Law 25 Compliance: A Practical Guide for Very Small Businesses (VSB)
Compliance with Law 25 is now essential for all Quebec businesses, including very small businesses (VSBs). Even with limited resources, your VSB can comply with this law and effectively protect your customers' personal information.
This guide explains the obligations related to Law 25 compliance for VSBs, and how to meet them easily with options tailored to your reality.
What does compliance mean for VSBs?
Law 25 modernizes the protection of personal information in the private sector in Quebec. It came into effect gradually between 2022 and 2024, with a final deadline scheduled for September 2025.
Law 25 compliance means that even a VSB must give citizens greater control over their data by meeting strict obligations when collecting and processing personal information.
Source: Commission d’accès à l’information du Québec (CAI)
Why does Law 25 compliance apply to all VSBs?
Whether you run an online store, a hair salon, or a consulting office, if your VSB collects customer data (name, email, phone number, etc.), Law 25 applies to you.
Even with just one employee, being compliant requires your VSB to:
- Appoint a person responsible for the protection of personal information;
- Establish a clear privacy policy;
- Obtain explicit consent before collecting data;
- Implement appropriate security measures to protect the data.
5 Steps to Ensure Compliance in Your VSB
To meet Law 25 compliance, here’s a simple 5-step plan for VSBs:
1. Appoint a person responsible for personal information
Appoint someone (yourself or an employee) who will be responsible for personal information within your VSB. This person will be your main point of contact for any questions or complaints.
2. Write a privacy policy that complies with Law 25
Your policy must clearly explain:
- Why you collect the data;
- How the data is used;
- Who the data may be shared with.
3. Obtain informed consent in accordance with Law 25
Before any data collection, make sure your customers give voluntary and clear consent, with no pre-checked boxes or ambiguity.
4. Secure the data according to Law 25 requirements
Even with simple tools, apply these best practices:
- Use strong passwords;
- Limit access to the data;
- Check the security of your digital tools.
5. Prepare a response plan in case of a data breach
Your VSB must anticipate and organize incident management, including:
- An incident log;
- A procedure to notify the CAI and the individuals concerned.
Law 25 Compliance Made Accessible for All VSBs
Law 25 is not just for large companies. VSBs can also implement tailored management and benefit from personalized support.
Solutions are available to:
- Customize the privacy policy;
- Use a compliance toolkit tailored to your needs;
- Take simple and effective training courses.
Key takeaways about compliance
- It applies to all VSBs;
- A few key actions are enough to comply with the law;
- Non-compliance can lead to heavy penalties (up to $25M or 4% of global revenue);
- Clear and tailored support is available—without legal guarantee, but effective.
Conclusion: Mastering Law 25 Compliance in Your VSB
Law 25 may seem complex, but with diligence and the right tools, your VSB can achieve compliance gradually and with confidence.
The goal is to establish responsible management of personal information, adapted to your pace and resources.
Need help getting started? Discover tools and guides designed specifically for VSBs.