2026-07-01Technology9 min

By Jeremy Soares — Residential & Commercial Real Estate Broker, OACIQ H2731

Quebec's Law 25 and AI: What Your Business Must Know Before Deploying AI on Client Data

This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney before making compliance decisions.

Quebec's Act to modernize legislative provisions as regards the protection of personal information — known universally as Law 25 or Bill 64 — is fully in force as of September 2024. The three-phase rollout is complete. The Quebec Commission d'accès à l'information (CAI) has enforcement authority and is actively issuing findings.

If your business operates any AI system that touches the personal data of Quebec residents — a CRM, a chatbot, an automated lead-scoring tool, a recommendation engine — you need to understand what Law 25 requires. This is not a "future concern." It is a current legal obligation.

The Three-Phase Implementation You Should Know Cold

Law 25 did not arrive all at once. Understanding the phases tells you which obligations are oldest — and therefore most urgent from an audit perspective.

Phase 1 — September 22, 2022: Privacy incident reporting requirements and mandatory designation of a Privacy Officer became effective. Every organization must have a named person responsible for personal information protection.

Phase 2 — September 22, 2023: The most operationally significant phase for AI deployments. This is when consent requirements, Privacy Impact Assessments (PIAs), transparency obligations around automated decision-making, and the requirement to publish a privacy policy all came into force.

Phase 3 — September 22, 2024: Data portability rights became effective. Individuals can now request that their personal information be communicated to another organization in a structured, commonly used format.

Most SMBs focused on Phase 1 (breach reporting) and delayed the Phase 2 work. That delay is now a compliance gap, not a planning buffer.

What "Automated Decision" Means Under Law 25 — and Why It Matters for AI

This is where Law 25 intersects directly with AI systems, and where the obligations are most commonly misunderstood.

Under Law 25 (Article 12.1), when an organization uses personal information to render a decision based exclusively on automated processing that significantly affects a person, it must:

  1. Inform the person that an automated decision is being made, at or before the time the decision is communicated.
  2. Offer the person the opportunity to present observations to a member of the organization.
  3. Allow the person to request human review of the decision.
  4. Be able to explain the factors and parameters that influenced the decision.

The phrase "significantly affects" is the operative threshold. In a real estate context: if your AI system scores leads and routes lower-scored contacts to a deprioritized follow-up sequence, you are making an automated decision that affects those people's access to your services. That may trigger these obligations.

Practical examples of what triggers this provision:

  • An AI chatbot that qualifies leads and decides who gets a callback
  • A CRM system that scores clients and determines communication frequency
  • An AI hiring tool that filters applications before human review
  • An automated credit or financing pre-qualification system

If you are deploying any of these and have not addressed the disclosure requirements, you are running a compliance gap.

Privacy Impact Assessments: When You Need One

A Privacy Impact Assessment (EFVP — Évaluation des facteurs relatifs à la vie privée) is a structured risk analysis required before deploying any technology that:

  • Collects, uses, or communicates personal information, and
  • Presents a risk to privacy, particularly where automated decision-making is involved (Article 63.1)

For AI systems, the PIA is almost always required. The assessment must document:

  • What personal data is collected and why
  • How it flows through the system
  • What third-party processors handle it (your AI vendor, your cloud provider)
  • What risks to privacy exist and what mitigations are in place
  • Whether the project should proceed given the risk profile

PIAs must be documented. If the CAI requests one during an inspection, "we considered this informally" is not an acceptable response. The document must exist.

Consent Requirements for AI Data Processing

Law 25 sets a high bar for consent. Under Article 14, consent must be:

  • Manifestly informed — the person understands not just that data is being collected, but how it will be used in AI processing
  • Free — not bundled as a non-negotiable condition of service where alternatives exist
  • Specific — a blanket "I agree to all data uses" checkbox does not satisfy the requirement for AI-specific processing disclosures

What this means for your chatbot or AI assistant: If your AI tool collects names, email addresses, or phone numbers from Quebec visitors, the consent form or privacy notice must specifically disclose that personal information may be processed by an AI system, and for what purpose.

Generic privacy policies imported from US templates — or boilerplate from a SaaS vendor — do not satisfy this standard. They need to be reviewed and updated for Quebec specifics.

Data Residency: The Question Vendors Cannot Always Answer

Law 25 does not impose a hard data residency requirement mandating that data stay in Canada. However, it does require that communication of personal information outside Quebec be preceded by a privacy impact assessment and a contractual framework ensuring equivalent protection.

This matters because most AI infrastructure — OpenAI, Anthropic, Google Vertex, AWS Bedrock — runs on US-based servers. When you send a Quebec resident's personal data to one of these services for processing, you are technically communicating personal information outside Quebec.

