Quebec Law 25 and AI: What Your SME Needs to Know (2026)
Quebec's Law 25 — officially Act 64 modernizing privacy protection legislation — has been fully in force since September 2023. Its impact on artificial intelligence use in Quebec SMEs is often misunderstood, or ignored entirely.
Chatbots, automated email marketing, CRM systems, behavioural analytics, ChatGPT: each of these AI tools touches personal data. And every poorly framed use exposes your business to real risks. This guide explains exactly what Law 25 governs and what you need to do to use AI in full compliance.
What Law 25 Concretely Governs
Law 25 imposes specific obligations on any business that collects, uses, communicates, retains, or destroys personal information of Quebec residents. Here are the four pillars to understand:
- Personal data collection — names, email addresses, phone numbers, browsing behaviour, IP addresses: anything that allows a natural person to be identified is considered personal information.
- Explicit consent — before any data collection, individuals must be informed of the purpose and must give their agreement. Implied consent or pre-ticked boxes are no longer accepted.
- Right to erasure — any person can request that their data be deleted from your systems. You are legally required to act on this request within a reasonable timeframe.
- Privacy Officer (PO) — every business must designate a Privacy Officer, publish their contact information on the company website, and ensure that person is trained to respond to incidents and access requests.
AI and Law 25 — Risk Areas to Know
Some AI applications are particularly exposed. Here is a table of the most common situations in SMEs and the required actions:
| AI use | Law 25 risk | Required action |
|---|---|---|
| Chatbot that collects name/email | High | Up-to-date privacy policy + explicit consent before data collection |
| Automated email marketing | Medium | Documented opt-in consent + easy unsubscribe on every send |
| Website behavioural analytics | Medium | Updated cookie policy + compliant consent banner |
| CRM with client data | High | Data processing register + role-based access controls for staff |
| Generative AI (ChatGPT) with client data | High | Never enter personal data into the consumer version |
A compliant digital presence is also a stronger one
Privacy policy, cookies, compliant forms — a well-built digital strategy respects your legal obligations and builds trust with clients.
3 Reflexes to Adopt Immediately
If your SME uses AI tools and you have not yet formalized your Law 25 compliance, these three actions are the most urgent:
- Never copy-paste client data into ChatGPT or public AI tools: Names, emails, phone numbers, payment details — no data that identifies a client should pass through a consumer AI tool. This data may be used to train models or could be accessible to third parties.
- Verify that your AI tools store data in a compliant manner: Prioritize tools that host data in Canada or that have Data Processing Agreements (DPAs) compliant with Law 25. Ask each vendor where data is hosted and how it is protected.
- Maintain a personal data processing register: Document what data you collect, for what purpose, how long you retain it, and who has access. This register is both a legal obligation and an internal management tool that simplifies responding to access or erasure requests.
FAQ — Law 25 and AI for Quebec SMEs
Does Law 25 apply to my SME?
Yes, any business that collects data from Quebec residents is subject to Law 25, regardless of its size. There is no exemption for SMEs or self-employed workers. The obligations scale in intensity with company size, but the fundamental principles apply to everyone.
What are the penalties for non-compliance?
Administrative fines of up to $10 million or 2% of worldwide revenue for a first offence, and up to $25 million or 4% of worldwide revenue for subsequent offences. Criminal penalties also exist for the most serious cases.
Can I use ChatGPT with client data?
OpenAI stores its data in the United States. The consumer version (free or Plus) is not recommended for processing personal data of Quebec clients. Enterprise versions with Data Processing Agreements (DPA) and enhanced privacy options exist — contact OpenAI directly for your specific situation.
Where should I start?
Designate a Privacy Officer (PO) and publish their contact information on your website, conduct an inventory of all personal data you collect, and update your privacy policy to accurately reflect your actual practices. These three actions cover the most fundamental obligations.
Is Your Digital Presence Compliant?
An audit of your website and digital tools identifies non-compliance areas before they become costly. We guide you through it, without legal jargon.