
Explain Quebec Law 25

Last Updated: August 26, 2025

Quebec’s Law 25, officially known as An Act to modernize legislative provisions as regards the protection of personal information (formerly Bill 64), is a significant update to Quebec’s privacy legislation, specifically amending the Act respecting the protection of personal information in the private sector and other related laws. Enacted on September 22, 2021, it introduces stricter requirements for businesses and organizations handling personal information in Quebec, aligning the province’s privacy framework with global standards like the EU’s General Data Protection Regulation (GDPR). The law’s provisions are being implemented in phases, with key requirements effective as of September 22, 2022, 2023, and 2024.

Below is a clear and concise explanation of Law 25, tailored for the context of a boutique hotel in Montebello, Quebec. It covers the law’s key provisions, its implications for businesses, and specific considerations for a hotel website.

Key Provisions of Law 25

Law 25 strengthens protections for personal information in Quebec’s private sector, imposing new obligations on businesses, including small businesses like boutique hotels. Here are the main components:

  • Definition of Personal Information
      • Personal information is any information that relates to an individual and allows them to be identified (e.g., name, email, phone number, payment details, IP address, or guest preferences).
      • Law 25 expands protections for this data, including stricter rules for its collection, use, and disclosure.
  • Consent Requirements
      • Explicit Consent: Businesses must obtain clear, informed, and specific consent before collecting, using, or disclosing personal information, especially for non-essential purposes like marketing or analytics.
      • Granular Consent: Consent must be requested separately for different purposes (e.g., booking vs. marketing emails).
      • Opt-Out Option: Individuals must be able to easily withdraw consent at any time (e.g., unsubscribe from marketing communications).
      • For a hotel: Ensure your website’s forms (e.g., booking, newsletter sign-up) include clear checkboxes for consent and explain how data will be used.
  • Transparency and Privacy Policies
      • Businesses must publish a detailed, plain-language privacy policy on their website, outlining how personal information is collected, used, stored, and shared.
      • The policy must include contact details for a designated Privacy Officer responsible for handling privacy inquiries.
      • For a hotel: Your privacy and cookie policies (as drafted previously) should be accessible on your website and explicitly mention compliance with Law 25.
  • Data Protection Officer
      • Organizations must appoint a person responsible for ensuring compliance with Law 25, often referred to as a Privacy Officer. By default, this is the highest-ranking person in the organization (e.g., the hotel owner), unless another individual is designated.
      • Contact details for this officer must be published on the website.
      • For a hotel: Designate a Privacy Officer (e.g., the hotel manager) and include their contact information in your privacy policy.
  • Data Minimization and Purpose Limitation
      • Collect only the personal information necessary for the stated purpose (e.g., name and payment details for bookings, not irrelevant data like social media profiles).
      • Use the data only for the purposes for which it was collected, unless new consent is obtained.
      • For a hotel: Avoid collecting excessive guest information during bookings and clearly state the purpose of data collection in forms.
  • Data Security and Breach Notification
      • Businesses must implement reasonable security measures (e.g., encryption, access controls) to protect personal information.
      • In case of a data breach that poses a risk of serious harm, businesses must:
          • Notify the Commission d’accès à l’information du Québec (CAI).
          • Notify affected individuals promptly.
          • Keep a record of all data breaches, even minor ones, for at least five years.
      • For a hotel: Ensure your website, especially payment and booking systems, uses secure protocols (e.g., HTTPS, encrypted payment processing) and has a breach response plan.
  • Automated Decision-Making
      • If personal information is used for automated decision-making (e.g., profiling guests for targeted offers), individuals must be informed, and businesses must explain the decision-making process upon request.
      • For a hotel: If you use analytics or marketing tools to personalize guest offers, disclose this in your privacy policy and allow guests to opt out.
  • Data Portability and Individual Rights
      • Individuals have the right to:
          • Access: Request a copy of their personal information.
          • Correction: Request corrections to inaccurate or incomplete data.
          • Deletion: Request deletion of their data, subject to legal retention requirements.
          • Portability: Receive their data in a structured, commonly used format (e.g., CSV).
      • Businesses must respond to these requests within 30 days.
      • For a hotel: Implement a process for guests to submit privacy requests (e.g., via email) and ensure staff are trained to handle them.
  • Cross-Border Data Transfers
      • If personal information is transferred outside Quebec (e.g., to third-party booking platforms or cloud servers), businesses must conduct a Privacy Impact Assessment (PIA) to ensure the receiving jurisdiction offers equivalent protection.
      • A written agreement with the third party is required to ensure compliance.
      • For a hotel: If your website uses third-party services (e.g., Google Analytics, Booking.com), verify where data is stored and ensure compliance with Quebec’s requirements. Highlighting that your website is hosted on Canadian servers (as noted in your cookie policy) strengthens compliance.
  • Accountability and Record-Keeping
      • Businesses must maintain records of data processing activities and conduct PIAs for high-risk activities (e.g., transferring data outside Quebec).
      • Policies and practices for handling personal information must be documented.
      • For a hotel: Keep records of how guest data is processed and ensure third-party vendors (e.g., payment processors) comply with Law 25.
  • Penalties for Non-Compliance
      • Law 25 introduces significant fines for violations:
          • Up to $25 million or 4% of global annual turnover (whichever is higher) for serious violations.
          • Individuals can seek damages for harm caused by privacy breaches.
          • The CAI has increased enforcement powers, including audits and orders to comply.
      • For a hotel: Non-compliance could lead to reputational damage and financial penalties, so prioritizing compliance is critical.


Contact Us

If you have questions or concerns about this Policy, please contact us:

By Email: info@aubergemontebello.com
By Phone: (819) 423-0001 or (877) 423-0001
By Mail: Auberge Montebello, 676, rue Notre-Dame, Montebello (Quebec) J0V 1L0