Quebec Law 25 for Nonprofits: A 2026 Compliance Check-Up

June 24, 2026
TL;DR — The Short Answer

Verdict: Every Law 25 deadline has passed. If your Quebec nonprofit collects donor, volunteer, or staff data, you should already be compliant.

What works: Zeffy's fundraising platform names Law 25 in its NPO Terms and Privacy Policy and documents its data-security posture in writing, reducing the vendor-governance work your Privacy Officer has to do.

What doesn't: Zeffy doesn't replace your Privacy Officer, draft your privacy policy, or complete Privacy Impact Assessments for you. That work still sits with your org.

Best for: Quebec nonprofits of any size that collect donor, volunteer, or staff information.

Worth considering if: You use US-hosted tools (Mailchimp, Google Workspace, Salesforce), run youth programs, or have never audited the consent checkboxes on your donation forms.

Every Law 25 deadline has now passed. If you run a Quebec nonprofit and you collect donor, volunteer, or staff information anywhere (a spreadsheet, a Mailchimp list, a Google Form, a personal Gmail inbox), the law already applies to you. The question is no longer "when do we need to be ready?" but "are we actually compliant today?"

This is a current-state check-up, not a preview. It's written for the kind of Quebec nonprofit where one person wears five hats and donor info sometimes sits in a board member's personal inbox. Every requirement gets a plain-language translation and a self-check question, and the legal claims are sourced to the CAI, LégisQuébec, and named law-firm articles. Illustrative samples are flagged as such. This is not legal advice. Confirm anything that matters with your own counsel.

What is Law 25, and does it apply to your nonprofit?

Law 25 (formerly Bill 64) is the Quebec statute that modernized the province's private-sector privacy regime. It amends the Act respecting the protection of personal information in the private sector (LPRPSP) and is enforced by the Commission d'accès à l'information du Québec (CAI). The rules rolled out in three phases on September 22 of 2022, 2023, and 2024. All three phases are now in force.

The trigger isn't your tax status, your size, or your budget. It's whether you collect personal information about Quebec residents as part of an "organized economic activity." Per BCLP's analysis of the statute, Law 25 has no minimum-size or sector exemption for donor, volunteer, or staff data. A food bank that keeps a volunteer roster is in scope. A community youth program with a registration form is in scope. A small foundation that emails a donor list is in scope.

There is one narrow zone of ambiguity: an organization with no economic activity at all (a purely spiritual group with no donations, no programs, no records) may sit outside the definition of an "enterprise." For nonprofit-specific exception analysis, see the Lexology article Quebec's New Privacy Law 25: Is There a Nonprofit Exception?. The short answer in that piece: probably not.

Self-check: Do you have a spreadsheet, CRM, inbox, or form anywhere that holds a Quebec donor's name and email? If yes, you're in scope.

For a small nonprofit: Stop trying to find a loophole. The honest read of the law is that you're covered. The good news is that compliance for a volunteer-run org is much smaller in practice than the law-firm articles make it sound.

The 5 core requirements every Quebec nonprofit must meet today

Forget the phased-deadline timeline. As of right now, here is what should already be in place:

  • 1. A named Privacy Officer with contact info published on your website. The law requires appointment of a Privacy Officer (defaulting to the most senior person in the organization if not delegated) and publication of name, title, and contact on the org website (LPRPSP s. 3.1 as amended by Law 25; src: BCLP). Self-check: can a donor find a privacy contact on your site in under 30 seconds?
  • 2. A confidentiality-incident register, active and in use. Even if you've had no incidents, the register itself must exist and be ready to log one. Self-check: if a volunteer's laptop with the donor list got stolen on a Tuesday morning, where would you write that down?
  • 3. A published privacy policy. Plain-language, on your website, explaining what you collect, why, how long you keep it, and how to ask for a copy or deletion. Self-check: does the policy on your site predate 2022, or is it the generic Squarespace template?
  • 4. Privacy by default. No pre-checked newsletter boxes. No "by donating you agree to receive our weekly bulletin" buried in small print. The default state is no consent: the donor opts in with an affirmative action and can withdraw at any time. Self-check: pull up your donation form and find every checkbox. Are any of them pre-checked?
  • 5. Data portability on request. If a donor asks for a copy of their personal information in a structured, commonly used format, you must be able to provide it. Self-check: if a donor emailed today asking for everything you hold on them, could you produce it in a week?

For a small nonprofit: If you can answer yes to all five self-checks, the rest of this article is about going from "compliant" to "comfortably compliant." If you can't, the next sections walk you through each gap.

How to appoint a Privacy Officer for your nonprofit

Section 3.1 of the amended LPRPSP requires every enterprise to appoint a Privacy Officer. The statute defaults the role to the person of highest authority in the organization unless that person delegates it (src: BCLP). The name, title, and contact information must be published on the organization's website.

For a volunteer-run org with no CEO, "highest authority" is the practical question. In practice, small orgs often designate the highest available authority: executive director if you have one, board chair or board president if you don't. Confirm against CAI's official guidance for your specific org structure before publishing.

The role itself is about governance, not engineering. The Privacy Officer:

  • Oversees compliance with the law inside the organization.
  • Receives and responds to access and deletion requests from individuals.
  • Is the point of contact for the CAI in the event of an incident.
  • Signs off on Privacy Impact Assessments (see the next section).

Illustrative website footer text (sample only, confirm with counsel):

Privacy Officer: [Name], [Title]. For privacy questions, access requests, or to report a confidentiality incident, contact [email] or [phone]. We respond within 30 days.

If you use Zeffy's donor management as your fundraising platform, your Privacy Officer can point to Zeffy's compliance posture (named in the NPO Terms and Privacy Policy) for platform-related data, which narrows what they personally need to govern.

For a small nonprofit: Pick the highest-authority person who is willing. Get a sentence on your website with their name and an email. Done in an afternoon. Do not hire a privacy lawyer for this step.

Managing confidentiality incidents: a step-by-step response plan

A "confidentiality incident" under Law 25 is any access to, use of, disclosure of, or loss of personal information that is not authorized by law. Examples: a stolen laptop, a misdirected email blast, a database breach, a volunteer forwarding a donor list to a personal account.

Section 3.6 of the amended LPRPSP sets out the process: assess the incident, then notify if the threshold is met (src: Gowling WLG).

  • 1. Assess for "risk of serious injury." The statute names three factors: sensitivity of the information, anticipated consequences of its use, and likelihood that it will be used for an injurious purpose.
  • 2. Notify the CAI if serious-injury risk exists. The notification must be prompt.
  • 3. Notify affected individuals in the same circumstances, so they can take protective steps (change passwords, watch for fraud, etc.).

The CAI also has investigative and order-issuing powers, so notification is not optional once the threshold is met.

Whether or not you ever cross the threshold, you must keep a register of all incidents. A simple incident log includes:

  • Date and time of the incident (and of discovery, if different)
  • Description of what happened
  • Categories and approximate volume of personal information involved
  • The injury-risk assessment and the reasoning behind it
  • Whether the CAI and affected individuals were notified, with dates
  • Mitigation steps taken

For CAI-issued guidance, see the CAI's New Privacy Obligations for Businesses fact sheet and the longer French-language Vers la conformité à la Loi sur le privé.

For a small nonprofit: A spreadsheet with the six columns above is your incident register. You do not need a software product. You do need to know which person opens it the moment something goes wrong.

Privacy Impact Assessments: when your nonprofit needs one

A Privacy Impact Assessment (PIA) is a written analysis of the privacy risks of a project or process, completed before the activity starts. Under the Act as amended by Law 25, a PIA is mandatory before communicating personal information outside Quebec (Private Sector Act ss. 3.3 and 17; src: BCLP). This is one of three explicit statutory triggers.

For nonprofits, the cross-border trigger is the one that bites. If you use US-hosted tools (Mailchimp, Salesforce, Google Workspace, a US payment processor), you are communicating Quebec residents' personal information outside Quebec, and the PIA obligation applies.

A PIA does not have to be a legal document. It has to be a written assessment that covers, at minimum:

  • What personal information is being communicated, and to whom
  • Where the recipient is located and under what legal regime
  • The purpose of the communication and whether it's necessary
  • The contractual and technical safeguards in place
  • The risks identified and the mitigation chosen

One way to reduce the PIA workload is to consolidate vendors that already document Law 25 posture. Zeffy is one example: the support.zeffy.com data-privacy page lists Stripe (PCI Service Provider Level 1) as the payment sub-processor, SSL/TLS encryption in transit, AWS hosting, and a documented breach-notification procedure. The Law 25 compliance clause is written into the NPO Terms and the Privacy Policy. See Zeffy's data privacy and security overview for the source-of-record on those claims. Zeffy reducing your PIA surface is not the same as Zeffy doing the PIA for you; the obligation still sits with your Privacy Officer.

For a small nonprofit: Inventory every US-hosted tool that touches Quebec donor data. For each, write a one-page PIA. If a tool can't pass a PIA, swap it for one that can. This is the highest-leverage compliance move available to you.

Parental consent for minors under 14

Under Law 25, collecting, using, or sharing personal information about a child under 14 requires consent from the person with parental authority (or a tutor). This affects nonprofits that run youth programs, family event registrations, junior volunteer onboarding, or any signup form that may be filled out by or about a child.

For the under-14 threshold, the primary source is the Act respecting the protection of personal information in the private sector as amended by Law 25. The CAI's New Privacy Obligations for Businesses sheet summarizes the consent rules.

In practice, for a small org, this looks like:

  • On the registration form: A required field asking the registrant's age, and a separate parental-consent block (name of parent or guardian, email or phone, an opt-in checkbox stating the parent or guardian consents to the collection of the child's information for the stated purpose).
  • In your records: Keep the parental-consent record alongside the child's record, so an access or deletion request can be answered.
  • For photos and video: A separate consent block, because the purpose of the collection is different.

For a small nonprofit: If you have one youth-facing form, fix that form. You do not need a youth-programs privacy specialist. You need a checkbox and a field for a parent's email.

How Law 25 affects donor prospecting and fundraising

Article 22 of the LPRPSP (as amended by Law 25) requires prior consent (manifest, free, informed, and specific) to use personal information for commercial or philanthropic prospecting (src: BCLP).

For Quebec nonprofits, this lands on three common activities:

  • Purchased or rented donor lists. If you can't show that each person on the list gave consent for prospecting by your organization, you can't use the list for prospecting.
  • Wealth screening and prospect research. Combining a donor's record with third-party data for prospecting purposes needs the donor's consent.
  • "Friends-of-friends" outreach. Asking a current donor for personal contacts and then prospecting those contacts without their consent is not compliant.

The cleanest path is consent capture at the source. Your nonprofit CRM or donor management system should record, per donor, what they consented to and when, so prospecting-eligible contacts can be filtered cleanly.

For a small nonprofit: Prospecting from purchased lists is no longer a viable channel for Quebec contacts. Lean into opt-in capture at the donation form, and segment your CRM by consent state.
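The consent-state record described above, as an added example that is not Zeffy's code and not from the original article: a small event-sourced consent ledger in Python. Each consent decision is stored as a dated, sourced event instead of a single yes/no column, so the organization can show what a donor agreed to, when, and on which form; filter the prospecting-eligible contacts; and answer the data-portability self-check from earlier in the article with a structured export. Donor names, purposes, timestamps and source labels are constructed sample data, and the purpose names are an assumption for illustration.

```python
"""Event-sourced consent ledger for a small CRM: every consent decision is a
dated, sourced event, so the org can prove what a donor agreed to and when,
filter prospecting-eligible contacts, and export one donor's record for a
portability request. Constructed example, not a real CRM or real donors."""
from dataclasses import dataclass, field, asdict
from datetime import datetime
import json


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str    # e.g. "newsletter", "prospecting", "partner_events" (assumed names)
    granted: bool   # True = opt-in, False = withdrawal
    at: str         # ISO-8601 timestamp of the decision
    source: str     # where it was captured: "donation_form", "email_reply", ...


@dataclass
class Donor:
    donor_id: str
    name: str
    email: str
    consents: list = field(default_factory=list)

    def record(self, purpose, granted, at, source):
        """Append a decision; history is never overwritten, only extended."""
        self.consents.append(ConsentEvent(purpose, granted, at, source))

    def has_consent(self, purpose):
        """Latest decision for the purpose wins. No recorded decision means no
        consent (privacy by default), so a contact imported from a purchased
        list is never eligible until they opt in themselves."""
        events = [e for e in self.consents if e.purpose == purpose]
        if not events:
            return False
        latest = max(events, key=lambda e: datetime.fromisoformat(e.at))
        return latest.granted


def prospecting_eligible(donors):
    """IDs of donors who may be contacted for prospecting (Article 22)."""
    return [d.donor_id for d in donors if d.has_consent("prospecting")]


def export_donor_dict(donor):
    """Portability export: everything held on the donor, including the consent
    history and the resulting current state, as a plain dict."""
    purposes = sorted({e.purpose for e in donor.consents})
    return {
        "donor": {"id": donor.donor_id, "name": donor.name, "email": donor.email},
        "consent_history": [asdict(e) for e in donor.consents],
        "current_consents": {p: donor.has_consent(p) for p in purposes},
    }


def export_donor(donor):
    """Same export serialized as JSON, a structured, commonly used format."""
    return json.dumps(export_donor_dict(donor), indent=2, ensure_ascii=False)


def sample_donors():
    """Constructed sample data, not real donors."""
    alice = Donor("d1", "Alice Tremblay", "alice@example.org")
    alice.record("newsletter", True, "2025-03-02T14:05:00", "donation_form")
    alice.record("prospecting", True, "2025-03-02T14:05:00", "donation_form")

    bob = Donor("d2", "Bob Gagnon", "bob@example.org")
    bob.record("prospecting", True, "2024-11-20T09:00:00", "donation_form")
    bob.record("prospecting", False, "2025-01-15T18:30:00", "email_reply")  # withdrew

    chloe = Donor("d3", "Chloé Roy", "chloe@example.org")  # purchased list: no events
    return [alice, bob, chloe]


if __name__ == "__main__":
    donors = sample_donors()
    print("prospecting-eligible:", prospecting_eligible(donors))  # ['d1']
    print(export_donor(donors[0]))
```

The point of the event log over a boolean column is evidentiary: when the CAI or a donor asks "when and where did this person consent to prospecting?", the answer is already in the record, and a withdrawal is a new event rather than a silent overwrite.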

Consent and transparency: what to tell your donors

Consent under Law 25 must be manifest, free, informed, and specific. Translated to a donation form, that means:

  • Manifest. The donor makes a clear, affirmative choice. No pre-checked boxes. No "by continuing you agree" buried in fine print.
  • Free. The donation does not require the donor to consent to marketing as a condition of donating.
  • Informed. The donor sees, in plain language, what you collect, why, who else sees it, and how long you keep it.
  • Specific. One purpose per consent. A donor opting in to your monthly newsletter is not opting in to be solicited by a partner organization.

Illustrative donation-form language (sample only, confirm with counsel):

We collect your name, email, and donation amount to process your gift and send your tax receipt. We do not sell or share your information with partner organizations. To opt in to our monthly newsletter, tick the box below.

Before / after (illustrative only):

Before (not compliant): A single checkbox at the bottom of the donation form, pre-checked, reading "Send me updates and offers from [Org] and our partners."

After (illustrative compliant version, confirm with counsel): Two separate unchecked boxes. The first: "I'd like to receive [Org]'s monthly newsletter (about once a month, easy to unsubscribe)." The second: "I'd like to hear about events from [Org]'s partner organizations." Neither is pre-checked, and neither is required to donate.

Whatever tool you use, the consent checkboxes on your form are where this requirement is met or missed, so audit every one of them against the four tests above. You can read Zeffy's Privacy Policy as a real-world example a Quebec nonprofit can adapt as a starting model.
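One way to run that audit mechanically, as an added example that is not Zeffy's code and not from the original article: a standard-library Python script that parses a saved copy of a donation form's HTML, finds every checkbox with its label, and flags the failures of the manifest test (pre-checked), the free test (required to submit) and the specific test (one box bundling several purposes). The before/after forms from this section are embedded as constructed sample input. The purpose-keyword buckets are an assumption for illustration, and the informed test (is the purpose text plain and complete?) still needs a human reader.

```python
"""Static audit of an HTML donation form for consent checkboxes that fail
Law 25's manifest, free and specific tests. Standard library only, so it
runs offline on a saved copy of the form. Constructed example; the purpose
buckets are a heuristic, not a list from the statute."""
from dataclasses import dataclass
from html.parser import HTMLParser

# Heuristic purpose buckets (assumption for this example): a label that
# touches more than one bucket is treated as bundling purposes.
PURPOSE_KEYWORDS = {
    "org_news": ("newsletter", "updates", "news"),
    "offers": ("offer", "promotion"),
    "third_party": ("partner", "sponsor"),
}


@dataclass
class Checkbox:
    name: str
    checked: bool
    required: bool
    elem_id: str = ""
    label: str = ""


class FormAuditParser(HTMLParser):
    """Collects every <input type="checkbox"> with its label text, whether the
    label wraps the input or points at it with for="..."."""

    def __init__(self):
        super().__init__()
        self.checkboxes = []
        self._for_text = {}      # id -> text of a <label for="id">
        self._open_labels = []   # stack of [for_id, text_parts, inner_checkboxes]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # boolean attributes arrive as (name, None)
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            cb = Checkbox(
                name=a.get("name") or a.get("id") or f"checkbox{len(self.checkboxes) + 1}",
                checked="checked" in a,
                required="required" in a,
                elem_id=a.get("id") or "",
            )
            self.checkboxes.append(cb)
            if self._open_labels:
                self._open_labels[-1][2].append(cb)
        elif tag == "label":
            self._open_labels.append([a.get("for"), [], []])

    def handle_data(self, data):
        if self._open_labels:
            self._open_labels[-1][1].append(data)

    def handle_endtag(self, tag):
        if tag == "label" and self._open_labels:
            for_id, parts, inner = self._open_labels.pop()
            text = " ".join(" ".join(parts).split())
            for cb in inner:
                cb.label = text
            if for_id and not inner:
                self._for_text[for_id] = text

    def close(self):
        super().close()
        for cb in self.checkboxes:   # resolve <label for="..."> after the whole form is read
            if not cb.label and cb.elem_id in self._for_text:
                cb.label = self._for_text[cb.elem_id]


def purposes_in(label):
    text = label.lower()
    return {bucket for bucket, words in PURPOSE_KEYWORDS.items() if any(w in text for w in words)}


def audit_form(html):
    """Return (checkbox name, finding) pairs; an empty list means every
    checkbox passes the manifest, free and specific tests."""
    parser = FormAuditParser()
    parser.feed(html)
    parser.close()
    findings = []
    for cb in parser.checkboxes:
        if cb.checked:
            findings.append((cb.name, "pre-checked: consent is not manifest"))
        if cb.required:
            findings.append((cb.name, "required to submit: consent is not free"))
        buckets = purposes_in(cb.label)
        if len(buckets) > 1:
            findings.append((cb.name, f"bundles {sorted(buckets)}: consent is not specific"))
    return findings


# Constructed sample forms mirroring the before/after text above.
BEFORE_FORM = """
<form action="/donate" method="post">
  <label>Email <input type="email" name="email" required></label>
  <label><input type="checkbox" name="marketing" checked>
    Send me updates and offers from [Org] and our partners</label>
  <button type="submit">Donate</button>
</form>
"""

AFTER_FORM = """
<form action="/donate" method="post">
  <label>Email <input type="email" name="email" required></label>
  <input type="checkbox" id="newsletter" name="newsletter">
  <label for="newsletter">I'd like to receive [Org]'s monthly newsletter (about once a month, easy to unsubscribe)</label>
  <input type="checkbox" id="partner_events" name="partner_events">
  <label for="partner_events">I'd like to hear about events from [Org]'s partner organizations</label>
  <button type="submit">Donate</button>
</form>
"""

if __name__ == "__main__":
    for title, html in (("before", BEFORE_FORM), ("after", AFTER_FORM)):
        print(f"{title}: {audit_form(html) or 'no findings'}")
```

Run it against the HTML your form builder actually serves (view-source, or save the page), not the template in the builder's editor: some builders inject `checked` or `required` at render time. Treat a clean result as a starting point for the human read of the "informed" wording, not as a sign-off.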

For a small nonprofit: If your current form is on a generic tool you can't configure consent on, that's the lever to pull. Switching form-builders is faster, cheaper, and more durable than retrofitting consent onto something that doesn't support it.

Penalties for non-compliance: what's at stake

Law 25 carries two distinct penalty tiers, both significant. Per Osler's analysis citing statute ss. 90.12 to 91:

  • Administrative Monetary Penalties (AMPs): up to C$10 million or 2% of worldwide turnover, whichever is greater.
  • Penal fines: up to C$25 million or 4% of worldwide turnover, whichever is greater.

Enforcement is active, not theoretical. The CAI has had full enforcement powers (AMPs, penal proceedings, investigative orders) since September 22, 2023, and the CAI's 2023-2024 Annual Report records 444 confidentiality-incident declarations received over the year, which shows the incident-notification regime is in routine use.

Realistically, a three-volunteer animal rescue is not the target of a C$25 million fine. The realistic risks for a small org are different and arguably worse:

  • An order from the CAI to change a practice, often public.
  • Donor trust damage from a breach you can't explain.
  • A complaint that escalates because no one designated knew how to respond.

For a small nonprofit: Treat compliance as a donor-trust lever, not a fine-avoidance exercise. The work you do to comply (a real Privacy Officer, a real policy, opt-in consent) is the same work that makes donors give again.

Law 25 compliance checklist for Quebec nonprofits

A practical, 12-point self-audit. Aim for yes on every line. Screenshot, print, or paste it into a doc and work through it with your Privacy Officer.

  • ☐ Privacy Officer appointed (highest authority by default; delegation documented if delegated)
  • ☐ Privacy Officer's name, title, and contact published on your website
  • ☐ Plain-language privacy policy published on your website, dated within the last 12 months
  • ☐ Confidentiality-incident register exists and a named person owns it
  • ☐ Documented incident-response steps (assess for serious-injury risk, notify CAI, notify affected individuals)
  • ☐ All donation, signup, and registration forms use opt-in consent (no pre-checked boxes)
  • ☐ Consent text on each form names the specific purpose (donation, newsletter, event, prospecting)
  • ☐ Inventory of every tool that holds Quebec personal information (CRM, email tool, form builder, spreadsheets, inboxes)
  • ☐ Privacy Impact Assessment completed for every tool that communicates personal information outside Quebec
  • ☐ Vendor contracts reviewed; sub-processors with Law 25 posture preferred (compliance language, encryption, breach procedure)
  • ☐ Parental-consent flow in place for any data collection involving minors under 14
  • ☐ Data minimization audit done in the last 12 months: anything you don't need has been deleted or anonymized

For a small nonprofit: Block 90 minutes on a Saturday. Run the list. Anything you can't answer yes to becomes next week's task list. Most volunteer-run orgs can clear 8 of the 12 in a single afternoon.

How Zeffy helps you stay compliant

Zeffy is a free fundraising platform built specifically for nonprofits. More than 100,000 nonprofits have raised over $2 billion on the platform, all at no cost to their organizations. The Law 25 compliance posture is documented in writing rather than implied in marketing copy. What that documentation covers:

  • Law 25 compliance named in the NPO Terms and Privacy Policy. Not a brochure claim. The clause is written into the contract you accept and the privacy policy you can show your Privacy Officer. See Zeffy's NPO Terms.
  • Free donor management. Donor records, segmentation, and donor history in one place, so the personal information your Privacy Officer governs lives in one system instead of scattered across spreadsheets, inboxes, and US-hosted tools.
  • Donor data stored in Canada. Donor details are held on Amazon's Canadian servers (ca-central), with SSL/TLS encryption in transit, per Zeffy's data-privacy documentation.
  • Automatic compliant tax receipts. Personal information isn't re-keyed across tools, which reduces the surface area for handling errors.
  • Payment processing through Stripe (PCI Service Provider Level 1). Zeffy itself never stores card data.

Zeffy charges nonprofits nothing: no platform fee, no transaction fee, and no credit card fee. Donors are invited to leave an optional contribution that keeps the platform running.

Honest scope: Zeffy is a fundraising platform, not a privacy-law consultancy. It reduces the surface area that needs a PIA, names Law 25 in its NPO Terms, and gives your Privacy Officer one less vendor to govern. It does not replace your Privacy Officer or your counsel.

Does Law 25 apply to small Quebec nonprofits?

Yes, in almost every case. Law 25 applies to any enterprise conducting organized economic activity that collects, uses, or discloses personal information of Quebec residents, and there is no minimum-size or sector exemption for donor, volunteer, or staff data (src: BCLP). If your nonprofit has a donation form, a volunteer list, or a staff record, you are in scope.

Who should be the Privacy Officer at a volunteer-run nonprofit?

Section 3.1 of the LPRPSP, as amended by Law 25, defaults the role to the person of highest authority unless that person delegates it. For a volunteer-run org, the highest authority is typically the executive director, or, if there isn't one, the board chair or board president. Confirm against CAI guidance for your specific structure.

What happens if we have a data breach?

Under s. 3.6, you assess the incident for "risk of serious injury" based on sensitivity of the information, anticipated consequences, and likelihood of injurious use (src: Gowling WLG). If that threshold is met, you must promptly notify the CAI and the affected individuals. Whether or not the threshold is met, you must log the incident in your confidentiality-incident register.

Do we need a Privacy Impact Assessment before using Mailchimp or Salesforce?

Yes, if those tools host or process Quebec residents' personal information outside Quebec. Communicating personal information outside Quebec is an explicit statutory trigger for a PIA under Private Sector Act ss. 3.3 and 17 (src: BCLP). This applies to most US-hosted SaaS tools.

What are the actual penalties under Law 25?

Two tiers (src: Osler, citing ss. 90.12 to 91). Administrative Monetary Penalties up to C$10 million or 2% of worldwide turnover (whichever is greater), and penal fines up to C$25 million or 4% of worldwide turnover (whichever is greater). The CAI has had full enforcement powers since September 22, 2023, and the 2023-2024 Annual Report records 444 confidentiality-incident declarations received.

Can we use pre-checked newsletter opt-in boxes on our donation form?

No. Consent under Law 25 must be manifest, free, informed, and specific. A pre-checked box is not manifest consent. Each consent must be a separate, affirmative, unchecked action by the donor.

Does Law 25 affect donor prospecting?

Yes. Article 22 of the LPRPSP requires prior consent (manifest, free, informed, specific) to use personal information for commercial or philanthropic prospecting (src: BCLP). Purchased or rented Quebec donor lists without per-contact prospecting consent are no longer usable.

What about minors under 14?

Collection, use, or communication of personal information about a minor under 14 requires the consent of the person having parental authority. If you run youth programs or family-event registrations, your form needs a parental-consent field and your records need to keep that consent alongside the child's data.

Written by
David Purkis
https://home.simplyk.io/blog/quebecs-law-25-and-what-it-means-for-nonprofits
