Support
Partners
Contact
Get a demo

Law 25: 10 Myths or Realities

Discover the most common myths associated with the implementation of Law 25 and its impact on businesses in Quebec.
Alain Marceau
26 July 2024
Security and conformity
5
Law 25: 10 Myths or Realities

With the advent of Law 25, you might have heard various opinions. New laws always come with some unclear concepts. Given the significant financial consequences of non-compliance, it’s natural to want clarity. To help you, here are 10 myths or realities:

Myth #1 

Personalization is no longer allowed 

Response: This statement is false.

If you wish to collect data for personalizing your communications, you simply need to mention the purpose at the time of collection or in the privacy policy. It seems perfectly normal, for example, to greet someone by their first name if it has been collected. This does not require special consent. The privacy policy must be adjusted to describe the use and processing of the data.

Myth #2 

Communication consents must be collected again 

Response: This statement is false.

Consents collected through a subscription are still valid. Implicit consents defined by the Canadian Anti-Spam Law (CASL) are also valid when respected. This law also provides for the use of implicit consents. The uses must also be described in the privacy policy. The purpose of the new law is not to hinder customer relationships but to protect personal information.

Link to Article 14 of the Law

Myth #3 

I can transfer data to systems located in the United States 

Response: This statement is true, but not without conditions, as it is not an equivalent state.

When you transfer data outside Quebec, you must inform individuals of this transfer and guarantee the same level of data protection. If the data can be accessed in any way, for example, by a government or used otherwise, there are issues, and you are responsible for the risks and consequences.

That’s why we recommend keeping your data in Quebec.

Note: Facebook was recently fined 1.4 billion in Europe for these transfers.

Link to Article 111 (Article 17) of the Law

Myth #4 

A cookie or tracker manager is mandatory 

Response: This statement is partly true.

If you want to continue using tracking software like Google Analytics and other visit markers that are not anonymous and in a non-commercial context.

Law 25 requires that any function allowing a technology to identify, locate, or profile a person from whom it has collected personal information must be disabled by default. The organization must inform the person and offer ways to activate these functions, if possible.

Link to Article 19 (Article 65) of the Law

Myth #5 

Click and email open tracking are not covered by the law 

Response: This statement is false.

By default, tracking must be anonymous to comply with the law until consent is obtained. People must be informed of the situation and offered a way to activate tracking. Obtain consent for email tracking as this use is not implicit.

Myth #6 

Express consent is required for everything 

Response: This statement is false.

Express (or explicit) consents are mandatory for one purpose only, which is the use of sensitive data.

In all other situations, consent must be obtained in simple and clear terms for each purpose. In other words, the purposes can be stated in a privacy policy. Additionally, the notion of tacit or implicit consent continues to exist under certain conditions.

Link to Article 110 (Article 12) of the Law

Myth #7 

All data is equally important 

Response: This statement is false.

Data must be classified according to type and consider the impact and risk related to them.

Having the list of names and phone numbers from a directory stolen (losing the directory) does not have the same importance as losing SINs and bank account numbers or even someone’s health information.

Link to Article 103 (Article 3.2) of the Law

Myth #8 

The privacy policy must be accepted with each modification 

Response: This statement is false.

You must communicate changes to purposes and uses. Only changes to purposes that have an impact require consent. For example, you could not simply change the policy to accept a data transfer to a third party like Facebook without obtaining consent, unless it is anonymized. However, a simple review of an explanation to make it clearer does not need to be resubmitted.

Link to Article 107 (Article 8.2) of the Law

Myth #9 

I can use an online platform’s services without a contract 

Response: This statement is false.

If you use systems that accumulate personal data, you must have a written contract with the third party with commitments to comply with the law. This contract must specify, among other things, the use of the data, their confidentiality, and destruction.

Link to Article 115 (Article 18.3) of the Law

Myth #10 

We must conduct a risk factor assessment for all our systems 

Response: This statement is false.

Only for new systems to be implemented and systems where data is hosted outside Quebec. Other systems in place are not subject to this requirement.

Link to Article 103 (Article 3.3) of the Law

Find out how your company can benefit from Dialog Insight.

Request a demo

Read also

Omni-Channel Marketing Campaign

Customer Conversion: Turning Every Interaction into a Growth Lever

Every interaction counts: from micro-conversions to hyper-personalized communication funnels, through real-time automation and continuous optimization, this article shows how to turn every touchpoint into a lever for sustainable growth.

Read more

Omni-Channel Marketing Campaign

Customer Engagement: When Precision Makes All the Difference

Every message a brand sends can strengthen the relationship—or weaken it. Omnichannel orchestration, real-time contextualization, artificial intelligence, and advanced performance measurement: this article explores how precision in communications turns engagement into a true lever for differentiation and lasting value.

Read more

Omni-Channel Marketing Campaign

7 common segmentation mistakes… and how to avoid them

Customer segmentation is essential for targeting your audiences effectively. However, some mistakes are often repeated and reduce the impact of campaigns. Discover the 7 most common pitfalls and concrete solutions for successful marketing personalization.

Read more

Security and conformity

Consent Management, What Could it Look Like?

Consent management from past to present. Everything you need to know about best practices for consent.

Read more

Personalization

3 Personalization Techniques to Increase Audience Engagement

The best approach to be successful with relationship marketing is to make advantage of all the resources at your disposal. However, the reality is that many organizations persist with the same strategy, they find comfortable. Because they are unsure of how they operate or whether they would be helpful to their efforts, they neglect some of the best tools at their disposal. Personalization is a powerful way to engage your audience and build relationships. It helps you to connect with your customers. In this blog post, we will explore the benefits of personalization, the latest personalization techniques, and the tools you can use to get started.

Read more

Data Management

SSO : Why is Single Sign-On Important?

We are in an era where computer tools with single connections are multiplying and staff turnover is accentuated. Not to mention the sharing of increasingly sensitive data. Managing access and permissions can become a long and complex process. This is why Dialog Insight wants to simplify and secure everything by offering SSO to its customers. Indeed, it is possible to add single sign-on (SSO) for connection to the DI platform.

Read more

Subscribe to our newsletter

North America

1 866 529-6214

Europe

+33 1 86 76 69 96

Email

info@dialoginsight.com
Contact us

Company

Products

Channels

© 2026 Dialog Insight. All rights reserved.

Privacy Statement

Terms of use

New at Dialog Insight

Every message, on the right channel, at the right time — automatically.

What if your campaigns could find on their own the ideal channel and the perfect moment to generate more impact?With Smart Channel and Omnichannel STO, your campaigns become more engaging and more effective:
  • Automatically send each message through your contacts’ preferred channel
  • Trigger your sends at the optimal time to maximize impact
  • Drive more clicks, conversions, and revenue — without added complexity
See how to activate this smart duo