Law 25 and AI: a compliance guide for Quebec small businesses

By Obrio · 5 min read

Since Law 25 (the Act to modernize legislative provisions respecting the protection of personal information, formerly Bill 64) came fully into force in September 2023, Quebec businesses have had clear obligations around managing personal data. Adopting AI agents raises fair questions: how do you stay compliant when an automated system processes data about customers, suppliers or employees?

This practical guide answers the questions we hear most often from small businesses across the Gatineau and Outaouais region.

What is Law 25, in plain terms?

Law 25 modernizes Quebec's Act respecting the protection of personal information in the private sector. It draws on Europe's GDPR while being adapted to the Quebec context. Its main requirements for small businesses include:

  • Appointing a person in charge of the protection of personal information — in a small business, this is usually the owner or general manager by default.
  • Publishing a privacy policy on your website, written in plain language.
  • Obtaining valid consent before collecting, using or disclosing personal information, with a clearly stated purpose.
  • Reporting privacy incidents to the Commission d'accès à l'information (CAI) and to the people concerned, within the prescribed timelines.
  • Right of access and correction: anyone can ask to view or correct their data.

Compliance tip: formally name your person in charge of the protection of personal information in an internal document and publish their title (not necessarily their name) on your website. It's one of the first things the CAI checks during an inspection.

Which obligations apply when you use an AI agent?

An AI agent that accesses your customer data, sends emails on your behalf, or files invoices is processing personal information. Law 25 therefore applies in full. Here are the specific points to watch:

Minimal data collection

The agent should only access the data strictly needed for the task. If your agent handles payment reminders, it doesn't need access to medical records or HR information. This principle of data minimization is explicitly required by Law 25.

Transparency with your customers

If your AI agent sends emails to your customers, those customers need to know that some communications are automated. Your privacy policy should mention the use of automated tools in processing their data. This isn't an obstacle — the vast majority of people are perfectly comfortable with automated communication when it's clearly identified.

Automated decisions with a significant impact

Law 25 provides specific protections when a decision is made exclusively by an automated system and has a significant impact on a person (denying credit, terminating a contract, and so on). In that case, the person has the right to ask that a human review the decision. This situation is rare in a small business context, but it's worth being aware of.

What Obrio does to keep you compliant

At Obrio, Law 25 compliance isn't a checkbox — it's a design constraint. Here are our concrete practices:

  • Least-privilege access by default: each agent gets only the permissions it needs for its defined tasks. We never grant broad access to your systems.
  • Logging of every action: each agent action is recorded with a timestamp. If a question or incident comes up, you have a complete audit trail.
  • Mandatory human oversight: for any irreversible external action (sending a customer email, issuing an invoice, updating a record), a summary is sent to the designated person in charge. The human stays informed and can step in.
  • No storage of sensitive data: Obrio agents do not store personal information on our own servers. They operate inside your existing tools (QuickBooks, your CRM, your inbox) — your data stays in your systems.
  • Processing agreement: with every client we sign an agreement that clearly defines our role as a "service provider" within the meaning of Law 25 — you remain the controller of the processing, and we act under your instructions.

In short: what you need to do

If you're deploying or considering AI agents in your Quebec small business, here's your basic checklist:

  1. Appoint a person in charge of the protection of personal information.
  2. Update your privacy policy to mention the use of automated tools.
  3. Make sure your agent only accesses the data its tasks require.
  4. Keep a log of automated actions (your AI agent provider should give you one).
  5. Always keep a human in the loop for important decisions.
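The three technical practices above (least-privilege access, a timestamped log of every action, and human oversight of irreversible external actions), which are also checklist items 3 to 5, can be expressed as one small policy gate that sits between an agent and the tools it calls. The following Python is an added illustration written for this guide; it is not Obrio's code, and the agent name, resource names, recipient address, fixed clock and the set of operations treated as irreversible are all constructed assumptions for the example.

```python
"""Least-privilege scoping, audit logging and human-review gating for an
AI agent's actions. Added illustration, not Obrio's code: every agent id,
resource, scope and target value below is constructed for the example."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, List, Tuple

Scope = Tuple[str, str]  # (resource, operation), e.g. ("invoices", "read")

# Operations with an external, irreversible side effect (sending an email,
# issuing an invoice, updating a record). Assumed list for the example: such
# actions run only when in scope, and are always reported to the person in charge.
IRREVERSIBLE_OPS = frozenset({"send", "issue", "update"})


@dataclass(frozen=True)
class Action:
    resource: str    # data category the agent wants to touch
    operation: str   # "read", "send", "issue", "update", ...
    target: str      # record id or recipient (constructed value)


@dataclass
class AgentPolicy:
    agent_id: str
    scopes: FrozenSet[Scope]  # the only (resource, operation) pairs granted


@dataclass
class ActionGate:
    policy: AgentPolicy
    # Clock is injectable so the audit trail is reproducible in tests.
    now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    audit_log: List[Dict] = field(default_factory=list)
    review_queue: List[Dict] = field(default_factory=list)

    def evaluate(self, action: Action) -> str:
        """Return 'deny', 'allow' or 'allow_with_review'. Every decision,
        including refusals, is appended to the timestamped audit log."""
        in_scope = (action.resource, action.operation) in self.policy.scopes
        if not in_scope:
            decision = "deny"                 # default deny: nothing granted, nothing allowed
        elif action.operation in IRREVERSIBLE_OPS:
            decision = "allow_with_review"    # proceeds, but a human is notified
        else:
            decision = "allow"
        entry = {
            "timestamp": self.now().isoformat(),
            "agent": self.policy.agent_id,
            "resource": action.resource,
            "operation": action.operation,
            "target": action.target,
            "decision": decision,
        }
        self.audit_log.append(entry)
        if decision == "allow_with_review":
            self.review_queue.append(entry)
        return decision

    def summary_for_person_in_charge(self) -> str:
        """Plain-text digest of irreversible actions, one line each, for the
        designated person in charge of the protection of personal information."""
        return "\n".join(
            f"{e['timestamp']} {e['agent']} {e['operation']} {e['resource']} -> {e['target']}"
            for e in self.review_queue
        )


def demo() -> Dict[str, object]:
    """Run the gate over three constructed actions for a payment-reminder agent."""
    fixed_clock = lambda: datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed
    policy = AgentPolicy(
        agent_id="payment-reminders",  # constructed agent name
        # Reminders need invoice data and the ability to email customers, nothing else.
        scopes=frozenset({("invoices", "read"), ("customer_email", "send")}),
    )
    gate = ActionGate(policy=policy, now=fixed_clock)
    return {
        "read_invoice": gate.evaluate(Action("invoices", "read", "INV-1042")),
        "send_reminder": gate.evaluate(Action("customer_email", "send", "billing@example.com")),
        "read_hr": gate.evaluate(Action("hr_records", "read", "EMP-7")),  # out of scope
        "audit_entries": len(gate.audit_log),
        "review_items": len(gate.review_queue),
        "summary": gate.summary_for_person_in_charge(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the three behaviours together: the invoice read is allowed silently, the customer email is allowed but lands in the review queue (and in the digest sent to the person in charge), and the HR lookup is refused because the agent was never granted that scope. The refusal is still written to the audit log, which is what makes the trail useful when a question or incident comes up later.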

Law 25 doesn't ban the use of AI — it governs the use of personal data. A small business that deploys AI agents in a thoughtful, documented way has nothing to fear from the CAI. On the contrary, it demonstrates serious data governance.

Note: this guide is provided for information purposes. For your specific situation, consult a lawyer specializing in data protection or contact Quebec's Commission d'accès à l'information.

Ready to automate your business?

Obrio deploys and operates AI agents inside Quebec small businesses. Turnkey, with no setup fees.