accès à l'information (CAI) had been recommending legislative modernization since 2011. Its 2016 report, titled *Rétablir l'équilibre* (Restoring the Balance), contained 67 recommendations: mandatory appointment of a privacy officer, mandatory incident reporting, strengthened penalty powers. The CAI warned that Quebec was "far behind" other jurisdictions. It took the Desjardins crisis for these recommendations to finally be adopted.

The European GDPR as a Model

The entry into force of the General Data Protection Regulation (GDPR) in Europe on May 25, 2018 set a new global standard. With fines reaching up to 4% of global revenue, the GDPR created a compliance floor that Quebec's old 1993 law could not meet. Law 25 draws directly from it for strengthened consent, the right to erasure, impact assessments, and proportional penalty frameworks.

Amplification by Other Breaches

The same year as Desjardins, Capital One revealed a breach affecting 6 million Canadians. Identity theft complaints surged by 84% in 2019. The Equifax (2017) and Tim Hortons (geolocation tracking without consent) affairs consolidated the sense of urgency. The old law couldn't even impose a fine on Tim Hortons.

The 3 Implementation Phases

Law 25 came into force progressively over three years. As you read this, all phases are in effect.

Phase 1, September 22, 2022: Obligation to appoint a personal information protection officer. Maintenance of a confidentiality incident register. Notification to the CAI and affected individuals in case of serious risk of harm.

Phase 2, September 22, 2023: Governance policies published on the website. PIAs (Privacy Impact Assessments) mandatory before any new project involving personal information. Strengthened and explicit consent. Privacy by default. Right to be forgotten. Transparency on automated decisions. Penalties in effect: up to $10M or 2% of global revenue in administrative penalties, and $25M or 4% of global revenue in criminal fines.

Phase 3, September 22, 2024: Right to data portability in a structured format.

Why Financial Firms Are Particularly Targeted

If you're a financial advisor, mutual fund broker, or operate an MGA in Quebec, you're on the front line for three reasons.

Your data is among the most sensitive. Social insurance numbers, bank statements, complete financial situations, health information for life or disability insurance. The sensitivity of the information is an aggravating factor in penalty calculations. The more sensitive the data, the more severe the CAI will be in case of a violation.

You already have a double regulatory layer. The AMF and CIRO impose obligations for communication retention, confidentiality, and Know Your Client (KYC). Law 25 adds on top. Both frameworks coexist and reinforce each other, but also create tensions, for example between the right to erasure (Law 25) and the obligation to retain records (AMF, 7-year minimum).

The financial risk is real, even for a small firm. Administrative penalties take into account the ability to pay, but the private right of action (section 93.1) knows no such limit. Every person affected by an intentional breach or gross fault is entitled to a minimum of $1,000 in punitive damages. A firm managing 2,000 client files could face exposure of $2 million in a class action, even with modest revenue.

What This Concretely Changes in Your Daily Practice

You can no longer collect information "just in case." Law 25 requires that collection be limited to what is necessary for the specified purposes. Asking for a client's SIN for a simple address change? That's over.

Every new software or vendor requires an assessment. If you adopt a new CRM, switch email providers, or use an AI tool, you must conduct a PIA, especially if the vendor is located outside Quebec, even in Ontario or the United States.

An incident must be documented, even if it's minor. You send a statement to the wrong client by mistake? That's a confidentiality incident. It must be recorded in the register. If the risk of harm is serious, you must notify the CAI and the affected individuals.

Your clients have new rights. They can ask what information you hold about them, demand rectification or erasure of data, and receive their data in a portable format. You must be able to respond to these requests.

Where to Start

If your firm hasn't yet taken concrete steps, here are the first four actions to take:

1. Officially appoint a personal information protection officer and publish their contact information on your website.

2. Establish a confidentiality incident register, even a simple one (a spreadsheet with the mandatory fields is enough to start).

3. Publish your privacy policy on your website, written in plain language.

4. Inventory your technology vendors and verify where your clients' data is hosted.

Law 25 compliance isn't a one-time project; it's an ongoing practice. But the foundations can be laid in a few weeks, not months.

---

*This article is part of a series on Law 25 and compliance for financial services firms. See also:*

  • *[Law 25 Fines: Understanding Penalty Calculations for Your Firm](/blog/law-25-fines-penalty-calculations)*
  • *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-financial-firm)*
  • *[Law 25 Class Actions: The Financial Risk Small Firms Underestimate](/blog/law-25-class-action-risk-small-firms)*
  • *[Law 25 and AMF: The Double Compliance Layer for Financial Advisors](/blog/law-25-amf-double-compliance-layer)*

Frequently Asked Questions

Does Law 25 apply to my firm even if I have fewer than 5 employees?

Yes. Law 25 applies to any organization that collects, holds, uses, or communicates personal information in Quebec, regardless of its size. There is no exemption threshold based on the number of employees or revenue.

What is the difference between Law 25 and the federal PIPEDA?

Law 25 is Quebec's private-sector personal information protection law. PIPEDA is the federal Canadian law. In Quebec, the provincial law takes precedence for businesses operating in Quebec, as it is recognized as "substantially similar" to the federal law. In practice, if you comply with Law 25, you also meet the core requirements of PIPEDA.

Has the CAI already imposed fines under Law 25?

As of early 2026, the CAI has not yet imposed any publicly disclosed administrative monetary penalties. Its initial approach has been educational and supervisory. However, the tools have been fully operational since September 2023 and enforcement activity is progressively intensifying. Orders have already been issued, notably against the use of facial recognition in the workplace.

How much does Law 25 non-compliance cost?

Administrative penalties can reach $10M or 2% of global revenue (whichever is greater). Criminal fines go up to $25M or 4%. But for a small firm, the most significant financial risk is the private right of action: each affected person is entitled to a minimum of $1,000 in punitive damages, and class actions are permitted.