Law 25: Transforming Data Protection in Quebec
Law 25 (Act to modernize legislative provisions as regards the protection of personal information) represents the most significant reform of personal information protection in Quebec since the adoption of the Act respecting the protection of personal information in the private sector (LPRPSP) in 1994. Coming into force progressively between September 2022 and September 2024, this law imposes a strict and modernized framework for the collection, use, retention, communication and destruction of personal information by private sector businesses. For mortgage brokers and their firms, who handle some of the most sensitive financial data on a daily basis, this law has profound and concrete implications for their professional practices.
Key Obligations Imposed on Mortgage Brokers
- Appoint a privacy officer: Each brokerage firm must designate a person responsible for the protection of personal information (RPRP). By default, this is the person with the highest authority within the firm. The RPRP's contact information must be published on the firm's website and communicated to the Commission d'acces a l'information.
- Obtain clear and informed consent: Before collecting personal information, the broker must obtain consent that is clear, free, informed and given for specific purposes. The client must know precisely what data is collected, why, how it will be used, with whom it will be shared and how long it will be retained.
- Publish an accessible privacy policy: The firm must publish a privacy policy written in simple and clear terms, describing personal information management practices. This policy must be easily accessible on the website and presented to clients.
- Maintain a confidentiality incident register: The firm must document every confidentiality incident in a dedicated register. Incidents presenting a serious risk of harm must be reported to the Commission d'acces a l'information and to affected individuals promptly.
- Conduct privacy impact assessments: Before any project involving the collection, use or communication of personal information (new software, new process, partnership), the firm must conduct a PIA to identify and mitigate privacy risks.
Strengthened Client Rights Over Their Data
Law 25 considerably strengthens clients' rights over their personal data. The right of access allows the client to consult all personal information held by the broker or firm. The right of correction allows inaccurate, incomplete or equivocal information to be corrected. The right to deletion, also called the right to be forgotten, allows the client to request the destruction of their information when the collection is no longer necessary for the purposes for which it was collected. The right to portability allows the client to request the transfer of their data in a structured and commonly used technological format, facilitating for example a broker change. The broker must respond to these requests within 30 days.
Penalties and Consequences of Non-Compliance
The penalties provided by Law 25 are significant and aim to ensure rigorous compliance. Administrative monetary penalties can reach 10 million dollars or 2 percent of worldwide turnover for businesses. Criminal sanctions, for the most serious offences, can reach 25 million dollars or 4 percent of worldwide turnover. Fines from 5,000 to 100,000 dollars may be imposed on individuals. The Commission d'acces a l'information du Quebec (CAI) is the enforcement body. Beyond financial penalties, non-compliance can result in major reputational damage to the firm and loss of client trust.
Practical Compliance for the Broker
Compliance with Law 25 requires a systematic and ongoing approach. The broker and their firm should conduct a complete inventory of personal information collected and held, review and update consent forms, draft or update the privacy policy, train all staff on new obligations, implement adequate security measures to protect data, establish a confidentiality incident management process and create procedures for responding to client access, correction, deletion and portability requests. This compliance is not a one-time exercise but a continuous process of improvement and vigilance.
Law 25's transformative impact on Quebec's data protection landscape cannot be overstated, particularly for financial services professionals like mortgage brokers who handle some of the most sensitive personal information in the economy. The law's comprehensive approach, combining enhanced consent requirements, strengthened individual rights, mandatory incident reporting and substantial penalties, creates a regulatory environment that demands proactive, systematic compliance efforts from every brokerage firm. Mortgage brokers who embrace these requirements as an opportunity to strengthen client relationships and differentiate their practice through demonstrated commitment to data protection will be better positioned for long-term success in an increasingly privacy-conscious marketplace.
The implementation of Loi 25 has fundamentally transformed how mortgage brokerages in Quebec approach data governance. Beyond the immédiate compliance requirements, the law has catalyzed a broader cultural shift within the industry toward treating personal information as a strategic asset that must be managed with the same rigor and accountability as financial assets. Organizations that embrace this perspective are finding that strong privacy practices enhance client trust, improve data quality, and ultimately support better business outcomes.
For mortgage brokers, the practical impact of Loi 25 extends to every stage of the client relationship, from initial prospecting and data collection through to file retention and eventual destruction. The requirement to conduct privacy impact assessments for new systems or processes that involve personal information means that technology adoption decisions must now include a privacy analysis alongside traditional cost-benefit évaluations. This integrated approach ensures that privacy considerations are embedded in business processes from the outset rather than being addressed as an afterthought.