Law 25 summarized for a small business: five concrete moves ranked by real enforcement risk, and what the CAI has actually sanctioned since 2022.

Search for a Law 25 summary and you will find two kinds of texts. On one side, law firm analyses, accurate but written for other lawyers. On the other, compliance vendors waving the $25 million fine to sell you a package. In between, the owner of a 5-50 person business is left with the practical question: what do I actually have to do? The question applies to your website as much as to your AI agent projects, and the honest answer is shorter than either camp lets on.
This article lays out the minimum credible compliance path for a Quebec SMB, ordered by real risk. Not the full program a compliance officer would roll out at a bank: the short list of moves that matter, ranked by what the Commission d'accès à l'information (CAI) has actually watched and sanctioned since 2022.
Law 25 is Quebec's overhaul of its private-sector privacy regime, phased in between September 2022 and September 2024 and now fully in force. It applies to every business that collects personal information in Quebec, with no size exemption. For an SMB, the credible minimum comes down to five moves: designate a privacy officer (by default, the person with the highest authority in the company) and publish their contact information; post a privacy policy in plain language; collect only the information you actually need; keep a register of confidentiality incidents and report those creating a risk of serious injury to the Commission d'accès à l'information; and run a privacy impact assessment before any new information system or any transfer of personal data outside Quebec. Maximum administrative penalties reach $10 million or 2% of worldwide turnover, but actual enforcement so far has targeted biometrics and excessive collection.
Law 25 modernizes Quebec's personal information regime. It came into force in three phases: September 2022 (designating a privacy officer, managing confidentiality incidents), September 2023 (the bulk of the obligations: privacy policy, consent, privacy impact assessments, transfers outside Quebec, the penalty regime) and September 2024 (the right to data portability). Since that last date, the law is fully in force. There is no grace period left.
First point most summaries skip: the law applies to every business collecting personal information in Quebec, with no size threshold. A freelancer with a contact form is covered, just like a multinational. What varies is proportionality: nobody expects an eight-person company to run the governance program of a financial institution.
Second point: the scary numbers are real, but they need reading correctly. The CAI can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover, whichever is greater. Penal prosecutions can lead to fines for a business of $15,000 up to $25 million or 4% of worldwide turnover, doubled for repeat offences. These are ceilings designed for tech giants, not price tags. The real question is elsewhere: what has the CAI actually done with these powers?
As of this writing (July 2026), the CAI has not publicly announced a single administrative monetary penalty against a named company. Its enforcement record since the reform consists of orders and recommendations, and it draws a very clear profile.
In September 2024, its oversight division issued its first decision since the reform: it ordered a printing company to stop using facial recognition to control employee access. In February 2025, it prohibited Metro Inc. from deploying a biometric database meant to identify shoplifters. In early 2026, it called out recruitment practices (you cannot collect more than necessary to hire) and landlords (no credit checks without consent). In May 2026, the joint investigation with Canada's other privacy authorities into OpenAI concluded with recommendations on consent and data retention.
Three lessons. First, biometrics is the red zone: it is where the CAI strikes hardest, and the classic SMB trap is the fingerprint or facial-recognition time clock installed without a second thought. Any bank of biometric characteristics must be declared to the CAI at least 60 days before it goes live. Second, the necessity test is enforced for real: collecting data "just in case" is precisely what the recent decisions condemn. Third, the machine almost always starts with a complaint: an employee, a customer, a job applicant. Your real exposure is not a $10 million fine tomorrow morning; it is an investigation triggered by a complaint, ending in an order that can shut down a practice you built a process on.
The absence of headline fines is not a compliance plan, though. The framework for applying penalties is published, the powers have been in force since September 2023, and an investigation file where the company has no designated officer, no policy and no register is exactly the kind of file where a penalty becomes likely.
Here is the list, in the order I would do it, meaning the order of what is visible from outside and what gets sanctioned.
1. Designate the privacy officer and publish their contact information. By default, the law assigns the role of person in charge of protecting personal information to the person with the highest authority in the company: probably you. You can delegate it in writing. The officer's title and contact information must be published, in practice on your website. It is an hour of work, and it is the first thing a complainant or an investigator checks.
2. Post a privacy policy in plain language. If your site collects personal information by technological means (forms, newsletter, analytics), you must publish a policy written in simple terms: what you collect, why, who has access, and how people can consult or correct their information. It is the storefront of your compliance, visible from outside. A policy auto-generated for California does not count.
3. Collect only what you need. Review your forms and remove every field nothing justifies. The necessity test is the one the CAI applies most in its recent decisions. And if a project touches biometrics, stop: a declaration 60 days in advance, express consent, and case law that runs against you.
4. Create the incident register. Every business must keep a register of its confidentiality incidents, including those that present no serious risk, and retain that information for at least five years. If an incident creates a risk of serious injury, you must notify the CAI and the people affected. A one-page table is enough; what matters is that it exists before the incident, because the CAI can demand a copy.
5. Run a PIA before new systems and transfers outside Quebec. The privacy impact assessment is mandatory in two cases: before acquiring, developing or overhauling an information system involving personal information, and before communicating personal information outside Quebec. The threshold really is "outside Quebec", not outside Canada: a cloud provider with servers in Ontario or the United States triggers the obligation. The law requires the assessment to be proportionate: for an SMB, a few serious pages beat a hundred-page report nobody reads. We walk through the exercise in our PIA guide for an AI agent project.
If your SMB uses or is considering AI agents, the five moves stay the same, with two extra pressure points. The first: the tools your employees already use without telling you. An employee pasting a client file into a consumer AI tool creates exactly the kind of incident your register will have to document; we wrote about this shadow AI problem. The second: where the data lives. Most AI models run on American servers, which triggers the outside-Quebec transfer PIA; the details are here.
This is also why compliance is decided at design time. A website or agent built with these obligations in mind costs barely more; the same system retrofitted afterwards costs a rebuild.
The five moves above amount to a week of focused work, not a transformation program. If you are starting from zero, do moves 1 and 2 this week: they are visible from outside and cost almost nothing. The rest follows.
And if your next project is a new website or an AI agent, the simplest path is to build compliance into the quote. That is what we do: sites and agents compliant by design, register and PIA included.
This article summarizes a law to help an SMB set priorities; it is not legal advice. Your exact obligations depend on your situation: for ambiguous cases (biometrics, sensitive data, international transfers), consult a specialized lawyer. The official texts and CAI decisions prevail.
Written by