All you need to know about Quebec’s Bill 25 on data protection

What is Bill 25? What are the advantages of Bill 25 for my company? What do I need to do to ensure that my company complies with Bill 25? What are PCAN subsidies? Am I eligible? In this article, you’ll find answers to all your questions about the new Bill 25 and PCAN subsidies.

What is Bill 25?

Bill 25, or
an act to modernize legislative provisions respecting the protection of personal information
is a Quebec law that came into force on January 1, 2023. The purpose of this law is to protect the personal information of Quebec citizens.

The main provisions of Bill 25 for citizens are as follows:

  • Consent obligation: Companies and organizations must obtain the free and informed consent of individuals before collecting, using or disclosing their personal information.
  • Right of access: Individuals have the right to access their personal information and request that it be corrected or deleted.
  • Right to portability: Individuals have the right to receive a copy of their personal information in a structured and readable format.
  • Right to object: Individuals have the right to object to the collection, use or disclosure of their personal information.

Part of the
new provisions
The legislative provisions of Bill 25 also came into force on September 22, 2022. This reform modernizes the rules protecting personal information in Quebec so that they are better adapted to the new challenges posed by today’s digital and technological environment.

Companies must also :

  • Designate a person responsible for the protection of personal information and publish his or her title and contact details on the company’s website;
  • In the event of a confidentiality incident, keep a record of all incidents and take prompt action to reduce the risk of harm to those concerned. A company must also notify the Commission and the persons concerned of any incident presenting a serious risk of harm;
  • Disclose in advance to the Commission any verification or confirmation of identity made by means of biometric characteristics or measurements;
  • Comply with the new framework applicable to the communication of personal information without the consent of the person concerned in the context of a commercial transaction or for the purposes of study, research or statistical production.
  • In addition to these obligations, public bodies will also be required to set up an Access to Information and Privacy Committee.

What are the advantages of Bill 25 for my company?

Information governance offers companies benefits that go beyond regulatory compliance. How can you take advantage of Bill 25? Here are a few examples:

  • Make your strategy more transparent, and therefore closer to your customers
  • Demonstrate that your company acts responsibly and ethically
  • Protecting your customers’ and employees’ information
  • Risk reduction

What do I need to do to ensure that my company complies with Bill 25?

The essential steps

The protection of personal data is a major concern for companies of all sizes. Personal data is information that can be used to identify or contact a person. They may be sensitive, such as health or financial information.

To protect personal data, companies must implement appropriate security measures. These measures include an inventory of personal data, a data retention schedule and an incident management plan.

  1. Taking stock of personal data

The first step is to draw up an inventory of the personal data held by the company. This makes it possible to identify the type of information collected, the activities for which it is used and the people who have access to it.

For example, it is important to document staff roles and responsibilities with regard to personal data protection. It also ensures that all employees are aware of their obligations and responsibilities.

To carry out this inventory, we recommend that you map out the way in which data flows through the organization. This will help identify redundant or obsolete data that can be removed.

  1. Establish a data retention schedule

Once the company has an inventory of personal data, it needs to draw up a data retention schedule. This schedule defines how long data must be kept before it is deleted or anonymized, and who has access to it.

The data retention schedule must be adapted to the company’s needs. It must take into account legal and regulatory requirements, as well as operational needs.

For example, deadlines for deleting or anonymizing personal information collected during job interviews.

  1. Implement monitoring measures and an incident management plan

Companies need to implement monitoring measures to detect security incidents. These measures include intrusion detection systems, firewalls and antivirus software.

It is imperative to designate the person responsible for protecting personal information, and to publish his or her title and contact details on the company’s website. In addition, make sure your customers and site visitors are aware of their rights (consent, access, portability and opposition).

In the event of a security incident, companies need to be able to react quickly and effectively. To achieve this, they must put in place an incident management plan.

This plan must define the procedures to be followed in the event of a personal data breach. It must also identify the people responsible for managing the incident.

What are PCAN subsidies?

PCAN subsidies are subsidies offered by the Quebec government to companies and organizations that invest in the protection of personal information. These grants can be used to fund projects to raise awareness, provide training or improve privacy practices.

Here are some examples of projects that can be financed by PCAN grants:

  • The creation of a personal information protection policy
  • Training employees in privacy protection practices
  • Installing a data security solution
  • Analysis of compliance with Bill 25

Am I eligible for PCAN subsidies?

PCAN grants are available to companies and organizations of all sizes, including SMEs. Eligibility criteria are as follows:

  • The company or organization must be located in Quebec.
  • The project is designed to improve the protection of personal information.
  • The project must be carried out by a qualified company or organization.

PCAN grant amounts vary according to the project and the size of the company or organization.


Bill 25 and PCAN grants are important tools for protecting the personal information of Quebec citizens. These measures help to ensure that individuals have control over their personal data, and that it is protected from misuse.

As experts in digital marketing, we’ll be happy to answer your questions! Do you have a question about Bill 25? Would you like an audit of your website to find out if you comply with the new data protection regulations? Would you like to know how to use Bill 25 to your advantage and boost your sales? Send us a message here.(
internal link)

To find out more, here are a few important links:

Check your eligibility for a PCAN grant :

Further information on Bill 25 and the benefits for citizens :

New provisions for Bill 25 :