Quebec Law 25
Quebec's Law 25 (formerly Bill 64) overhauled the province's private-sector privacy regime in phased stages. It strengthens consent and transparency, requires a privacy officer, mandates breach reporting, introduced privacy-impact assessments for certain projects, and includes a privacy-by-default expectation for technology that collects personal information. Analytics on Quebec residents can be in scope. This is educational, not legal advice.
What this means
Law 25 modernises Quebec's Act respecting the protection of personal information in the private sector. Phased in over several years, it raised consent and transparency standards, required organisations to designate a person responsible for privacy, mandated reporting of confidentiality incidents, and called for privacy-impact assessments before certain processing or transfers of personal information.
Privacy by default and analytics
A notable provision requires that, where a product or service collecting personal information offers privacy settings, the highest level of confidentiality applies by default — without the user having to act (subject to defined exceptions). For analytics this favours collecting less by default and asking before doing more. Combined with the consent and transparency rules, Law 25 nudges operators toward minimised, clearly disclosed measurement of Quebec residents.
- Stronger consent and transparency obligations
- Designated privacy officer and breach reporting
- Privacy-by-default for technology with privacy settings
How it appears in analytics and logs
If analytics identifies Quebec residents, Law 25 obligations — clear consent, a designated privacy officer, breach reporting, and privacy-by-default — can apply.
Diagnostic use case
Check whether analytics collects personal information of Quebec residents, since Law 25 adds consent, transparency, and privacy-by-default duties to that processing.
What WebmasterID can help detect
WebmasterID's privacy-by-default posture — cookieless, IP-anonymised, no fingerprinting — aligns with the direction Law 25's technology rules push toward.
Common mistakes
- Assuming Canada's federal PIPEDA covers Quebec without Law 25.
- Skipping a privacy-impact assessment where Law 25 expects one.
- Defaulting analytics to maximal collection despite privacy-by-default.
Privacy and accuracy notes
This page is educational, not legal advice. Minimised, anonymised analytics reduces the personal information that Law 25's consent and transparency rules govern.
Related pages
- Canada's PIPEDA and analytics
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organisations collect, use, and disclose personal information in commercial activity. It is principle-based, centred on meaningful consent and accountability, and overseen by the Office of the Privacy Commissioner. Analytics handling Canadian visitors' personal information should follow its fair-information principles. This is an educational overview, not legal advice.
- Privacy by design and by default
Privacy by design and by default, codified in GDPR Article 25, requires data protection to be built into systems from the outset and the most privacy-protective settings to be the default. For analytics this points to minimised collection, cookieless and anonymised defaults, and short retention out of the box — protection that does not depend on the user opting in. This is an educational overview, not legal advice.
- Data protection impact assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a structured analysis the GDPR requires before processing that is likely to result in a high risk to people's rights — for example large-scale profiling or systematic monitoring. Some analytics and tracking setups meet that bar. This page explains when a DPIA is required and what it documents.
- Privacy-first analytics
Privacy-by-default posture aligned with Law 25.
Sources and verification notes
- Commission d'accès à l'information du Québec — Law 25Quebec privacy regulator. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.