Bill 64 was the legislative bill that, once adopted in 2021, became Law 25, which modernized Quebec's public and private sector personal information protection laws.

When did Law 25 take full effect?

Law 25 was phased in across three dates, with provisions taking effect on 22 September 2022, 22 September 2023, and the final stage including data portability on 22 September 2024.

🇨🇦 Canada · Data privacy

Quebec Law 25

Act to modernize legislative provisions as regards the protection of personal information (Law 25)

Quebec's Law 25 modernizes the province's private and public sector privacy laws with some of the strictest requirements in Canada. It introduced enhanced consent, transparency, privacy-by-default, mandatory privacy officers, breach reporting, and data portability over a phased rollout from 2022 to 2024.

Jurisdiction:🇨🇦 Canada

Type:Data privacy

In effect:2022

Authority:Commission d'acces a l'information du Quebec (CAI)

Who it applies to

Public bodies and private-sector enterprises operating in Quebec that collect, hold, use, or communicate personal information about individuals in Quebec.

Identity requirements

Obtain clear, free, and informed consent, with express consent required for sensitive personal information
Designate a person responsible for the protection of personal information and publish their title and contact details
Apply privacy by default for technological products and services that collect personal information
Conduct privacy impact assessments for high-risk projects and for disclosures and transfers outside Quebec
Report confidentiality incidents posing a risk of serious injury to the CAI and affected individuals and keep an incident register
Provide individuals with data portability, the right to access, and the right to de-indexing or correction

How it impacts identity systems

Identity area	Impact
Customer identity & consent (CIAM)	Enhanced consent and privacy-by-default requirements reshape how enterprises capture and manage user consent.
Data residency & cross-border transfer	Disclosing personal information outside Quebec requires a privacy impact assessment confirming adequate protection.
Identity verification (KYC/proofing)	Data access, portability, and correction rights require reliably confirming the requesting individual's identity.
Breach notification	Confidentiality incidents posing a risk of serious injury must be reported to the CAI and affected individuals, with a mandatory incident register.

Penalties

The CAI can impose administrative monetary penalties up to 10 million Canadian dollars or 2 percent of worldwide turnover, and penal fines can reach 25 million Canadian dollars or 4 percent of worldwide turnover.

Official source

https://www.cai.gouv.qc.ca/protection-renseignements-personnels/sujets-et-domaines-dinteret/principaux-changements-loi-25

Quebec Law 25: frequently asked questions

What was Bill 64?: Bill 64 was the legislative bill that, once adopted in 2021, became Law 25, which modernized Quebec's public and private sector personal information protection laws.
When did Law 25 take full effect?: Law 25 was phased in across three dates, with provisions taking effect on 22 September 2022, 22 September 2023, and the final stage including data portability on 22 September 2024.
How severe are Law 25 penalties?: Administrative penalties can reach 10 million Canadian dollars or 2 percent of worldwide turnover, and penal fines can reach 25 million Canadian dollars or 4 percent of worldwide turnover, whichever is greater.

Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel. See all Canada regulations or the full country index.