Bill 25 in detail: P3F analysis, implications and recommendations

Bill 25, an important new law protecting the rights and interests of citizens, has just been passed in Quebec. Have you heard about it?

In short, Bill 25 aims to strengthen the protection of personal information and privacy. It introduces new measures and requirements for companies that collect, use or process personal data. These companies will have to adjust their privacy policies to comply with the new legal rules. This will promote transparency and trust with users, while complying with current standards.

Here’s an overview of the changes that will take place as of September with the activation of Bill 25:

Informed consent: The law emphasizes the importance of informed consent before any personal information is collected or used. Organizations will therefore have to ensure that they inform their users of data collection and obtain explicit and informed consent from them. Consent is essential.

P3F recommends that you carry out a Privacy Impact Assessment (PIA) before disclosing any personal information, whether for study, research or statistical purposes;

Right to be forgotten

Bill 25 introduces the right to oblivion, allowing your users to request the deletion of their personal information in certain situations. If the data is no longer required for the purposes for which it was collected, you must comply with the deletion request.

We advise you to destroy personal information once the purpose for which it was collected has been fulfilled, or to anonymize it subject to the conditions and retention period stipulated by law; Provide, by default, settings ensuring the highest level of confidentiality for the technological product or service offered to the public.


Organizations will be required to provide clear information about their personal information collection, use and disclosure practices. In addition, you will need to inform your users about your privacy policies and the security measures you are putting in place to protect their data.

Designating a person responsible for the protection of personal information is essential, and his or her title and contact details must be published on your website.

Data breach notification

In the event of a security breach that could present a high risk to users’ rights and freedoms, you will be required to inform the relevant authorities, as well as the users concerned, to ensure that you take the necessary steps to protect this data.

We advise you to keep a record of all incidents, their implications and the corrective measures put in place, in order to reduce the risk of harm.

To sum up in a few words, you will need to:

  • Include privacy policies and terms and conditions on your website.
  • Offer users the option of accepting or blocking cookies.
  • Designate a privacy officer and mention him or her on your website.

If you have any questions about implementing changes to your website to ensure compliance, contact us – P3F is at your disposal!