Quebec’s Law 25: What Canadian SaaS Founders Keep Missing in 2026

AI-drafted Privacy Policies almost never mention Quebec Law 25 — but the law applies to most Canadian SaaS with any Quebec customers. Penalties up to $25M or 4% of global turnover. Here's what most founders are missing.

Why Most Canadian SaaS Founders Get Quebec Law 25 Wrong

I recently reviewed a Privacy Policy for an Ontario-based SaaS founder. The draft came from a popular AI tool. It was clean, well-organized, and full of GDPR-style language about “data subjects,” “controllers,” and “the right to be forgotten.”

There was just one problem: the founder had Quebec customers. And the Privacy Policy did not mention Quebec’s Law 25 a single time.

This is not an isolated case. In the last year I have reviewed between ten and twenty-five Privacy Policies, Terms of Service, and related website documents for Canadian businesses. The single most common gap I see — by a wide margin — is the missing Quebec Law 25 framework. AI tools default to GDPR. They default to CCPA. They almost never default to the Canadian provincial privacy regime that, in practice, governs most of what SaaS founders actually do.

If you operate a Canadian business with any Quebec customers — and “any” is the operative word — this post is for you.

What Quebec’s Law 25 Actually Is

Quebec’s Act to modernize legislative provisions as regards the protection of personal information — commonly called Law 25, or sometimes Bill 64 — was adopted on September 22, 2021. Its provisions came into force in three waves: September 2022, September 2023, and the final wave in September 2024.

By the end of 2024, all of Law 25 was in effect. By early 2026, the Commission d’accès à l’information du Québec (the CAI) is actively enforcing it.

The penalties are substantial. Administrative monetary penalties can reach 2% of worldwide turnover or CAD $10 million, whichever is greater. Penal fines can reach 4% of worldwide turnover or CAD $25 million, whichever is greater. These are not theoretical numbers — they sit at the upper end of any privacy regime in Canada.

What makes Law 25 particularly significant for businesses outside Quebec is its extra-territorial reach. The law applies to any organization “carrying on an enterprise” in Quebec, which includes out-of-province businesses that:

  • Offer goods or services to Quebec residents
  • Monitor the behaviour of Quebec residents (analytics, ad tracking, etc.)
  • Process personal information of Quebec residents, even from outside the province

If your SaaS has even one customer in Montreal, Law 25 likely applies to you. The same is true for an e-commerce business shipping to Quebec, or any platform with Quebec users.

What Law 25 Requires That GDPR-Style Templates Miss

A common mistake I see is treating Law 25 as “GDPR Lite.” It is not. There are several Law 25 requirements that GDPR templates simply do not address — and these are exactly what AI-generated Privacy Policies leave out.

1. Designation of a Privacy Officer (in effect since September 2022)

Section 3.1 of the law requires every organization to designate a person responsible for the protection of personal information. By default, this is the person with the highest authority in the organization — meaning if you do not actively designate someone, your CEO is automatically the Privacy Officer. The Privacy Officer’s title and contact information must be published on your website.

Most AI-drafted Privacy Policies do not designate a Privacy Officer at all. GDPR's "Data Protection Officer" is a similar but not identical concept: the DPO role under GDPR has different thresholds and obligations, so a GDPR-style DPO clause does not satisfy the Law 25 designation.

2. Privacy Impact Assessments for cross-border transfers (in effect since September 2023)

Section 17 requires a Privacy Impact Assessment (PIA) before any transfer of personal information outside Quebec — including to Ontario, to the United States, and to any cloud service provider. The PIA must analyze:

  • The sensitivity of the information being transferred
  • The purpose of the transfer
  • The legal framework applicable in the destination jurisdiction
  • The measures in place to protect the information

If you run a SaaS on AWS, your customer data is leaving Quebec the moment it is collected. Law 25 requires you to have actually done a documented assessment of that transfer — not just to mention it in your Privacy Policy.

3. Automated Decision-Making Transparency (in effect since September 2023)

Section 12.1 imposes specific transparency obligations when personal information is used to render a decision based exclusively on automated processing. The individual must be informed of:

  • The decision being made about them
  • The personal information used
  • The factors and parameters that produced the decision
  • Their right to obtain corrections or further explanation

This is a real concern for any SaaS using AI for scoring, ranking, or recommendation — and AI-drafted Privacy Policies rarely address it because the AI drafting tool does not know what your AI features actually do.

4. Data Portability (in effect since September 2024)

Section 27 grants Quebec residents the right to receive their personal information in a structured, commonly used technological format — and to have it transmitted to a third party of their choosing. The response timeline is 30 days.

If your application has no export mechanism, you have a Law 25 problem. A Privacy Policy that mentions “portability” generically is not enough; the operational capability has to exist.

5. Specific Cookie Consent Standards

Law 25 takes a stricter position on cookie consent than the historical Canadian PIPEDA approach. Pre-checked consent boxes are not valid. Tracking that is not strictly necessary requires affirmative consent. The consent withdrawal mechanism must be as easy to use as the granting mechanism.

Most Canadian cookie banners I review fall short of this standard. They were drafted years ago, or they were copied from a U.S. site, or they were generated by an AI tool that defaulted to a more permissive framework.
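The consent behaviour described above, as an added example that is not from the post: a small JavaScript consent gate in which non-essential categories start off (no pre-checking), granting is an explicit act, withdrawal is the mirror image of granting, and tracker tags are injected only for categories the visitor has affirmatively enabled. The category names, tag manifest and script URLs are constructed for illustration.

```javascript
// Added example, not the post's code. Category names and the tag manifest
// below are constructed for illustration.
const NON_ESSENTIAL = ["analytics", "advertising"];

// Consent state: every non-essential category starts OFF (no pre-checked boxes).
function createConsentState() {
  const state = {};
  for (const category of NON_ESSENTIAL) state[category] = false;
  return state;
}

// Granting requires an explicit, affirmative act per category; categories that
// are not subject to consent are ignored so the state cannot be widened by mistake.
function grant(state, category) {
  if (!NON_ESSENTIAL.includes(category)) return state;
  return { ...state, [category]: true };
}

// Withdrawal is as easy as granting: one call with the same shape.
function withdraw(state, category) {
  if (!NON_ESSENTIAL.includes(category)) return state;
  return { ...state, [category]: false };
}

// Decide which tracker tags may load. Strictly necessary ("essential") tags
// never need consent; every other tag needs its category switched on.
function allowedTags(state, tags) {
  return tags.filter(t => t.category === "essential" || state[t.category] === true);
}

// Constructed sample tag manifest (hypothetical script URLs).
const TAGS = [
  { id: "session", category: "essential", src: "/js/session.js" },
  { id: "analytics-tag", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel", category: "advertising", src: "https://example.invalid/pixel.js" },
];

// Browser wiring: inject only the allowed tags. Guarded so the module also
// loads outside a browser (e.g. under a test runner).
function injectAllowed(state) {
  if (typeof document === "undefined") return [];
  const injected = [];
  for (const t of allowedTags(state, TAGS)) {
    const s = document.createElement("script");
    s.src = t.src;
    document.head.appendChild(s);
    injected.push(t.id);
  }
  return injected;
}
```

Call `injectAllowed(createConsentState())` on page load and re-run it after each `grant`; on `withdraw`, the tag's scripts should also be removed and its cookies cleared, which this gate leaves to the host page.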

What I Tell SaaS Founders to Do

If you are a Canadian SaaS founder with Quebec customers (or expecting them), here is the practical sequence:

Step 1: Assume Law 25 applies and act accordingly.

Do not wait for a CAI complaint to discover you should have been compliant. The penalty regime is severe enough that even one enforcement action could be existential for a startup. Build the assumption into your privacy posture from the start.

Step 2: Designate a Privacy Officer in writing.

For most early-stage SaaS, this will be the founder or CEO. Publish the name and contact information on your website. This is the simplest single Law 25 requirement to meet — and the most commonly missed.

Step 3: Document your cross-border data flows.

Make a list of every place customer data goes: your cloud host, your analytics provider, your email service, your CRM, your support tool, your payment processor. For each, you should be able to identify the jurisdiction where the data is stored and processed.

This is the foundation for the Privacy Impact Assessments that Law 25 requires when data leaves Quebec. You do not need a 40-page formal PIA for every transfer — but you do need a documented assessment.

Step 4: Update your Privacy Policy to actually mention Law 25.

Your Privacy Policy should specifically reference Quebec Law 25 obligations. It should identify your Privacy Officer. It should explain cross-border transfer practices. It should describe how to exercise data portability rights and how to receive explanations of automated decision-making.

If your current Privacy Policy was generated by an AI tool or copied from a template, it almost certainly does not do these things. Our Privacy Policy review service is built specifically for this scenario — flat-fee, Canadian-law focused, Quebec Law 25 specific.

Step 5: Review your cookie consent mechanism.

If your site uses Google Analytics, Meta Pixel, or any ad-tracking technology, your cookie consent banner needs to meet Law 25’s specific consent standards. Our Cookie Policy review service covers both the policy and the consent mechanism.

What This Means If You Are Selling to Enterprise

One additional point worth flagging: enterprise customers — especially Quebec-headquartered ones — are increasingly asking pointed Law 25 questions during procurement. The question “Are you Law 25 compliant?” is now showing up in vendor security questionnaires, in Data Processing Agreement redlines, and in M&A due diligence.

A Privacy Policy that does not reference Law 25 is a flag in those conversations. A vendor who cannot articulate their Privacy Officer designation, PIA process, and cross-border data flow assessment is increasingly going to lose deals.

If you are a SaaS vendor selling to enterprise in 2026, Law 25 compliance is not just a regulatory concern. It is a sales enablement issue.

The Bottom Line

Quebec Law 25 is not new. It has been in effect in stages since September 2022. The CAI is actively enforcing it. The penalties are real, the extra-territorial reach is real, and the gap between AI-drafted Privacy Policies and Law 25’s actual requirements is wide.

For Canadian SaaS founders, the right approach is straightforward: assume the law applies, designate a Privacy Officer, document your data flows, update your Privacy Policy to reflect Law 25 specifically, and review your cookie consent mechanism. None of these steps is individually complex. The mistake most founders make is assuming a generic AI-drafted policy already covers them. It almost never does.

If you would like a Canadian business lawyer to review your existing Privacy Policy against Law 25 specifically — including a flat-fee tracked-changes revision — we can help. The same flat-fee approach is available for your Cookie Policy, your Data Processing Agreement, and your complete website legal package.

This post is general information about Quebec Law 25 and is not legal advice for any specific situation. For advice tailored to your business, contact us for a free 15-minute consultation.
