Quebec's Law 25: What B2B eCommerce Teams Need to Know

Quebec’s Law 25 — officially An Act to modernize legislative provisions as regards the protection of personal information — is now fully in force. The final phase took effect September 2024, and if you collect personal information from anyone in Quebec, it applies to you.

Not just B2C. Not just Quebec-based companies. Any business that collects, uses, or stores personal information of Quebec residents. That includes B2B eCommerce operators processing buyer accounts, trade credit applications, shipping addresses, purchase histories, and analytics cookies.

Most B2B teams we work with either haven’t heard of it or assume PIPEDA covers them. It doesn’t — not for Quebec. Here’s what you actually need to know.

What Law 25 Is

Law 25 (formerly Bill 64) is Quebec’s overhaul of its Act respecting the protection of personal information in the private sector, originally from 1994. It was adopted in September 2021 and rolled out in three phases:

  • Phase 1 (September 2022): Mandatory data breach reporting. Appointment of a privacy officer. New penalties framework.

  • Phase 2 (September 2023): Consent requirements. Privacy policies. Privacy impact assessments for certain projects.

  • Phase 3 (September 2024): Right to data portability. Right to de-indexation. Full enforcement of all provisions.

If you’ve been waiting for the “final deadline” — it passed. Every requirement is now active.

Why B2B eCommerce Teams Should Care

Here’s the misconception we encounter constantly: “We sell to businesses, not consumers, so privacy laws don’t apply.”

Wrong. Law 25 protects personal information, which means any data that can identify a natural person. In B2B, that includes:

  • Buyer names, email addresses, and phone numbers on trade accounts

  • Shipping and billing addresses tied to individuals

  • Credit application data (SINs, financial records)

  • Website analytics, cookies, and tracking pixels

  • Purchase histories tied to individual buyers (not just company accounts)

  • IP addresses and device identifiers

If a procurement manager in Laval creates an account on your Shopify Plus store and places orders — you’re collecting their personal information. Full stop.

Key Requirements

1. Privacy Governance Officer

Every organization must designate a person responsible for the protection of personal information. By default, it’s the CEO — but you can (and should) delegate. The officer’s name and contact details must be published on your website.

2. Consent Management

This is where most eCommerce businesses trip up. Law 25 requires:

  • Informed, specific consent before collecting personal information

  • Separate consent for each distinct purpose (you can’t bury marketing consent in a terms-of-service checkbox)

  • No bundled consent — collecting data for order fulfillment doesn’t automatically authorize you to use it for marketing

  • Consent must be freely given — tying access to your B2B portal to accepting marketing cookies is non-compliant

Cookie consent banners are no longer optional for Quebec visitors. And “by continuing to browse this site, you agree” is not valid consent under Law 25.

3. Privacy Policy

Your privacy policy must be written in clear, simple language and include: what personal information you collect, the purposes for collection, how long you retain data, how individuals can access, correct, or delete their information, whether data is transferred outside Quebec, and the name and contact info of your privacy officer.

4. Data Breach Reporting

If a confidentiality incident occurs (data breach, unauthorized access, loss of data), you must: assess the risk of serious injury to affected individuals, notify the Commission d’accès à l’information (CAI) if the risk is serious, notify affected individuals, and maintain a breach register (even for incidents that don’t trigger notification).

5. Right to Deletion and De-indexation

Individuals can request that you delete their personal information or stop disseminating it. If the data was collected when the person was a minor, this applies even more strictly.

6. Right to Data Portability

As of September 2024, individuals can request their personal information in a structured, commonly used technological format. This means you need a process — even a manual one — to export a buyer’s data on request.

How It Compares to GDPR

If you already comply with GDPR, you’re most of the way there — but not all the way. Key differences:

  • Scope: GDPR applies to EU/EEA residents. Law 25 applies to Quebec residents specifically, regardless of where your business is located.

  • Consent: Both require explicit consent, but Law 25 has stricter rules about implied consent for cookies — there’s effectively no “legitimate interest” equivalent for tracking technologies.

  • Penalties: GDPR allows up to 4% of global turnover or EUR 20M. Law 25 allows up to 4% of worldwide turnover or CAD $25 million — whichever is greater.

  • Private right of action: Law 25 allows individuals to sue for damages, with a minimum statutory damage of CAD $1,000 per violation when the breach is intentional or results from gross negligence.

The bottom line: if you sell to Quebec, Law 25 is your primary compliance obligation — not GDPR, not PIPEDA.

Practical Steps for eCommerce Teams

Step 1: Implement a Real Cookie Consent Banner

Not a notification bar — a functional consent management platform (CMP) that blocks tracking scripts until consent is given, provides granular choices, records consent for audit purposes, and allows users to withdraw consent easily. Tools like OneTrust, Cookiebot, or Termly integrate with Shopify Plus. The key is that scripts must actually be blocked before consent — not just hidden behind a banner while they fire anyway.

Step 2: Audit and Update Your Privacy Policy

Most B2B privacy policies are copied from templates and haven’t been touched since 2019. Review yours against Law 25’s requirements. Include specifics: name the third-party tools you use (GA4, Meta Pixel, HubSpot, etc.), disclose cross-border transfers, and state retention periods.

Step 3: Map Your Data

You need to know what personal information you collect, where it lives, and who has access. For a typical Shopify Plus B2B store, that means: Shopify customer records, ERP/CRM synced data, email marketing platforms, analytics tools, payment processors, and third-party apps installed on your store.

Step 4: Review Vendor Agreements

Law 25 requires that any third party processing personal information on your behalf has a written agreement covering data protection obligations. Review contracts with your SaaS vendors, agencies, and integration partners.

Step 5: Set Up a Breach Response Process

Don’t wait for a breach to figure out your process. Define who assesses the risk, who notifies the CAI, and who contacts affected individuals. Keep a breach register from day one.

Law 25 and Shopify Plus

Shopify has built-in tools that help, but they don’t make you compliant on their own:

  • Customer Privacy API: Shopify provides a JavaScript API to manage consent signals. Your theme should use this to conditionally load tracking scripts.

  • Customer data request/erasure: Shopify supports data subject requests via the admin — but you need to extend them to cover data in connected systems (ERP, CRM, email platform).

  • Cookie banner apps: Several Shopify apps handle consent (Pandectes, Consentmo, etc.). Make sure whichever you choose actually blocks scripts — not all of them do.
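A minimal consent-gated script loader that implements the "block until consent" behaviour from Step 1 and the conditional loading suggested in the Customer Privacy API bullet, as an added example that is not code from this post or from Shopify. It assumes two purposes (`analytics`, `marketing`), hypothetical tracker URLs, and that `setConsent` is called by your banner or fed from your CMP's or Shopify's consent signals (that wiring is not shown).

```javascript
// Added example: trackers are registered up front but only injected once the
// visitor has consented to that specific purpose; every decision is logged for audit.
const PURPOSES = ['analytics', 'marketing']; // assumed purposes for this store

// Default injector for a real page; tests pass a stub instead of touching the DOM.
function domScriptLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

function createConsentGate({ loadScript = domScriptLoader, now = () => new Date().toISOString() } = {}) {
  const consent = { analytics: false, marketing: false }; // denied until the visitor opts in
  const auditLog = [];      // [{ at, source, choices }] kept as the consent record
  const registry = [];      // trackers waiting for consent, each tied to one purpose
  const loaded = new Set(); // srcs already injected (withdrawal cannot unload them)

  function flush() {
    for (const { purpose, src } of registry) {
      if (consent[purpose] && !loaded.has(src)) {
        loaded.add(src);
        loadScript(src);
      }
    }
  }

  // Register a tracker under one purpose; it stays blocked until that purpose is consented.
  function register(purpose, src) {
    if (!PURPOSES.includes(purpose)) throw new Error('unknown purpose: ' + purpose);
    registry.push({ purpose, src });
    flush();
  }

  // Record a per-purpose decision (granular, never bundled) and load what is now allowed.
  function setConsent(choices, source = 'banner') {
    for (const purpose of PURPOSES) {
      if (purpose in choices) consent[purpose] = Boolean(choices[purpose]);
    }
    auditLog.push({ at: now(), source, choices: { ...consent } });
    flush();
  }

  // Withdrawal: nothing further loads; trackers already running need their own opt-out.
  function withdraw() {
    setConsent({ analytics: false, marketing: false }, 'withdraw');
  }

  return { register, setConsent, withdraw, state: () => ({ ...consent }),
           audit: () => auditLog.slice(), loadedScripts: () => [...loaded] };
}
```

Because `flush` only ever injects scripts whose purpose is currently consented, a tracker registered before the banner is answered never fires, which is the behaviour a CMP must guarantee.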

The gap we see most often: the Shopify store is compliant, but the data flowing to Klaviyo, HubSpot, or a custom ERP integration isn’t governed at all. Compliance doesn’t stop at your storefront.

Penalties Are Real

  • Administrative monetary penalties: Up to CAD $10 million or 2% of worldwide turnover

  • Penal fines (for organizations): CAD $15,000 to $25 million or 4% of worldwide turnover

  • Private lawsuits: Minimum CAD $1,000 in statutory damages per intentional or grossly negligent violation

For a mid-market B2B company doing $50M in revenue, 4% means a potential $2M fine. That’s not theoretical — it’s a risk your CFO needs to understand.

The Bottom Line

Law 25 is not going away, and “we’re B2B” is not a defense. If you have Quebec buyers — or Quebec-based employees, partners, or contacts — you’re in scope.

The good news: the practical steps aren’t overwhelming. A proper consent banner, an updated privacy policy, a data map, vendor agreements, and a breach response plan will get you to a defensible position.

The companies that treat this as a one-time checkbox will get caught off guard. The ones that build privacy into their data governance — the same way they build security into their infrastructure — will have a competitive advantage. Because when your Quebec buyer asks “how do you handle my data?” and you have a clear answer, that’s trust. And in B2B, trust closes deals.

Need help assessing your Shopify Plus store’s privacy compliance? Get in touch — we audit B2B eCommerce setups for Law 25 readiness.