What Bill 25 Is — and Why It Matters to English-Speaking SMBs
Bill 25 modernizes Quebec's private-sector privacy regime. It is enforced by the Commission d'accès à l'information du Québec (CAI) and applies to virtually every private-sector enterprise operating in the province. There is no carve-out for small businesses, and there is no carve-out based on the language you serve customers in.
What the Law Actually Covers
Bill 25 governs how you collect, store, use, share and dispose of personal information about identifiable individuals — your customers, prospects, employees, suppliers and anyone else whose data passes through your business. "Personal information" includes obvious items like names, phone numbers and email addresses, and less obvious items like voice recordings, call transcripts, IP addresses, location data and behavioural profiles.
If any of that data is collected, stored or processed in Quebec, or about a person located in Quebec, Bill 25 applies — even if your head office is in Toronto, Calgary or New York.
Why Operating in English Doesn't Exempt You
A common misconception among English-speaking SMB owners in Montreal, the West Island, Lennoxville, Hull, Aylmer and the Eastern Townships is that Quebec's privacy law is "a French thing" or only enforced against French-language businesses. That is not the case. The CAI investigates complaints in both languages, and its enforcement powers (including administrative monetary penalties of up to $10 million or 2% of worldwide turnover for serious breaches) apply uniformly.
If you take a single phone call from a customer in Quebec, you collect personal information subject to Bill 25.
Bill 25 vs. PIPEDA: Why Federal Compliance Isn't Enough
Many English-Canadian businesses assume that if they comply with PIPEDA (the federal Personal Information Protection and Electronic Documents Act), they are also compliant in Quebec. That is no longer true. Since September 2023, Bill 25 imposes obligations that go beyond PIPEDA — including the appointment of a designated privacy officer, mandatory privacy impact assessments for certain projects, expanded breach-notification rules, the right to data portability, and stricter consent requirements. Operating only on PIPEDA in Quebec creates real legal exposure.
Who Must Comply — and What "Carrying On an Enterprise" Means
Bill 25 applies to every "enterprise" within the meaning of the Civil Code of Québec that collects, holds, uses or communicates personal information. There is no employee count, revenue floor or industry exemption. A solo consultant in Westmount, a 5-person clinic in Pointe-Claire, a bilingual law firm in downtown Montreal and a 40-person manufacturer in Sherbrooke are all subject to the same baseline obligations.
Out-of-Province Businesses Serving Quebec Customers
If you are headquartered in Ontario, Alberta or the United States but you take calls from, ship to or contract with people in Quebec, Bill 25 applies to the personal information of those Quebec residents. The CAI has been clear: territoriality is determined by where the data subject is located and where the activity takes place, not by where your servers or head office sit.
What Triggers the Strictest Rules
Some Bill 25 obligations only kick in above certain thresholds — for example, the requirement to publish detailed governance policies and conduct privacy impact assessments (PIAs) for projects involving personal information. But the core obligations — designating a privacy officer, obtaining valid consent, securing the data, notifying breaches, and honouring access and correction requests — apply to everyone, regardless of size.
The Core Obligations Every English-Speaking SMB Must Meet
Below are the seven obligations that matter most for an English-speaking SMB running a phone line, a CRM and a website. This is the minimum baseline — sector-specific rules (healthcare, legal, financial) layer additional requirements on top.
1. Designate a Privacy Officer
Every enterprise must designate a person responsible for the protection of personal information. By default, this is the most senior decision-maker (the owner, president or CEO), but the role can be delegated in writing to another employee or to an external consultant. The privacy officer's name and contact information must be published on your website.
2. Obtain Valid, Informed Consent
Consent must be "clear, free, informed and given for specific purposes." Bundled, vague or pre-checked consents are not valid. When you collect personal information, you must tell the person — at or before collection — the purposes, the categories of third parties who will receive the data, the data subject's rights and the name of your privacy officer.
For sensitive information (health, biometric data, financial data, sexual orientation, etc.), explicit and granular consent is required.
3. Collect Only What You Need — and Delete It on Schedule
Bill 25 enshrines the principles of data minimization and limited retention. You can only collect personal information that is necessary for the purposes you have disclosed, and you must destroy or anonymize it once those purposes are fulfilled. "We might need it someday" is not a lawful retention basis. You must publish your retention schedule.
4. Honour Access, Rectification and Deletion Requests
Quebec residents have a statutory right to request access to the personal information you hold about them, to have it corrected if it is inaccurate, and (in many cases) to have it deleted. You must respond within 30 days and provide the information in a structured, commonly used technological format. Bill 25 also introduces a limited right to data portability for computerized personal information.
5. Notify Breaches Without Delay
If a confidentiality incident (a breach) occurs and presents a risk of serious injury, you must notify the CAI and the affected individuals "with diligence" — in practice, this means within days, not weeks. You must also keep an internal register of all confidentiality incidents, even minor ones that do not trigger external notification.
6. Assess and Document Cross-Border Transfers
Before transferring personal information outside Quebec — including to a US-based cloud provider, a CRM hosted in Ireland or an analytics tool running on AWS in Virginia — you must conduct a privacy impact assessment to confirm that the destination jurisdiction offers adequate protection. The assessment must be documented and kept on file. This single requirement catches the largest number of SMBs off guard.
7. Disclose Automated Decisions and Profiling
If a decision about a person is rendered exclusively by automated processing of their personal information, you must inform the person at or before the decision is made and, on request, explain the personal information used, the reasons and the principal factors that led to the decision. The person also has the right to submit observations to a human reviewer.
What Changes When You Deploy an AI Voice Agent on Your Phone Line
An AI voice agent is, from a Bill 25 perspective, a system that collects personal information (the caller's voice, name, phone number, reason for calling, sometimes appointment or financial data) and processes it on your behalf. That means every Bill 25 obligation applies to your AI voice deployment — and a few specific ones become especially important.
Consent to Recording and Transcription
If your AI voice agent records or transcribes calls (most do, for quality and training purposes), the caller must be informed at the start of the call and have a meaningful opportunity to decline. "This call may be recorded for quality purposes" is the legacy formulation; under Bill 25, you should also disclose the purpose of the recording, how long it will be retained, and who will have access.
Agent IA Vocal plays a configurable, bilingual disclosure at the start of every call and lets the caller opt out of recording while still completing their request.
Voiceprints and Biometric Data
If your AI voice agent uses voiceprint authentication (matching a caller's voice to a stored biometric template to authenticate them), you are processing biometric data — which Bill 25 treats as sensitive personal information requiring explicit, granular consent and a higher security standard. Most SMBs do not need voiceprint authentication; if you do, document the legal basis and conduct a PIA before turning it on.
Data Residency and Cross-Border Transfers
Many off-the-shelf AI voice products route audio through US-based speech-to-text APIs and store transcripts in US data centres. Each of those flows is a cross-border transfer that must be assessed and documented under Bill 25. The simplest way to reduce your exposure is to choose a provider that hosts call audio, transcripts and metadata on Canadian infrastructure — which is what Agent IA Vocal does by default.
Fully Automated Call Handling and the Right to a Human
If your AI voice agent makes a decision that affects the caller (for example, refusing to schedule an appointment, classifying the caller as low-priority, or declining to transfer to a person), Bill 25's automated-decision rules apply. Best practice: always offer a clear path to a human ("press 0 or say 'agent' to reach a person"), document your script, and keep an audit log of decisions the AI took on your behalf.
Your Voice-Agent Provider Is a Processor — Get the Paperwork Right
Under Bill 25, when you outsource any handling of personal information to a third party (your voice-agent provider, your CRM, your transcription vendor), you must enter into a written agreement that specifies the purposes, the categories of data, the security measures, the retention period and the obligation to return or destroy the data at the end of the engagement. Ask your provider for a Bill 25-aligned data processing agreement (DPA). Agent IA Vocal provides one as part of every paid plan.
Practical Bill 25 Checklist for an English-Speaking SMB
Use this checklist as a working starting point. It does not constitute legal advice — for sector-specific obligations (healthcare, legal, financial), consult your professional order or a privacy lawyer.
Governance and Documentation
□ Designate a privacy officer in writing and publish the contact information on your website.
□ Publish a plain-language privacy policy in both English and French covering purposes of collection, third parties, retention, rights and the privacy officer's contact.
□ Maintain an internal register of confidentiality incidents.
□ Keep written data processing agreements with every supplier that touches personal information (voice agent, CRM, email provider, payroll, etc.).
Consent and Data-Subject Rights
□ Review every form, signup flow and call disclosure to confirm consent is clear, granular and informed.
□ Document your process for handling access, rectification, deletion and portability requests within 30 days.
□ Set up a dedicated email or web form (e.g. privacy@yourcompany.ca) for privacy requests.
Data Handling and Security
□ Document a retention schedule for every category of personal information (call recordings, transcripts, CRM contacts, leads, employee files).
□ Encrypt personal information in transit (TLS 1.2 or higher) and at rest.
□ Limit access on a need-to-know basis with named user accounts and audit logs.
□ Train all employees who handle personal information at least once a year.
Cross-Border Transfers and Vendor Reviews
□ List every third-party tool that processes personal information and identify where the data is hosted.
□ Conduct and document a privacy impact assessment for every cross-border transfer.
□ Where possible, choose Canadian-hosted alternatives — particularly for voice and call data, which is sensitive by nature.
How Agent IA Vocal Helps English-Speaking SMBs Stay Compliant
Agent IA Vocal is built and operated in Quebec, and Bill 25 compliance is part of the product — not a checkbox we ask customers to handle on their own.
Canadian Hosting by Default
Call audio, transcripts and metadata are stored on infrastructure located in Canada. We do not route call audio through US-based speech-to-text providers unless a customer explicitly opts in and we have completed a documented privacy impact assessment together.
Bilingual Recording Disclosure and Opt-Out
Every Agent IA Vocal deployment includes a configurable opening disclosure that informs the caller — in their language — that the call may be recorded and transcribed for quality and training purposes, and offers a meaningful opt-out. The opt-out is honoured at the system level: no audio or transcript is retained for that call.
Customer-Controlled Retention
You define how long call recordings and transcripts are retained — from days to years — and the system deletes them automatically when the period elapses. You can also delete any specific call from your dashboard at any time, on request from a caller exercising their Bill 25 rights.
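As an added illustration of the retention, opt-out and deletion-request behaviour described in the checklist and above (example code written for this page, not Agent IA Vocal's implementation): a small Python purge routine that applies a per-category retention schedule, treats a caller's recording opt-out as zero retention for that call's audio and transcript, honours a deletion request, fails closed on any category with no documented period, and writes an audit entry for every destruction. The retention periods and record inventory are constructed placeholders, not a vetted schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed schedule: categories are those in the checklist; the day counts are placeholders.
RETENTION_DAYS = {"call_recording": 90, "transcript": 365, "crm_contact": 3 * 365,
                  "lead": 180, "employee_file": 7 * 365}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    recording_opt_out: bool = False   # caller declined recording on this call
    deletion_requested: bool = False  # data subject asked for deletion

def destruction_reason(rec, today):
    """Return why the record must be destroyed today, or None to keep it."""
    if rec.deletion_requested:
        return "deletion_request"
    if rec.recording_opt_out and rec.category in ("call_recording", "transcript"):
        return "recording_opt_out"  # opt-out means nothing from that call is retained
    if rec.category not in RETENTION_DAYS:
        # Fail closed: a category with no documented period is a policy gap.
        raise ValueError(f"no retention period documented for {rec.category!r}")
    if today >= rec.created + timedelta(days=RETENTION_DAYS[rec.category]):
        return "retention_expired"
    return None

def purge(records, today):
    """Return (records to keep, one audit entry per destroyed record)."""
    kept, audit = [], []
    for rec in records:
        reason = destruction_reason(rec, today)
        if reason is None:
            kept.append(rec)
        else:
            audit.append({"record_id": rec.record_id, "category": rec.category,
                          "reason": reason, "destroyed_on": today.isoformat()})
    return kept, audit

# Constructed sample inventory; dates chosen so a run on 2024-06-30 exercises every path.
SAMPLE_RECORDS = [
    Record("rec-001", "call_recording", date(2024, 1, 1)),
    Record("rec-002", "call_recording", date(2024, 6, 1)),
    Record("rec-003", "transcript", date(2024, 6, 1), recording_opt_out=True),
    Record("rec-004", "crm_contact", date(2022, 1, 1), deletion_requested=True),
    Record("rec-005", "lead", date(2024, 3, 1)),
]
def run_sample(today_iso="2024-06-30"):
    kept, audit = purge(SAMPLE_RECORDS, date.fromisoformat(today_iso))
    return [r.record_id for r in kept], {a["record_id"]: a["reason"] for a in audit}
```

The audit entries are what an access request or a CAI inquiry would be answered from, so a real deployment would persist them to the same tamper-evident log as the configuration changes.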
Bill 25-Aligned Data Processing Agreement
Every paid plan includes a written data processing agreement that meets Bill 25's requirements for outsourcing — categories of data, purposes, security measures, retention, sub-processors, breach notification and end-of-engagement destruction.
Audit Logs and Access Controls
Every recording, transcript and configuration change is logged with a timestamp and a user identifier. Access to personal information is role-based and reviewable from your dashboard, which makes responding to access requests and demonstrating compliance straightforward.
Cost Comparison
| Requirement | PIPEDA (Federal) | Bill 25 (Quebec) |
|---|---|---|
| Designated privacy officer | Required | Required + name must be published |
| Consent standard | Knowledge and consent | Clear, free, informed, granular |
| Sensitive data (health, biometrics) | Heightened expectation | Explicit, granular consent + PIA |
| Privacy impact assessments | Recommended | Mandatory for certain projects and all cross-border transfers |
| Right to deletion | Limited | Broad right ("right to be forgotten") |
| Right to data portability | Not required | Required for computerized personal information |
| Breach notification | Required for real risk of significant harm | Required "with diligence" + internal register of all incidents |
| Automated decisions | No specific rule | Disclosure + right to human review |
| Maximum monetary penalty | Up to $100,000 per offence | Up to $10M or 2% of worldwide turnover |
| Enforced by | Office of the Privacy Commissioner of Canada | Commission d'accès à l'information du Québec (CAI) |