Law 25 (Quebec)

Rights · 4 min read · February 11, 2026

Law 25 (Act to modernize legislative provisions as regards the protection of personal information) came into force progressively in Quebec between September 2022 and September 2024, profoundly modernizing the Act respecting the protection of personal information in the private sector (LPRPSP). It imposes significant and far-reaching obligations on mortgage brokers and their firms regarding the management of personal data throughout its lifecycle. Law 25 requires the appointment of a designated privacy officer within each organization, obtaining clear, free and informed consent before any collection of personal data, maintaining a comprehensive register of all confidentiality incidents, conducting privacy impact assessments (PIAs) for projects involving personal information and implementing formal data governance policies. Mortgage brokers collect particularly sensitive data including detailed income information, bank statements, tax returns, credit reports and debt information. They must rigorously comply with these new requirements to protect their clients and their practice. Penalties for non-compliance are substantial, reaching up to twenty-five million dollars or four percent of worldwide turnover for the most serious violations, enforced by the Commission d'acces a l'information du Quebec.

Law 25: Transforming Data Protection in Quebec

Law 25 (Act to modernize legislative provisions as regards the protection of personal information) represents the most significant reform of personal information protection in Quebec since the adoption of the Act respecting the protection of personal information in the private sector (LPRPSP) in 1994. Coming into force progressively between September 2022 and September 2024, this law imposes a strict and modernized framework for the collection, use, retention, communication and destruction of personal information by private sector businesses. For mortgage brokers and their firms, who handle some of the most sensitive financial data on a daily basis, this law has profound and concrete implications for their professional practices.

Key Obligations Imposed on Mortgage Brokers

  1. Appoint a privacy officer: Each brokerage firm must designate a person responsible for the protection of personal information (RPRP). By default, this is the person with the highest authority within the firm. The RPRP's contact information must be published on the firm's website and communicated to the Commission d'acces a l'information.
  2. Obtain clear and informed consent: Before collecting personal information, the broker must obtain consent that is clear, free, informed and given for specific purposes. The client must know precisely what data is collected, why, how it will be used, with whom it will be shared and how long it will be retained.
  3. Publish an accessible privacy policy: The firm must publish a privacy policy written in simple and clear terms, describing personal information management practices. This policy must be easily accessible on the website and presented to clients.
  4. Maintain a confidentiality incident register: The firm must document every confidentiality incident in a dedicated register. Incidents presenting a serious risk of harm must be reported to the Commission d'acces a l'information and to affected individuals promptly.
  5. Conduct privacy impact assessments: Before any project involving the collection, use or communication of personal information (new software, new process, partnership), the firm must conduct a PIA to identify and mitigate privacy risks.

Strengthened Client Rights Over Their Data

Law 25 considerably strengthens clients' rights over their personal data. The right of access allows the client to consult all personal information held by the broker or firm. The right of correction allows inaccurate, incomplete or equivocal information to be corrected. The right to deletion, also called the right to be forgotten, allows the client to request the destruction of their information when the collection is no longer necessary for the purposes for which it was collected. The right to portability allows the client to request the transfer of their data in a structured and commonly used technological format, which facilitates, for example, a change of broker. The broker must respond to these requests within 30 days.

Penalties and Consequences of Non-Compliance

The penalties provided by Law 25 are significant and aim to ensure rigorous compliance. Administrative monetary penalties can reach 10 million dollars or 2 percent of worldwide turnover for businesses. Criminal sanctions, for the most serious offences, can reach 25 million dollars or 4 percent of worldwide turnover. Fines from 5,000 to 100,000 dollars may be imposed on individuals. The Commission d'acces a l'information du Quebec (CAI) is the enforcement body. Beyond financial penalties, non-compliance can result in major reputational damage to the firm and loss of client trust.

Practical Compliance for the Broker

Compliance with Law 25 requires a systematic and ongoing approach. The broker and their firm should conduct a complete inventory of personal information collected and held, review and update consent forms, draft or update the privacy policy, train all staff on new obligations, implement adequate security measures to protect data, establish a confidentiality incident management process and create procedures for responding to client access, correction, deletion and portability requests. This compliance is not a one-time exercise but a continuous process of improvement and vigilance.

Law 25's transformative impact on Quebec's data protection landscape cannot be overstated, particularly for financial services professionals like mortgage brokers who handle some of the most sensitive personal information in the economy. The law's comprehensive approach, combining enhanced consent requirements, strengthened individual rights, mandatory incident reporting and substantial penalties, creates a regulatory environment that demands proactive, systematic compliance efforts from every brokerage firm. Mortgage brokers who embrace these requirements as an opportunity to strengthen client relationships and differentiate their practice through demonstrated commitment to data protection will be better positioned for long-term success in an increasingly privacy-conscious marketplace.

The implementation of Law 25 has fundamentally transformed how mortgage brokerages in Quebec approach data governance. Beyond the immediate compliance requirements, the law has catalyzed a broader cultural shift within the industry toward treating personal information as a strategic asset that must be managed with the same rigor and accountability as financial assets. Organizations that embrace this perspective are finding that strong privacy practices enhance client trust, improve data quality, and ultimately support better business outcomes.

For mortgage brokers, the practical impact of Law 25 extends to every stage of the client relationship, from initial prospecting and data collection through to file retention and eventual destruction. The requirement to conduct privacy impact assessments for new systems or processes that involve personal information means that technology adoption decisions must now include a privacy analysis alongside traditional cost-benefit evaluations. This integrated approach ensures that privacy considerations are embedded in business processes from the outset rather than being addressed as an afterthought.

Frequently Asked Questions

What is Law 25?
Law 25 is a Quebec law that modernizes the framework for the protection of personal information in the private sector. Coming into force progressively from 2022 to 2024, it imposes new obligations on businesses, including mortgage brokerage firms, regarding consent, transparency, data security and incident management.

What obligations does Law 25 impose on mortgage brokers?
Brokers must appoint a privacy officer, obtain explicit consent for data collection, inform clients about the use of their data, maintain a confidentiality incident register, notify the Commission d'acces a l'information in case of serious incidents and implement governance policies.

What is a confidentiality incident?
A confidentiality incident is any unauthorized access, use or communication of personal information, or any loss of such information. For example, a computer breach, an email sent to the wrong recipient or the loss of a client file would constitute incidents that must be recorded and, if the risk is serious, reported to the Commission d'acces a l'information.

What are the penalties for non-compliance with Law 25?
Penalties can reach $25 million or 4% of worldwide turnover for businesses. Criminal sanctions are also possible, including fines from $5,000 to $100,000 for individuals. The Commission d'acces a l'information du Quebec is the enforcement body.

Educational information only. This does not constitute financial advice under the Act Respecting the Distribution of Financial Products and Services (LDPSF). Consult an AMF-certified mortgage broker before making any financial decision.
