Adapt your website to Law 25 with PH MEDIA


Quebec is now a leader in data protection and privacy. Law 25, passed in 2021, implements several new measures strengthening the rights of citizens and internet users while holding organizations and website operators accountable. These actors must now meet various requirements to comply with the new regulations, with significant penalties for non-compliance. Explore the main changes brought by Law 25 and potential actions with your marketing agency in Montreal, PH MEDIA.

What to Know About Law 25?

The Government of Quebec informs the public about the gradual implementation of Law 25, also known as the “Act modernizing legislative provisions regarding the protection of personal information.” As outlined in its timeline, this regulation’s enforcement is spread over three years. The initial measures were introduced in 2022, with further ones following in 2023, and the bulk of Law 25‘s provisions will be in effect starting September 2024.

What Are the New Obligations Accompanying Law 25?

Quebec’s Law 25 draws inspiration from the General Data Protection Regulation (GDPR), a foundational text for data protection in Europe. Aligned with GDPR’s fundamental principles, Law 25 helps harmonize data protection laws in Quebec and globally, fostering cross-border commerce and enhancing citizens’ trust in organizations collecting their personal information.

Key areas addressed by Law 25 include :

  • Informed Consent :

Farewell to pre-checked authorizations and unreadable fine print on websites : Law 25 requires obtaining the informed, freely given, and specific consent of the internet user before collecting, using, or disclosing their personal information. Website visitors must clearly understand how their data will be used and have the option to refuse each use.

  • Transparency :

Websites must provide clear and understandable information about their practices regarding the user’s personal information. Users have the right to know why their data is collected, how it’s used, and for how long it’s retained.

  • Data Security :

Law 25 imposes strict obligations on data security and protection. Website operators must implement appropriate security measures tailored to the risks faced by internet users’ information. Provisions include protection against theft, loss, unauthorized access, disclosure, alteration, or data destruction.

  • Access to and Rectification of Data :

Users have the right to access their personal information held by websites and request corrections for any errors or omissions. They also have the option to request the deletion of their data if it is no longer needed or collected unlawfully.

Who is affected?

Law 25 is a regulatory provision that involves a broad range of actors, from citizens to public entities, organizations, and individuals operating websites. Each participant has a specific role and responsibilities in protecting personal information :

  • Organizations and individuals owning websites and businesses : Essential compliance

Law 25 imposes strict obligations on actors who collect, use, or disclose personal information. They must obtain informed consent before collecting data and provide transparent information about their privacy practices. In this regard, these actors are encouraged to explain their policies regarding collecting, using, and managing personal information. They must also take appropriate security measures to protect information from unauthorized access.

  • Public entities : Responsible management of citizens’ data

Public organizations are also subject to Law 25. They must adhere to the same principles of protecting personal information as private companies. These entities must also comply with strict rules of governance and transparency regarding personal data.

  • Citizens and Internet Users : Increased Control Over Data

The public benefits from the system by exercising control over their data. Citizens should know how their data is collected, used, and disclosed. They should have access to their information, correct it if necessary, or refuse its collection, use, or disclosure.

PH MEDIA’s Services for Law 25 Compliance

With PH MEDIA, you benefit from the expertise of an agency specialized in aligning websites with Law 25. Our support enables you to meet all legal requirements. Our services range from a comprehensive evaluation of a website to identify areas for improvement to assistance in appointing a data protection officer within your organization. We guide you in appointing a data protection officer and help define their role and responsibilities.

The joint actions we undertake on behalf of an organization operating a website include :

  • Customized privacy policy development: We draft a clear and concise privacy policy detailing your practices regarding collecting, using, and disclosing personal data.
  • Tailored consent solutions : We implement compliant and intuitive consent banners to gather informed consent from users regarding the use of their data.
  • Enhanced data protection : We assist you in implementing appropriate security measures to safeguard your users’ personal information against unauthorized access, data breaches, and other threats.

Beyond mere compliance, we offer significant time and resource savings : focus on your core business by entrusting website compliance to experts and avoiding penalties.

Risks of Non-Compliance with Law 25

Significant penalties are imposed on actors failing to meet Law 25‘s requirements. Collecting or using personal data without consent or denying users access to their personal data may result in administrative and pecuniary sanctions, with fines of up to CAD 10 million or 2% of the organization’s global turnover.


By entrusting your website compliance to PH MEDIA, you ensure complete peace of mind and a lasting relationship with your clients while respecting the fundamental principles of data protection. Contact our team to discuss a personalized solution for your website.

Posted in B2B