
Quebec's Law 25 and your personal financial data

What Quebec's Law 25 actually changes when you connect a bank or brokerage account to a personal-finance app — concrete obligations, real user rights, and how to vet compliance.

The geodesic dome of Montréal's Biosphère by the St. Lawrence River under a shifting sky.

Quebec's _Act to modernize legislative provisions as regards the protection of personal information_, universally known as Law 25 (or Bill 64 before it passed), was phased in over three years: the first obligations (designating a person in charge of personal information protection, reporting incidents) took effect on September 22, 2022, most provisions on September 22, 2023, and the right to data portability on September 22, 2024. It amends two Quebec statutes: the _Act respecting access to documents held by public bodies_ and, most relevant to financial apps, the _Act respecting the protection of personal information in the private sector_ (P-39.1).

If you're a Canadian outside Quebec evaluating an app that connects to your bank or brokerage, you might think Law 25 isn't your problem. It is. Any app that serves Quebec users — which is nearly every Canadian financial app — operates under Law 25, and the standard it forces on them quietly raises the floor for everyone else.

This piece is written by the team behind a Quebec-based app subject to Law 25 (Mozaic Finance, in Longueuil), so I'll describe the obligations as they actually land — on us and on our US-based competitors. None of this is legal advice; when the detail matters for your situation, read the statute or consult a lawyer.

The short version

If you want the conclusions before the reasoning:

  • Law 25 applies to any private business that processes personal information of Quebec residents — no matter where it's based. A US app used from Montréal is subject to it.
  • You have four concrete rights: access (get a copy), rectification (correct errors), withdrawal of consent, and portability (receive your data in a structured format).
  • The fines are serious: penal fines of up to $25M CAD or 4% of worldwide turnover for the preceding year, whichever is greater, plus administrative penalties the CAI can impose directly, without a court, of up to $10M or 2%. This is no longer ornamental; the ceilings are GDPR-scale.
  • Communicating personal information outside Quebec (hosting it on a server in Ontario or Virginia counts) requires a Privacy Impact Assessment (PIA) concluding that the data will receive adequate protection there. The bill as tabled said "equivalent"; the enacted text says "adequate", weighed against the sensitivity of the data, the purposes, the protection measures in place and the destination's legal regime.
  • Consent must be clear, free, informed and given for specific purposes, and for sensitive information such as financial data it must also be express. A pre-ticked box buried in 40 pages of terms no longer holds up.
  • If a financial app can't name its Personal Information Protection Officer in five seconds, that's a red flag.

The rest of the article explains why each of these is true and how to verify them before you hand over your bank statements to anyone.

What Law 25 actually changed

Before Law 25, Quebec was already covered by P-39.1 (1994) on the private side and by the access act on the public side. Protection existed, but the penalties were ornamental — a few thousand dollars — and the Commission d'accès à l'information (CAI) had little real investigative capacity.

Law 25 did three things that change the math.

First, it brought fines up to GDPR scale: penal fines of up to $25M CAD or 4% of worldwide turnover for the preceding year, whichever is greater, and administrative monetary penalties, which the CAI itself can impose, of up to $10M or 2%. For a financial app that handles information the law treats as sensitive (bank balances qualify), a mishandled breach is now a balance-sheet event, not a press-release issue.

Second, it expanded the CAI's investigative powers: on-site inspections, orders to cease or remedy a practice, and publication of its decisions. An app can now be ordered to stop using certain data or to notify its users publicly.

Third, it gave individuals enforceable rights. Access and rectification existed before; Law 25 adds portability and a set of rights around decisions based exclusively on automated processing of your personal information: to be told that such a decision was made, to learn what information and which principal factors produced it, to have that information corrected, and to submit observations to a person who can review the decision. There is no general right to opt out of automated processing. Whether an app's automatic spending categorization counts as a "decision" about you is a judgement call; where the automated processing produces an outcome for you (a declined request, a limit, a score that gates a feature), the rule clearly applies and you can ask how it was reached and have a human review it.

Five concrete obligations for a financial app

When an app wants to connect to your bank or brokerage account, here's what Law 25 requires of it in practice. If it doesn't do all five, it's not compliant — not "maybe" or "it depends," not compliant.

