Quebec Law 25 for BPOs: What Changed, What to Do

Quebec's privacy regime is now the strictest in North America. If you employ Quebec agents or serve Quebec consumers (and most Canadian BPOs do both), there are eight things to get right.

Serge Belov

Founder, FrontLine · Published May 18, 2026

Quebec's Loi 25 (Law 25) finished its three-year rollout in September 2024 and is now the strictest privacy regime in North America, stricter in several specifics than PIPEDA federally and arguably than GDPR. If you're a Canadian BPO (Business Process Outsourcing: a firm that runs contact-centre operations on behalf of other brands), you either employ Quebec residents, serve Quebec consumers on behalf of your clients, or both. Most do both, and most are not fully compliant.

This is the operator's read, not legal advice, on what changed, what an audit will actually look at, and the eight controls to have in place.

What Law 25 actually changes

There are eight clauses that matter most for BPO operators. None of them are exotic; most reflect what a careful operator was probably doing already. The shift is that they're now legally enforceable, with real penalties.

1. Privacy officer designation. Every organisation handling personal information of Quebec residents must designate a person in charge of the protection of personal information. The role can be held by an existing executive (it usually is, often the COO or General Counsel), but the designation has to be explicit, published on the organisation's website, and the named person has to actually be reachable. The CAI checks this on the website during routine audits.

2. Privacy Impact Assessments. Before deploying any new information system, software, or process that handles personal information, an organisation must complete a PIA. For BPOs the trigger lands often: a new client onboarding, a new WFM (Workforce Management: forecasting, scheduling, and adherence) rollout, an LMS swap, a new QA (Quality Assurance: the program that scores and reviews agent interactions) tool, any AI feature that touches agent or consumer data. The PIA must be in writing, must consider whether the processing is necessary, what the privacy risks are, and what mitigations are in place. The CAI doesn't pre-approve the PIA, but they review it if a complaint or breach surfaces.

3. Consent by purpose. Consent must be "clear, free, informed and given for specific purposes." Bundled consent ("I agree to the terms") doesn't satisfy this anymore. If you collect personal information for purposes A, B, and C, you need to be able to demonstrate the individual was given a clear opportunity to consent to each separately. For BPOs, this affects how agents handle consent collection in calls and forms on behalf of clients, which has to be reflected in the script and the data record.

4. The right to data portability. Individuals can request a copy of their personal information in a structured, commonly used technological format. They can also request transmission to a third party. The thirty-day response clock is hard. For a BPO, this means having a workable export from every system that holds agent or consumer personal information, not just the HRIS.

5. The right to de-indexing. Individuals can request that personal information about them be de-indexed or anonymised, particularly if the publication is causing serious injury. This applies more to consumer-facing platforms than to BPO operators directly, but BPOs handling client knowledge bases on behalf of consumer brands inherit the obligation through their service agreements.

6. Mandatory breach notification. Any "confidentiality incident" presenting a "risk of serious injury" has to be reported to the CAI without delay, and the affected individuals notified. "Without delay" isn't defined to the hour, but the CAI has interpreted it as "a matter of days" in published guidance. The threshold for what counts as serious injury is also fact-specific. Erring toward notification is the operator-safe move.

7. Automated decision-making. When a decision is made about an individual based exclusively on automated processing of their personal information, the individual must be informed of that fact, told what information was used, and given the opportunity to make representations to a human reviewer. For BPOs this lands on automated hiring screens, AI-based candidate scoring, and increasingly on automated coaching or schedule-recommendation systems.

8. Enforcement. Administrative monetary penalties run up to $10M or 2% of worldwide turnover, whichever is greater. Penal sanctions for the most serious infractions run up to $25M or 4% of worldwide turnover, whichever is greater. These are real numbers and the CAI has been clear they intend to use them. The first enforcement actions under the new regime started landing in 2024 and 2025.

The eight controls

The control list maps directly to the eight clauses. Some of these you almost certainly have already in some form. The shift is making the documentation defensible and ensuring the operational workflow follows the documentation.

Appointed privacy officer, named publicly. The CAI checks websites. Put the name, role, and contact email on the privacy page. If you've delegated the function to an external service, the legal designation still has to sit with a named person inside your organisation.

A PIA template you actually use. A blank Word template you fill in once and file is enough only if you actually fill it in for every new system. The control isn't the template; it's the habit of pausing every new system rollout for a written assessment. For a 300-agent BPO this means roughly four to eight PIAs a year (new client onboardings, system swaps, major feature rollouts). The PIA template the CAI references in its guidance is the minimum.

Consent records, segmented by purpose. When an agent collects consent on a call or form for purposes A, B, and C, the system has to record three independent consent flags, with timestamps and the scripted language version. If your call recording or form system stores one aggregated consent flag, that's the gap to close. For BPO operations specifically this often means a script change and a corresponding CRM field change.
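What a per-purpose consent record looks like as a data model, as an added example (not FrontLine's code, and not a CAI template). It stores one timestamped decision per purpose together with the script version that was read, treats the latest decision for a purpose as authoritative so withdrawals are honoured, and refuses the aggregated "I agree to the terms" shape. The purpose names, script version labels and subject ids are constructed for the example.

```python
"""Per-purpose consent ledger (added example, not the page's or FrontLine's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed: values a legacy single-flag system might store in the purpose field.
BUNDLED_PURPOSES = {"all", "terms", "*"}


@dataclass(frozen=True)
class ConsentDecision:
    subject_id: str
    purpose: str            # one specific purpose, e.g. "marketing"
    granted: bool           # True = consent given, False = declined or withdrawn
    recorded_at: datetime   # timezone-aware moment the agent captured the answer
    script_version: str     # version of the scripted consent language used
    channel: str            # "call" or "form"


class ConsentLedger:
    """Append-only store: every decision is kept, the latest one per purpose wins."""

    def __init__(self) -> None:
        self._decisions: List[ConsentDecision] = []

    def record(self, decision: ConsentDecision) -> None:
        if decision.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        if decision.purpose.strip().lower() in BUNDLED_PURPOSES:
            raise ValueError("bundled consent is not consent for a specific purpose")
        self._decisions.append(decision)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentDecision]:
        matches = [d for d in self._decisions
                   if d.subject_id == subject_id and d.purpose == purpose]
        return max(matches, key=lambda d: d.recorded_at) if matches else None

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        # No record for a purpose means it was never asked, so no consent exists.
        d = self.latest(subject_id, purpose)
        return d is not None and d.granted

    def evidence(self, subject_id: str) -> Dict[str, dict]:
        """Current state per purpose, the bundle handed over on audit or access request."""
        purposes = {d.purpose for d in self._decisions if d.subject_id == subject_id}
        out = {}
        for p in sorted(purposes):
            d = self.latest(subject_id, p)
            out[p] = {"granted": d.granted, "recorded_at": d.recorded_at.isoformat(),
                      "script_version": d.script_version, "channel": d.channel}
        return out


def demo_ledger() -> ConsentLedger:
    """Constructed history for one individual across two channels."""
    led = ConsentLedger()
    t0 = datetime(2026, 5, 18, 14, 0, tzinfo=timezone.utc)
    # On the call the agent asks for service delivery and marketing separately.
    led.record(ConsentDecision("cust-001", "service_delivery", True, t0, "qc-consent-v3", "call"))
    led.record(ConsentDecision("cust-001", "marketing", False, t0, "qc-consent-v3", "call"))
    # Analytics is never asked, so no record exists for it.
    # Three days later a web form grants marketing; ten days later it is withdrawn by phone.
    led.record(ConsentDecision("cust-001", "marketing", True, t0 + timedelta(days=3), "qc-consent-v3", "form"))
    led.record(ConsentDecision("cust-001", "marketing", False, t0 + timedelta(days=10), "qc-consent-v4", "call"))
    return led


def rejects_bundled_consent() -> bool:
    """True if the ledger refuses a single aggregated 'terms' flag."""
    led = ConsentLedger()
    try:
        led.record(ConsentDecision("cust-002", "terms", True,
                                   datetime(2026, 5, 18, tzinfo=timezone.utc), "v1", "form"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ledger = demo_ledger()
    for purpose in ("service_delivery", "marketing", "analytics"):
        print(purpose, ledger.is_permitted("cust-001", purpose))
    print(ledger.evidence("cust-001"))
```

The `evidence` output is also the shape a DSAR export needs for the consent portion: each purpose, the current answer, when it was captured and under which script version.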

A DSAR workflow that hits the thirty-day clock. A documented process for receiving an access or portability request, identifying every system that holds the requester's data, producing the export, and sending it. The clock starts on receipt, not on triage. For a BPO running multi-client operations, the workflow has to include every client tenant the requester touched. This is the most operationally complex of the controls and the most common gap.

Breach response runbook. A written response plan including who calls the CAI, who notifies affected individuals, what "without delay" means in your operation, and a template notification letter. The runbook should be tested at least annually. The first thirty minutes after a breach is detected is when the decision "is this reportable" gets made, and the runbook is what keeps that decision from getting made by panic.

Retention schedules with technical enforcement. A documented schedule of how long each category of personal information is retained, mapped to a legal basis (operational need, regulatory requirement, contractual obligation), and crucially, technical automation that actually deletes the data when the retention period ends. A schedule that lives in a Word document while the data sits in a database forever satisfies the documentation but not the law.
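The "technical enforcement" half of that control, as an added example (not FrontLine's code). The documented schedule is the input to a purge job: each category maps to a period and a legal basis, the job deletes what is past its period, keeps anything under a legal hold (an open access request, litigation or a regulator request) but reports it, and surfaces any category with no schedule entry as a gap rather than keeping it silently. The categories, periods and records are constructed placeholders, not legally determined retention periods.

```python
"""Retention schedule driving an automated purge (added example, not the page's or FrontLine's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class RetentionRule:
    days: int          # keep for this many days after the clock starts
    legal_basis: str   # operational need / regulatory requirement / contractual obligation


# Constructed schedule: categories, periods and bases are illustrative only.
SCHEDULE: Dict[str, RetentionRule] = {
    "call_recording": RetentionRule(90, "operational need: QA review window"),
    "applicant_file": RetentionRule(365, "contractual obligation: client hiring terms"),
    "payroll_record": RetentionRule(365 * 6, "regulatory requirement: tax records"),
}


@dataclass
class Record:
    record_id: str
    category: str
    clock_start: date          # event that starts the clock, e.g. call end or last day worked
    legal_hold: bool = False   # open DSAR, litigation or regulator request blocks deletion


class PersonalDataStore:
    """Stand-in for the database or object store holding the records."""

    def __init__(self, records: List[Record]) -> None:
        self._records = {r.record_id: r for r in records}

    def all(self) -> List[Record]:
        return list(self._records.values())

    def ids(self) -> List[str]:
        return sorted(self._records)

    def delete(self, record_id: str) -> None:
        del self._records[record_id]


def classify(store: PersonalDataStore, today: date):
    """Return (expired, held_past_period, unscheduled) as sorted id lists."""
    expired, held, unscheduled = [], [], []
    for r in store.all():
        rule = SCHEDULE.get(r.category)
        if rule is None:
            unscheduled.append(r.record_id)   # schedule gap: nobody decided how long to keep this
            continue
        if today < r.clock_start + timedelta(days=rule.days):
            continue                           # still inside its retention period
        (held if r.legal_hold else expired).append(r.record_id)
    return sorted(expired), sorted(held), sorted(unscheduled)


def enforce(store: PersonalDataStore, today: date) -> dict:
    """Delete expired records and return the audit log entry for this run."""
    expired, held, unscheduled = classify(store, today)
    bases = {}
    for rid in expired:
        rec = next(r for r in store.all() if r.record_id == rid)
        bases[rid] = SCHEDULE[rec.category].legal_basis
        store.delete(rid)
    return {"run_date": today.isoformat(), "deleted": expired, "legal_basis": bases,
            "held_past_period": held, "unscheduled": unscheduled}


TODAY = date(2026, 5, 18)   # constructed run date


def demo_store() -> PersonalDataStore:
    """Constructed records covering every branch the purge has to handle."""
    return PersonalDataStore([
        Record("rec-1", "call_recording", date(2026, 1, 1)),                   # past 90 days
        Record("rec-2", "call_recording", date(2026, 4, 1)),                   # inside 90 days
        Record("rec-3", "applicant_file", date(2025, 1, 1), legal_hold=True),  # expired but held
        Record("rec-4", "chat_transcript", date(2024, 6, 1)),                  # no schedule entry
        Record("rec-5", "payroll_record", date(2019, 1, 1)),                   # past six years
    ])


if __name__ == "__main__":
    store = demo_store()
    print(enforce(store, TODAY))
    print("remaining:", store.ids())
```

Two design points carry over to a real implementation: the run's log entry (what was deleted, under which basis, what was held and why) is the evidence that the schedule is actually enforced, and a non-empty `unscheduled` list should fail the job loudly, because a category with no rule is exactly the data that "sits in a database forever".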

Automated-decision documentation. A written record for each system that makes automated decisions about individuals: what data goes in, what decision comes out, who can request human review, and how that review actually happens. If you use AI-based candidate screening or scoring, this is the document the CAI will ask for first.

Privacy notice template, dual-purpose. One notice for individuals whose personal information you collect directly (job candidates, applicants, employees) and another for individuals whose information you handle on behalf of a client. The two need to be different because the legal basis for processing is different. BPOs commonly use only the first and inherit the second from the client's notice; that's a defensible position only if the client's notice actually covers your processing.

FrontLine bundles most of these into the workflow where the work happens. Privacy notices, consent records, retention schedules, DSAR workflows, and automated-decision documentation all live in the data layer that already runs the operation, rather than in a parallel compliance tool that nobody touches between audits. The Atlas lists each component with its current build status. But none of the controls above require a specific platform; they require documented process and operational habit, which a careful operator can run on whatever stack they have.

Cross-border data: the part most BPOs get wrong

Law 25 isn't a hard data-residency rule. Personal information of Quebec residents can leave the province. What the law requires is a written assessment before the transfer, and adequate contractual protection during it. The common compliance gap isn't the transfer itself; it's that no written assessment was ever done.

The assessment has to cover four things: the nature of the personal information being transferred, the purpose of the transfer, the safeguards in place at the destination (technical, contractual, and legal), and the legal regime in the destination jurisdiction. For a Canadian BPO transferring Quebec resident data to a US-based parent company or a US-based subcontractor, the assessment has to address US surveillance law, the FISA Section 702 question, and the CLOUD Act. None of these mean the transfer is prohibited. They mean the assessment has to acknowledge and address them.

What a defensible cross-border record looks like in practice:

The transfer mapping. A document listing every recipient outside Quebec, what data they receive, why, how often, and how. This is the inventory. If a CAI audit lands and you can hand over an accurate, current transfer mapping inside thirty minutes, you've cleared the highest bar most operators trip on.

The contractual protections. Standard contractual clauses or equivalent, included in every agreement with a cross-border recipient. The contractual language has to bind the recipient to Quebec-equivalent privacy practices. For US-based recipients, this typically includes data processing agreement provisions, sub-processor restrictions, and breach notification obligations.

The PIA covering the transfer. A privacy impact assessment specifically addressing the transfer, completed before the first transfer happened. If the assessment is dated after the first transfer, the documentation is retroactive, which the CAI treats as a separate violation.

The annual review. Cross-border arrangements need to be re-assessed at least annually. The legal regime changes (Quebec's adequacy view of the US shifts, EU adequacy decisions move, new sub-processors get added), and the assessment that was defensible last year may not be defensible this year. The annual review is the cheapest insurance.

Most BPOs I've talked to in Quebec are transferring personal information across borders. Almost all of them are doing it in ways that could be made compliant with documentation work that costs less than a single enforcement action. The catch is the documentation work has to happen before it's needed, not after the CAI shows up. The operators who treat Law 25 as an exercise in writing things down once and maintaining the discipline are in a much better posture than the ones treating it as a one-time audit prep.

Sources

Quebec Law 25 is the common shorthand for *An Act to modernize legislative provisions as regards the protection of personal information* (formerly Bill 64). Authoritative references below.

The Act itself. Act respecting the protection of personal information in the private sector (R.S.Q. c. P-39.1). The official consolidated statute as amended by Law 25, available in English and French.

The regulator. Commission d'accès à l'information du Québec (CAI). Quebec's privacy regulator. The CAI's guidance documents, model forms, and enforcement decisions are the primary operational reference. Their site is the best source for current interpretation of "without delay," the model PIA template, and breach notification thresholds.

This article is not legal advice. Quebec privacy law evolves through CAI guidance, court rulings, and administrative decisions. For any specific implementation, retain Quebec-licensed counsel. The article above is the operational read from someone who's helped BPO operators stand up the controls. It's a starting point for the conversation with your lawyer, not a substitute for one.

Serge Belov

Founder, FrontLine

Three decades building software for BPOs. FrontLine is the workforce platform BPO leaders kept asking for and never quite got.
