Quebec Privacy Law Compliance Guide for SMEs and Professionals

Updated December 15, 2025

Who must comply?

Any business that collects personal information in Quebec is covered by the Act respecting the protection of personal information in the private sector. This represents over 277,000 SMEs (Institut de la statistique du Québec, 2023).

You're an accountant and keep your clients' financial information? The law applies to you.

You're a freelance photographer and store client emails to send their photos? The law applies to you.

You run a daycare with parents' contact information and children's records? The law applies to you.

You receive resumes? The law applies to you.

Regardless of your industry — retail, professional services, restaurants, healthcare, construction, etc. — if you have clients, employees, or suppliers whose personal information you store, you must comply.

The good news: for most SMEs and professionals, compliance can be quick with the right tools.

The 5 main obligations

The Act respecting the protection of personal information in the private sector imposes five main categories of obligations. Here they are, with concrete examples for each.

1. Designate a person responsible for the protection of personal information

Every business must designate a person responsible for the protection of personal information (RPRP — "Responsable de la protection des renseignements personnels"). By default, this is the person with the highest authority — meaning you, if you're the owner. You can also delegate this role to an employee or external consultant, in writing.

Example: Marie owns a café. She designates herself as RPRP and adds her email on her website's "Contact" page. Done.

Example: Jean runs an accounting firm with 12 employees. He delegates the role to his administrative director, in writing. Her contact information appears on the firm's website.

Learn more about Privacy Officer designation.

2. Document your activities

You must know what personal information you collect, why you collect it, where it's stored, and how long you keep it. This information must be described in a privacy policy published on your website.

Example: A physiotherapy clinic collects: name, date of birth, health insurance number, medical history, contact information. This data is in their management software hosted in Canada, kept for 5 years after the last appointment, then securely destroyed.

Example: An e-commerce site collects: name, shipping address, email, purchase history. This data is in an external e-commerce platform. Note: the platform's servers may be located outside Quebec, which could require a privacy impact assessment (more on this below).

The CAI offers a guide for writing your privacy policy (in French) — a good starting point for structuring your documentation.

3. Manage privacy incidents

A privacy incident is unauthorized access to, use of, or disclosure of personal information. In 2023-2024, the Commission d'accès à l'information (CAI) received 444 incident reports — a 469% increase since the reporting obligation came into force in September 2022. The most common causes of these incidents are cyberattacks, ransomware, and human error (CAI, Annual Report 2023-2024).

You must maintain a registry of all incidents, even minor ones. If an incident presents a risk of serious harm, you must notify the CAI and the affected individuals. The risk of serious harm is assessed case by case, but can include identity theft, fraud, or reputational damage.

Example: An employee accidentally sends a client file to the wrong email address. That's an incident. It must be recorded in the registry.

Example: A laptop containing client data is stolen from a car. That's an incident with risk of serious harm. You must notify the CAI and the affected clients.

Learn more about incident management.

4. Assess risks (Privacy Impact Assessment)

A Privacy Impact Assessment (PIA, called "ÉFVP" in French) is a risk analysis required before certain projects: acquiring a new IT system that processes personal information, or communicating information outside Quebec.

You want to use an email distribution platform for your newsletters? The data will most likely be stored in the United States. You must conduct a PIA first.

You're buying new accounting software hosted in Canada, and the provider doesn't access your clients' personal data? A PIA is probably not required.

You're installing surveillance cameras in your store? A PIA is probably required.

For most SMEs, a PIA is a straightforward process. Learn more about PIAs.

5. Obtain valid consent

Consent is the foundation without which you generally cannot collect personal information. Consent must be free, informed, and given for specific purposes. The language used must be clear and simple — no legal jargon. For example, pre-checked boxes generally do not constitute valid consent.

Example: On your registration form, you cannot pre-check the box "I agree to receive promotions." The customer must check it themselves.

Example: "By submitting this form, you accept our privacy policy and terms of use and consent to receive our promotions." This is not valid consent. Each purpose must have its own checkbox.

Learn more about consent requirements.

Timeline: what applies now?

The law came into force progressively over three years:

Date                 Obligations in force
September 22, 2022   Privacy Officer designation, incident registry, CAI notification
September 22, 2023   Privacy policy, PIA, consent rules, data destruction obligations, administrative penalties
September 22, 2024   Data portability right

As of September 2024, all provisions of the law are in force. There is no more grace period.

If you haven't started your compliance journey yet, it's not too late, but it's time to get started.

Penalties for non-compliance

The CAI can impose administrative monetary penalties of up to:

  • $50,000 for an individual
  • $10 million or 2% of worldwide revenue, whichever is higher, for a corporation (Art. 90.12)

For criminal offenses, fines can reach:

  • $5,000 to $100,000 for an individual
  • $15,000 to $25 million or 4% of worldwide revenue, whichever is higher, for a corporation (Art. 91)

In cases of gross or intentional misconduct affecting a person's rights, the court awards punitive damages of at least $1,000 per affected person (Art. 93.1).

According to a study by the Groupe de recherche interdisciplinaire en cybersécurité at Université de Sherbrooke, 40% of SMEs said they were ready for the law — but after analysis, only 3% actually were (GRIC, 2023).

The CAI has indicated it prioritizes guidance and education. But penalties exist and will be applied, particularly in cases of serious or repeated negligence.

Maximum fines target large corporations. For an SME, the main risk is often elsewhere: loss of customer trust after a poorly handled incident, or damage to the company's reputation.

Where to start?

Here are the first steps to bring your SME into compliance:

1. Designate your Privacy Officer

Decide who will be responsible. By default, it's you. Publish the contact information on your website: title, email or contact form. Publishing the name is optional.

2. Take inventory of your personal information

What information do you collect about your clients, employees, suppliers? Where is it stored? In which software? On paper?

3. Identify your vendors that process data

Web hosting, accounting software, point-of-sale system, newsletter service, appointment booking... Which ones have access to personal information? Are they in Quebec, Canada, or abroad?

4. Write your privacy policy

Explain in simple terms what information you collect, why, and how people can exercise their rights. The CAI offers a free guide to help you write your policy (in French).

5. Create your incident registry

Even if you've never had an incident, the registry must exist and be ready to use. A simple spreadsheet is enough to start.

Tools like Conforme.ca can automate many of these steps: privacy policy generation, incident registry, vendor tracking, guided PIAs. Your documentation is ready quickly.

Frequently Asked Questions

Does the law apply to self-employed workers?

Yes. As soon as you collect personal information in the course of your business activities, you are subject to the law, regardless of your size.

What is personal information?

Any information that can identify a person: name, email, address, phone number, but also IP address, geolocation data, or photos.

Do I have to notify the CAI of all incidents?

No. Only those that present a risk of serious harm. But you must record all incidents in your internal registry, even minor ones.

How much does compliance cost for an SME?

For a small business, basic compliance mainly requires time and can be done in a few days. Specialized tools can dramatically speed up the process.

What happens if I'm not compliant?

The CAI can impose administrative and criminal penalties of up to $100,000 for individuals and $25 million or 4% of worldwide revenue for corporations.

I use American services (Google, Mailchimp). Is that a problem?

Not automatically, but you must conduct a PIA before transferring personal information outside Quebec. This assessment documents the risks and protective measures.

How long must I keep personal information?

Only for the time necessary for the purpose for which it was collected. After that, it must be destroyed or anonymized.

Does my website need a cookie banner?

If you use cookies that collect personal information or track user behavior, you must obtain consent.
