Skip to content

Law 25 and Real Estate: A Practical Guide for Complete Compliance in Quebec

News Technology
May 23, 2024

In 2021, Quebec adopted Law 25 to modernize and strengthen the Personal Information Protection and Electronic Documents Act (PIPEDA). Effective since September 22, 2023, this legislation aligns Quebec’s data protection standards with international norms. Law 25 imposes strict obligations on businesses, strengthens individual rights, and introduces rigorous security measures. Here’s an overview of the main provisions and practical examples of their application in the real estate sector. Here are the key provisions and practical examples of their application in the real estate sector:

Key Measures of Law 25

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies nationally, setting standards for the collection, use, and disclosure of personal information in the private sector. Additionally, some provinces have their own laws that provide additional protection. Quebec has notably strengthened its legislation with the adoption of Law 25, aiming to align its data protection standards with international standards.

1. Explicit Consent

Businesses must obtain clear, informed consent from individuals before collecting, using, or disclosing personal information. This consent must be free and well-explained, ensuring individuals understand why and how their data will be used.

Example: A real estate developer wishing to send promotional offers via email must ask potential clients to check an unchecked box to agree to receive these communications. This checkbox must be accompanied by clear text explaining that their email address will be used solely for sending these offers and not for other purposes.

2. Transparency and Information

Businesses must inform individuals clearly and concisely about the purposes of data collection, collection methods, individuals’ rights, and protection measures. This information should be easily accessible, such as via a privacy policy on the company’s website.

Example: A company’s website must have a page detailing its privacy policy, explaining what personal data is collected (e.g., name, email, purchase preferences), why it is collected (e.g., to offer personalized services), how it will be used, and the users’ rights (e.g., access, rectification, deletion).

3. Accountability and Designation of a Data Protection Officer (DPO)

Businesses must appoint a DPO to oversee compliance with Law 25 and manage security incidents. The DPO should be easily reachable by individuals with questions or those wishing to exercise their rights.

Example: The company must appoint a DPO whose contact details (name, email, phone number) are published on the company’s website. The DPO is responsible for implementing data protection policies, training employees on data security practices, and responding to customer inquiries regarding their personal information.

4. Individuals’ Rights

Individuals have the right to access, rectify, delete, and, in some cases, transfer their personal data to another provider (data portability). Businesses must respect these rights effectively and promptly.

Example: If a client requests to exercise their right to be forgotten, the company must delete all personal information related to that client unless there are legitimate reasons (e.g., legal obligations) to retain it. The company must also confirm in writing that the data has been deleted.

5. Security Breach Notification

Businesses must promptly notify the Commission d’accès à l’information (CAI) and affected individuals in case of a security breach involving personal information that poses a risk of serious harm. The notification must include details about the nature of the breach, the affected data, and measures taken to remedy the situation.

Example: If a real estate developer detects a security breach compromising personal information such as email addresses and phone numbers of potential clients, they must immediately notify the CAI and inform the affected clients. The notification should detail the breach, the types of data affected, measures taken to secure systems, and advice for clients on how to protect themselves (e.g., monitoring accounts for suspicious activity).

6. Personal Information Protection and Security

Businesses must implement adequate security measures to protect personal information from unauthorized access, loss, theft, and any other form of illegal processing. These measures can include data encryption, strict access controls, regular audits, and incident management policies.

Example: A real estate developer implements several security measures to protect clients’ personal information, including data encryption, strong passwords, multifactor authentication, regular audits to detect vulnerabilities, and strict incident management policies to respond quickly to data breaches.

7. Transparency Obligation

Businesses must publish policies and practices for managing personal information accessible to the public. These documents must clearly explain how data is collected, used, shared, and protected, and how individuals can exercise their rights.

Example: A real estate agency publishes a detailed privacy policy on its website describing its data management practices, the types of data collected, the purposes of collection, the security measures in place, and users’ rights. The policy includes clear instructions on how users can exercise their rights.

Sanctions and Penalties

What are the risks of non-compliance with this regulation?

Substantial Fines

Businesses can be fined up to several million dollars for non-compliance.

Legal Actions

Lawsuits from individuals or groups affected.

Operational Impact

Sanctions can disrupt operations and lead to high compliance costs.

Application of Law 25 Internationally

Law 25 primarily applies to businesses operating in Quebec and handling the personal information of Quebec residents. Here’s how it applies based on the company’s location and the clients:

Businesses in Quebec

Any business located in Quebec: Law 25 applies to all businesses based in Quebec, regardless of their international partners. They must comply with the law to protect the personal data of Quebec residents.

Commerce with Businesses Outside Quebec

Quebec businesses dealing with clients outside Quebec: Quebec businesses must ensure that the data of Quebec residents is protected even when transferred to partners outside Quebec.

Businesses Outside Quebec

Businesses outside Quebec handling data of Quebec residents: If a business outside Quebec collects or uses data of Quebec residents, it must comply with the requirements of Law 25.

In summary, Law 25 applies to businesses in Quebec and any business, wherever it is, that handles the personal data of Quebec residents. Adequate protections must be in place to ensure compliance with the law.

Data Protection Laws in Other Canadian Provinces

These provincial legislations, in addition to PIPEDA, form a comprehensive framework for protecting personal data in Canada. Each province adapts its laws to meet the specific needs of its residents while ensuring high and uniform protection of personal information across the country.


Personal Information Protection Act (PIPA)

In Alberta, PIPA governs the collection, use, and disclosure of personal information by private sector organizations. Adopted in 2004, this law imposes strict rules to ensure that personal data is protected and that individuals have control over their information. Businesses must obtain individuals’ consent and implement adequate security measures to protect the data.

British Columbia

Personal Information Protection Act (PIPA)

British Columbia also has its own PIPA, similar to Alberta’s. This law, enacted in 2004, aims to protect the personal information of residents by imposing obligations on private sector organizations. Businesses must inform individuals about data collection, obtain their consent, and ensure the security and confidentiality of personal information.


Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Health Information Protection Act (PHIPA)

While Ontario does not have a PIPEDA-equivalent law for the private sector, it has specific laws for the public sector and health care. FIPPA governs access to information and privacy protection in the public sector, while PHIPA establishes strict rules for managing personal health information, ensuring that individuals’ health data is protected and used responsibly.

Ensure Compliance with Onyx Technologies

Integrating a robust CRM solution is crucial for real estate businesses to comply with Law 25 and protect client data. Our CRM, developed by Onyx Technologies and based on Salesforce, is tailored for the real estate sector and ensures compliance with strict data protection regulations.

Featuring marketing automation, electronic signatures, and access management, we help real estate agencies and developers manage consent, maintain transparency, and secure personal information effectively. Leverage our expertise to ensure compliance and enhance operations.

For more information, schedule a demo of our platform.

Author: Louise Vaissaire