What you need:

  1. A data processing agreement with the vendor that includes adequate privacy protections
  2. Documentation that you assessed the privacy risks of the cross-border transfer
  3. Disclosure in your privacy policy that data may be processed outside Quebec

Many SMBs are running AI tools on production customer data through vendor APIs with no data processing agreement in place. This is the single most common compliance gap we see.

For context on choosing AI vendors that can provide this documentation: see AI Agency vs Freelance Developer in Quebec.

The Penalties: Not Theoretical

The CAI has graduated penalty authority under Law 25:

  • Administrative monetary penalties (AMPs): Up to $10 million CAD or 2% of worldwide turnover for less serious violations.
  • Penal sanctions for serious violations: Up to $25 million CAD or 4% of worldwide turnover — whichever is greater.

There is no small-business exemption. A five-person real estate brokerage, a boutique marketing agency, and a solo consultant are all subject to the same rules as a bank.

The CAI has already issued formal findings against organizations in Quebec. This is an active enforcement environment, not a dormant one.

Bill 96 Overlay: French Is Mandatory for AI Client-Facing Tools

Separate from Law 25, Bill 96 (Law 14) — the Charter of the French Language amendments — requires that AI systems used in client-facing contexts offer a French interface and French-language service.

As of June 1, 2025, businesses serving Quebec clients must make their digital tools — including AI chatbots and automated communication systems — available in French. An AI assistant that only speaks English to Quebec prospects is a Bill 96 violation, not just a marketing gap.

For real estate professionals specifically: see AI for Real Estate Brokers in Quebec for how this intersects with OACIQ advertising obligations.

SMB AI Compliance Checklist

Use this as a starting point, not a substitute for legal review.

Governance

  • Privacy Officer designated and named internally
  • Privacy Officer contact publicly available
  • Privacy policy published, current, and Quebec-specific

Before deploying any AI system

  • Privacy Impact Assessment completed and documented
  • Data processing agreements signed with all AI vendors
  • Cross-border data transfer disclosure documented
  • French-language version of AI interface available (Bill 96)

For automated decision-making systems

  • Disclosure mechanism in place to inform individuals of automated decisions
  • Human review process established and accessible
  • Ability to explain decision criteria documented
  • Observations/appeal process defined

Consent

  • Consent language updated to disclose AI-specific processing
  • Consent collected before data entry into AI systems
  • Consent records maintained

Ongoing

  • Privacy incident response process documented
  • Annual review of PIA for active AI systems
  • Vendor contracts reviewed for Law 25 compliance provisions

The Honest Assessment

Most Quebec SMBs running AI tools are not fully compliant with Law 25. The honest reason is not bad faith — it is that the law is genuinely complex, the implementation resources are limited, and the SaaS vendors selling AI tools have not made compliance infrastructure easy to deploy.

The organizations that will avoid penalties are the ones that document their approach: a completed PIA, a current privacy policy, a data processing agreement with vendors, a defined process for automated decision disclosure. Not perfection — documentation and good-faith effort.

The CAI's enforcement focus has been on organizations that either ignored the law entirely or were unable to produce documentation when asked. If you can show your work, you are materially better positioned than the majority of Quebec businesses running AI today.


FAQ

Does Law 25 apply to my small business if I only use a CRM and an email marketing tool? Yes. Law 25 applies to any organization that collects or uses the personal information of Quebec residents, with no revenue or size threshold. If your CRM contains Quebec residents' contact information and you use automated sequences, you have Law 25 obligations.

What is the difference between a Privacy Impact Assessment and a privacy policy? A privacy policy is a public document that discloses your data practices. A Privacy Impact Assessment (PIA/EFVP) is an internal risk analysis document completed before deploying a new technology. Both are required — they serve different functions.

Do I need consent to use AI to analyze my existing customer data? Potentially yes, if you are using data for a new purpose that was not disclosed when it was originally collected. If clients gave you their email address to receive listing alerts and you are now feeding their profile into an AI scoring system, that new use may require fresh consent.

What happens if the CAI investigates my business and I have no documentation? The lack of documentation is itself evidence of non-compliance. The CAI can issue orders to comply, impose administrative penalties, and in serious cases refer matters for penal prosecution. Getting documentation in place before an inquiry is considerably easier than doing so during one.


Related Resources


Ready to audit your AI stack for Law 25 compliance? Let's talk.

Let's talk about your project

Have a question about your situation? Direct answer, no obligation.

About the author

Jeremy Soares is an OACIQ-licensed residential and commercial real estate broker (licence H2731) in Montreal. Trained in architecture, he combines brokerage — multifamily, commercial, pre-construction, and residential — with AI-powered analysis and staging tools. Bilingual service, Greater Montreal.

Newsletter

Stay informed

514 519-8177