What Quebec's Law 25 asks of your advisory practice
July 3, 2026 · canada · compliance · law25
If your practice serves clients in Quebec, Law 25 applies to you — whether or not your office is in the province. It modernized Quebec's private-sector privacy law, and it moved the baseline for how any organization handles the personal information of people in Quebec.
This isn't legal advice, and it's no substitute for talking to counsel. But advisors keep asking the same practical question — what does this actually require of a small firm? — so here's the plain-language version, and where a CRM fits in.
The parts that touch a CRM directly
Someone has to be accountable. Law 25 expects a named person responsible for privacy. For a small practice that's usually the principal. The job is real: they need to be able to say where client information lives and who can reach it.
You need to know where the data is. "In the cloud" isn't an answer. You should be able to state which providers hold client information and where. A CRM that keeps Canadian client data in Canadian data centres — and doesn't quietly ship it elsewhere for backups, support tooling, or analytics — makes that a one sentence answer instead of a research project.
Breaches have a clock on them. If personal information is compromised in a way that poses a risk of serious injury, there are notification obligations — to the regulator and, in many cases, to the people affected. That's only possible if you can tell what was accessed and when, which means your systems need a real audit trail, not a vague sense of who logged in.
People can ask for their data — and to be forgotten. Individuals have rights to access their information and, in defined circumstances, to have it corrected or deleted. If pulling one client's complete record is a day of manual work, those requests become a burden. If it's an export, they don't.
Consent has to mean something. Collecting more than you need, or using it in ways a client wouldn't expect, is exactly what the law pushes back on. Capturing only the KYC and suitability information the engagement requires — and being able to show why you hold each field — is the posture the law rewards.
How Advirra is built for this
We designed Advirra so the privacy questions have short answers. Canadian client data stays in Canadian data centres. Every change to a client record is audited — who, what, and when. A departing or requesting client's information can be exported as a clean package, and offboarding a firm ends with a deletion you can evidence.
None of that makes the legal work disappear. You still need a privacy officer, your own assessment of what you collect, and — before you rely on any of it — your own counsel. What good software does is stop the tooling from being the weak link, so the compliance work is about judgment, not archaeology.
If your firm is sorting out its Law 25 posture and your current CRM is fighting you on it, book a walkthrough — we'll walk through exactly where client data lives and how the audit trail and export work.