If you run a business in Quebec and you use AI, Law 25 applies to you. It does not matter how small you are: Quebec's modernized privacy law covers any organization that collects or uses the personal information of Quebec residents, regardless of size or revenue.

AI makes this more urgent. The moment you paste a customer email, a contract, or a list of names into an AI tool, personal information is in play. Here is a plain-language guide to what Law 25 expects, and how to keep using AI without crossing a line.

This is general information, not legal advice. For your specific situation, talk to a privacy professional.

What Law 25 is

Law 25 (formerly Bill 64) modernized Quebec's Act respecting the protection of personal information in the private sector. It rolled out in three phases: breach reporting and a designated person in charge of personal information in September 2022; consent rules, privacy impact assessments, and transparency requirements in September 2023; and the right to data portability in September 2024. All of it is now in force, enforced by the Commission d'accès à l'information (CAI).

Why AI raises the stakes

Law 25 has a provision written for exactly this moment. When a decision about someone is based exclusively on automated processing (an AI deciding with no human in the loop), you must inform the person. They have the right to know the personal information used and the reasons behind the decision, and the right to submit observations. If an AI system approves, ranks, or rejects customers on its own, this applies to you.

More broadly, feeding personal information into any AI tool is a use of that information, so the usual rules follow it: a valid purpose, consent where required, and care about where the data goes.

What counts, and when Law 25 kicks in

"Personal information" is broader than people expect: a name with an email, a phone number, a customer's purchase history, a photo, an IP address tied to a person. The moment any of that goes into an AI tool, you are processing personal information under the law.

Three everyday AI uses that trigger obligations:

AI use | What Law 25 expects
Answering customer emails with AI | A valid purpose and transparency that AI is involved
Screening or ranking job applicants | Inform the person if the decision is automated; let them ask what was used and why
Sending data to a provider outside Quebec | A privacy impact assessment of the transfer before it happens

The common thread: AI gets no pass. The rules that apply when a person handles the data apply when a model does.

What you actually need to do

For a small business using AI, the practical checklist is short:

  • Appoint someone responsible. By default this is your highest-ranking person, but you can designate someone else. Publish their title and contact.
  • Know what you send to AI. Keep personal information in prompts and documents to the minimum the task needs.
  • Check where the data goes. Before sending personal information outside Quebec, Law 25 expects a privacy impact assessment. Know which provider processes your data and where.
  • Be transparent. Say in your privacy policy that you use AI, for what, and whether any decisions are automated.
  • Have a breach plan. If personal information is exposed and there is a risk of serious injury, you must notify the CAI and the people affected.
  • Get consent for sensitive uses, and let people withdraw it.

The penalties are not symbolic: administrative monetary penalties up to $10 million or 2% of worldwide turnover, and penal fines up to $25 million or 4%, whichever is greater.

How the right platform helps

A lot of compliance comes down to control and knowing where your data is. With Crewdle:

  • Your conversations and content are never used to train AI models (see Security and privacy), so your customers' data is not absorbed into someone else's model.
  • Role-based access in Crewdle Admin lets you decide who can use which tools and models, so personal information does not flow through AI uncontrolled.
  • One platform means one place to reason about where data goes, instead of a dozen separate AI subscriptions you cannot account for.

None of this makes you compliant on its own, but it removes the parts that make AI risky: untracked data, models trained on your information, and no control over who uses what.

The takeaway

Law 25 is not a reason to avoid AI. It is a reason to use it deliberately: know what you send, control who uses it, be honest about automated decisions, and pick tools that keep your data yours. Do that, and you get the upside of AI without the exposure.

Start for free and see how Crewdle keeps your data under your control.