Law 25 and CRM: What Every Quebec IT Integrator Must Know in 2026
Maximum fine: $25M or 4% of worldwide revenue
The Commission d'accès à l'information (CAI) has been able to impose administrative monetary penalties since September 2023. CRM and monitoring tools that store Quebec personal data outside Canada are directly affected.
What is Law 25 and why does it affect your CRM?
Law 25 — officially the Act to modernize legislative provisions as regards the protection of personal information — came into force in three phases between 2022 and 2024. It applies to all businesses that collect, use, or communicate personal information about Quebec residents.
For an IT integrator, this directly includes:
- Your CRM (contact names, emails, phone numbers)
- Your commercial monitoring tools (decision-maker data)
- Your contact enrichment tools (Hunter.io, ZoomInfo, Apollo)
- Your email and marketing automation platforms
The 3 phases of Law 25 — where do you stand?
- Sept. 2022: Privacy Officer. Appoint a Privacy Officer (RPRP) and publish their contact information publicly.
- Sept. 2023: Privacy Impact Assessments (PIA). Conduct a PIA before any project involving personal information. Declare privacy incidents to the CAI within 72 hours.
- Sept. 2024: Individual Rights. Right to data portability, right to erasure, explicit consent for automated decisions. Accessible privacy policy required.
5 questions to ask your CRM vendor
- Where is data hosted? — Quebec personal data should ideally stay in Canada. Otherwise, a Privacy Impact Assessment (PIA) is required before any cross-border transfer.
- Do you have an incident registry? — Any privacy incident must be reported to the CAI within 72 hours. Your vendor must notify you immediately.
- How do you handle deletion requests? — The right to erasure is enforceable. Your CRM must be able to purge all data about a person on request.
- What is your consent process? — Consent must be explicit, free, informed, and given for specific purposes. Pre-checked boxes no longer suffice.
- Do you have an accessible privacy policy? — It must be written in plain language and easily findable on your website.
Commercial monitoring tools — Law 25 compliance comparison
| Tool | Hosting | Law 25 | Note |
|---|---|---|---|
| Salesforce | 🇺🇸 USA | Data outside Canada by default. Addendum required. | |
| HubSpot | 🇺🇸 USA | US servers. EU option available but not CA. | |
| ZoomInfo | 🇺🇸 USA | Quebec personal data exposed. Non-compliant. | |
| Apollo.io | 🇺🇸 USA | Aggregates personal data without explicit Quebec consent. | |
| KairosNode | 🇨🇦 Canada | Neon PostgreSQL (AWS ca-central-1), SHA-256, automatic purge on deletion. | |
Turning Law 25 into a competitive advantage
Most IT integrators see Law 25 as a constraint. The smartest ones see it as a commercial differentiator.
Your Quebec public sector clients — ministries, CISSS, municipalities — are themselves subject to Law 25. They're looking for vendors who understand their obligations and can demonstrate their own compliance.
An integrator who can say “all our tools are hosted in Canada and Law 25 compliant” has an immediate advantage in public tenders where compliance is an evaluation criterion.
Compliance checklist — Law 25 for your sales stack
- ✅ CRM with Canadian hosting or an addendum covering transfers outside Quebec
- ✅ Updated privacy policy (individual rights, portability, erasure)
- ✅ Privacy Officer (RPRP) appointed
- ✅ Incident declaration process (72h to CAI)
- ✅ Personal data processing activity registry
- ✅ Explicit consent for commercial communications
- ✅ Compliant commercial monitoring tools (data hosted in Canada)
KairosNode is built from the ground up for Law 25 compliance: Neon PostgreSQL hosting in ca-central-1 (Canada), SHA-256 on all identifiers, automatic data purge on account deletion, and no personal data stored in plain text.
Law 25-compliant sales intelligence — starting today
KairosNode monitors SEAO and identifies IT opportunities in Quebec's public sector, with 100% Canadian hosting and native Law 25 compliance.