What's the difference between PIPEDA and Quebec Law 25?
PIPEDA (Personal Information Protection and Electronic Documents Act) is the federal privacy law; it applies to any business handling personal data of Canadians. It requires consent to collect, use, or disclose personal data, breach notification to the OPC (Office of the Privacy Commissioner of Canada), and adherence to the accountability principle.
Quebec Law 25 (Loi 25, formerly Bill 64) is much stricter and applies to any business handling Quebec residents’ data, even if the business is outside Quebec:
- DPO required: a designated Data Protection Officer, with contact details publicly listed
- Privacy Impact Assessment (PIA) for high-risk data flows
- Breach notification within 72 hours to the CAI (Commission d’accès à l’information) and affected individuals
- Consent must be granular and unbundled; implied consent is not accepted
- Right to data portability and right to erasure (similar to EU GDPR)
- Cross-border transfer restrictions: if you host data outside Quebec, you must first do a "comparable protection" assessment
For Magento we wire up (a) a consent banner with granular toggles, (b) the DPO contact in the privacy policy, (c) data-export and data-erasure flows in the customer account, and (d) a breach-notification template plus an on-call rotation. The full compliance stack (PIPEDA federally, Law 25 for Quebec residents, and BC PIPA for BC residents) ships together.