What Is Quebec's Law 25?
Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) is Quebec's response to modern digital privacy challenges. Gradually coming into force since September 2022, it imposes obligations on Quebec businesses comparable to Europe's GDPR.
Since September 2024, all provisions are in effect. Businesses that fail to comply face fines of up to $25 million or 4% of their worldwide revenue.
Email: An Underestimated Data Breach Vector
When people think "data protection," they often think of databases, servers, or web forms. But email is the number one vector for personal data breaches in Canada.
- 63% of data breaches in Canada start with a phishing email (CCCS 2024 Report)
- An employee who clicks a fraudulent link can expose the company's entire customer database
- Emails often contain personal information: names, addresses, case numbers, health data
Important: Law 25 requires businesses to take "reasonable security measures" to protect the personal information they hold. Email falls within this scope.
The 3 Key Obligations Related to Email
1. Consent and Transparency
Your customers must know what data you collect and how it is used in your communications. Every email must allow the recipient to easily unsubscribe.
2. Reasonable Security Measures
The business must demonstrate that it has implemented measures to prevent unauthorized access to personal information. Email identity spoofing (when a fraudster sends emails in your company's name) is a form of unauthorized access to your customers' data.
3. Incident Notification
In the event of a breach involving personal information, you must notify the Commission d'accès à l'information (CAI) and the affected individuals. A successful phishing attack that compromises customer data triggers this obligation.
How CodeMail Helps with Compliance
CodeMail adds a unique layer of protection that fraudsters cannot replicate: a personal secret phrase embedded in every legitimate email sent by your business.
- Proactive prevention: your customers can instantly verify whether an email truly comes from you. No technical expertise is needed.
- Reduced incident risk: by reducing phishing risk, you reduce the chances of an incident that must be reported under Law 25.
- Demonstration of due diligence: using CodeMail demonstrates that you have taken "reasonable measures" to protect your customers, a key argument in case of an audit.
- Built-in unsubscribe: every email sent via CodeMail includes an unsubscribe link compliant with Law 25 and CASL (Canada's Anti-Spam Legislation) requirements.
5 Concrete Steps for Businesses
- Audit your email communications: identify all automated emails containing personal information (confirmations, invoices, reminders).
- Integrate an authentication mechanism: add a CodeMail secret phrase so your customers can distinguish your real emails from fraudulent ones.
- Train your employees: 90% of security incidents involve human error. A 30-minute training session per quarter is sufficient.
- Document your measures: keep a record of your email security policies. The CAI may request them during an audit.
- Review regularly: fraud techniques evolve. Review your protection measures each quarter.
Law 25 Compliance + Anti-Phishing Protection
Integrate CodeMail in 5 minutes and demonstrate your commitment to customer security.