
Law 25 and web app security: the 2026 checklist
If your business collects any personal information from a Quebecer (an email, a phone number, a purchase history), Law 25 applies to you. And since its full rollout on September 22, 2024, it's no longer a formality: the penalties are among the most severe in North America.
This guide translates Law 25 into concrete obligations for your web apps, and provides a compliance checklist you can apply this week. This is not legal advice; it's the perspective of a team that builds compliant applications for Quebec SMEs.
What Law 25 is (and why it has teeth)
Law 25 (officially the Act to modernize legislative provisions respecting the protection of personal information) is Quebec's equivalent of Europe's GDPR. It came into force in stages from September 2022 to September 2024.
The penalties are what change everything. Administrative fines can reach $10,000,000 or 2% of worldwide turnover, and penal fines for serious offences up to $25,000,000 or 4% of worldwide turnover, whichever is greater. For an SME, a single mishandled breach can be existential.
Law 25 vs PIPEDA: why "federally compliant" is no longer enough
Many businesses believe being compliant with the federal law (PIPEDA) is enough. Law 25 goes further on several points:
- Explicit consent: it must be free, informed, and given for specific purposes, not buried in 40 pages of terms.
- Privacy officer: by default, this is the person with the highest authority in the company, unless delegated in writing.
- Mandatory reporting of confidentiality incidents presenting a risk of serious injury, to the Commission d'accès à l'information (CAI) and to the affected individuals.
- Privacy impact assessment (PIA) before certain projects and before any transfer of data outside Quebec.
- Right to portability and erasure of information.
The obligations that directly affect your web apps
This is where theory becomes code. A Law 25-compliant application must build the following in from the start (privacy by design):
- Minimal collection: only collect the data necessary for the stated purpose.
- Granular consent: separate checkboxes for marketing, analytics and service, never a single pre-checked box.
- Privacy settings at the highest level by default at collection time.
- Access, rectification and deletion: the user must be able to view, correct and have their data erased.
- Access logging: knowing who, in your organization, accessed which data.
- Incident notification: a mechanism to detect, record and report a leak.
The technical compliance checklist (apply it now)
Here's the checklist we use during an application audit. Check each item:
Encryption and transport
- HTTPS/TLS forced everywhere (automatic HTTP→HTTPS redirect, HSTS enabled)
- Encryption of sensitive data at rest (database, backups)
- Passwords hashed with a modern algorithm (bcrypt, Argon2), never in plaintext
Access and authentication
- Multi-factor authentication (MFA) for administrator accounts
- Principle of least privilege on roles and permissions
- Access logs that are queryable and retained
Consent management
- Granular consent banner (not a simple "OK")
- Timestamped, traceable consent register
- Clear, simple privacy policy accessible on the site
Data lifecycle
- Retention schedule and automatic deletion of expired data
- Data export function (portability) and deletion on request
- Anonymization or pseudonymization where possible
Hosting and transfers
- Precise knowledge of where your data is physically hosted
- PIA done before any transfer of information outside Quebec
- Contractual clauses with your cloud subcontractors
Detection and response
- Monitoring and alerts on abnormal access
- Documented incident-response procedure
- Confidentiality incident register
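As an added example (not code from the article or its authors), here is a minimal Python consent register and access trail covering the consent-management and data-lifecycle items above: one decision per purpose, no consent by default, timestamped entries, an access log attributed to the staff member who touched the data, export for portability and erasure on request. The purpose names, field names and in-memory storage are assumptions; a real application would persist all three trails in its database.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

PURPOSES = ("service", "analytics", "marketing")  # one decision per purpose, never one box
def _now():
    return datetime.now(timezone.utc).isoformat()  # UTC timestamps keep the trail traceable

@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool
    source: str     # where the choice was made, e.g. "banner v3" (constructed label)
    timestamp: str

class PrivacyRegister:
    def __init__(self):
        self.profiles = {}    # user_id -> personal information (in-memory stand-in for a DB)
        self.consents = []    # append-only consent trail
        self.access_log = []  # append-only trail of who in the organisation touched what

    def record_consent(self, user_id, purpose, granted, source):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consents.append(ConsentEvent(user_id, purpose, bool(granted), source, _now()))

    def has_consent(self, user_id, purpose):
        # Highest privacy by default: no recorded choice means no consent.
        for ev in reversed(self.consents):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev.granted
        return False

    def _log(self, actor, user_id, action):
        self.access_log.append({"actor": actor, "user_id": user_id, "action": action, "timestamp": _now()})

    def read_profile(self, actor, user_id):
        self._log(actor, user_id, "read")  # every internal access leaves a trace
        return self.profiles.get(user_id)

    def export_user(self, actor, user_id):
        self._log(actor, user_id, "export")  # portability: data plus full consent history
        return {"profile": self.profiles.get(user_id),
                "consents": [asdict(e) for e in self.consents if e.user_id == user_id]}

    def erase_user(self, actor, user_id):
        self._log(actor, user_id, "erase")  # erasure on request: drop profile, withdraw purposes
        self.profiles.pop(user_id, None)
        for purpose in PURPOSES:
            self.record_consent(user_id, purpose, False, "erasure request")
```

Whether the consent trail itself is kept after erasure is a retention-schedule decision to document, not something the code decides for you.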
Data hosting: the most common trap
The question almost every SME forgets: where does my data physically live? If your application uses a cloud host whose servers are in the United States, you're potentially transferring personal information outside Quebec, which triggers the PIA obligation.
It's not forbidden, but it must be assessed and documented. Choosing a Canadian hosting region (most major providers offer one) greatly simplifies compliance. It's a topic we systematically address in our cloud and DevOps engagements.
The PIA in brief
The Privacy Impact Assessment is mandatory in certain cases (notably transfers outside Quebec and some automated processing), and strongly recommended in others. In practice, it follows six steps: describe the project, map the data flows, identify the risks, assess their severity, define mitigation measures, and document everything. Document it before launching the feature, not after.
Compliance as a commercial advantage
Here's the angle few businesses grasp: Law 25 compliance isn't just a cost; it's a selling point. Display your privacy policy, talk to your customers about encryption and Canadian hosting. In a market where digital trust is rare, being visibly serious about data sets you apart.
Build privacy in from day one, not as a retrofit
The single biggest reason compliance becomes expensive is that it's treated as a final checkbox rather than a design constraint. Retrofitting consent management, access logging, data export and regional hosting onto an application that wasn't built for them is slow, error-prone and far costlier than getting them right at the start. Privacy by design isn't a slogan; it's a budgeting decision. A feature that collects personal data should ship with its retention rule, its consent path and its deletion mechanism already specified, the same way you'd never ship a payment flow without thinking about security.
This is also where a knowledgeable local partner earns its rate. An offshore team optimizing for the lowest hourly cost has little incentive to understand the nuances of a Quebec statute, and the gap shows up later as remediation work. A team that builds Law 25 considerations into the architecture (Canadian hosting region, granular consent, encrypted sensitive fields, an auditable access trail) produces an application that is both compliant and genuinely more secure. The compliance work and the good-engineering work are, for the most part, the same work.
A final practical note: compliance is continuous, not a milestone. Data flows change, you add a third-party analytics tool, you integrate a new payment provider, you expand to a new market. Each of those can re-trigger a PIA or shift where personal information travels. Build a habit of revisiting the checklist whenever the application's data footprint changes, and keep the documentation current, as it's your best defence if the CAI ever asks questions.
Frequently asked questions
What's the maximum penalty under Law 25?
Up to $25,000,000 or 4% of the previous year's worldwide turnover (whichever is greater) for serious penal offences, and $10,000,000 or 2% for administrative sanctions.
Does my SME really have to comply with Law 25?
Yes, as soon as you collect personal information from Quebec residents, regardless of company size. The obligations adapt to your reality, but they apply.
Can I host my data in the United States?
It's not forbidden, but it constitutes a transfer outside Quebec that requires a PIA and contractual safeguards. Hosting in Canada simplifies compliance significantly.
Is encryption mandatory?
The law requires "reasonable security measures." In practice, encryption in transit (TLS) and at rest for sensitive data is expected and is the defensible standard.
Bring your application into compliance
Law 25 isn't a do-it-once-and-forget project; it's an ongoing requirement that must be built into how your application is designed, hosted and maintained. The good news: most points on this checklist are sound engineering practices you should adopt anyway.
If you want an assessment of your existing application's compliance, or to build a new application compliant by design, our software development team can help. Book a free discovery call and we'll run your application through this checklist together.
This article provides general information and does not constitute legal advice. For your specific situation, consult a legal advisor.