  1. Designate a person in charge of the protection of personal information (commonly shortened to PIPO in English, RPRP in French). By default this is the person with the highest authority in the business; the role can be delegated in writing, but it remains a person, not a mailbox. The person's title and contact information must be published on the website, accessible without authentication. For an SMB like Mozaic, that's typically the founder or the CTO; for a larger company, it's a dedicated role.
  2. Obtain clear, free, informed consent given for specific purposes. For sensitive information, which includes financial data, consent must be express and must be requested separately from anything else. "Express" means a pre-ticked box doesn't count. "For specific purposes" means "to improve our services" isn't a purpose; you have to say what your data actually does (display your balances, compute your net worth, send a weekly email).
  3. Publish a clear, accessible privacy policy, in plain language, that the user can read before consenting. Not an 80-page PDF; a document a reasonable person can read in five to ten minutes. The policy should list the categories of data collected, the purposes, the recipients, retention periods, and any transfers outside Quebec. A French version is required as well, but that comes from Quebec's Charter of the French Language rather than from Law 25.
  4. Complete a Privacy Impact Assessment (PIA) before communicating data outside Quebec, which includes hosting it there. The PIA must conclude that the data will receive adequate protection in the destination, say the US for AWS us-east-1 or Google Cloud us-central1, weighing the sensitivity of the data, the purposes, the protection measures and the destination's legal regime. When adequacy isn't obvious, the business has to add contractual or technical measures (application-layer encryption, standard contractual clauses, pseudonymization). A Toronto region is outside Quebec too: the assessment is short, but it is still required.
  5. Handle privacy incidents with diligence. When an incident creates a risk of serious injury (the statute's term), the business must notify the CAI and each affected person. It must also log every incident in an internal register, kept for at least five years after the business became aware of the incident, including incidents that didn't require notification, because the CAI can request a copy at any time.

Your four rights, in practice

As a Quebec user, Law 25 gives you four concrete levers you can pull today, for free, without a lawyer. Canadians outside Quebec have access and rectification rights under PIPEDA, but PIPEDA has no portability right and no specific provisions on automated decisions.

The right of access. You can ask any business for a copy of every piece of personal information it holds on you. The business must respond no later than 30 days after receiving the request, and the answer must be intelligible. For a financial app, this includes your profile, your bank-connection history, imported transactions, automatic categorizations, sent emails, and your account access logs.

The right of rectification. If a data point is inaccurate, incomplete, or ambiguous, you can require it to be corrected. Often it's mundane — a misspelled name — but it can matter when wrong data fed an automated calculation (a wrong category that skews your dashboard, for instance).

The right to withdraw consent. At any time, you can withdraw your consent to data processing. The business must stop processing and, if you ask, destroy or anonymize the records. Anonymization is now a legal alternative to destruction under Law 25 — useful for the aggregated statistics a business wants to keep.

The right to portability. In force since September 22, 2024, this is the newest and most practically useful right for personal finance. You can require that the computerized personal information collected from you be handed back to you "in a structured, commonly used technological format", typically a CSV, JSON, or OFX file. Note the scope: it covers what was collected from you (your profile, your imported transactions), not necessarily what the app derived from it (its own categorizations or scores), which you can still obtain through the access right. In practice, this means you can leave an app with your transaction history and import it elsewhere, although the new app will still need its own bank connection for anything after the export.

These rights are exercised through the business's PIPO. If an app refuses or stalls, you can file a complaint with the CAI — it's free and the CAI now has the means to act.

How to vet whether an app is compliant

Before connecting a bank account, these four checks take about ten minutes and rule out the majority of unprepared apps.

  1. Look for the person in charge of personal information protection on the website, usually in the privacy policy or on a Contact / Privacy page. The law requires the title and contact information to be published. If you can't find anything in two minutes, that's a sign compliance isn't being taken seriously; a generic "privacy@" mailbox is acceptable only if it is clearly attached to that role.
  2. Read the privacy policy as far as the cross-border transfers section. A compliant policy names explicitly the countries where your data may travel and explains how adequate protection is maintained there. If the section is missing or vague ("we may transfer data globally"), red flag.
  3. Check the technical security posture. Read-only bank connections (the token the app holds can't initiate a transfer; the aggregator's consent screen shows which permissions are being requested)? Application-layer encryption of sensitive fields (HTTPS only protects data in transit; field-level encryption is what stands between an attacker and a database dump or a misconfigured backup)? Two-factor authentication available? These three are industry best practice, not Law 25 requirements as such, but their absence in a 2026 financial app is telling.
  4. Ask before you sign up. Before paying for an annual subscription, write to the PIPO and ask what categories of data would be collected if you became a customer, and where that data would live. The quality and speed of the answer tell you a lot. A business that takes compliance seriously responds in a few days, in writing, with specific technical detail.

Law 25, PIPEDA, GDPR — practical differences

If you read enough privacy policies, you'll often see three laws cited together. Here's what each adds, in practical terms.

PIPEDA (Personal Information Protection and Electronic Documents Act) is the Canadian federal private-sector law. It applies to federally regulated businesses everywhere (banks included, which matters when the app's data source is a bank), to businesses in provinces without substantially similar legislation, and to personal information crossing provincial or national borders. Quebec's P-39.1 is recognized as substantially similar, so for an app serving all of Canada the two apply in parallel and the stricter rule wins on any given issue. Law 25 is generally stricter on transfers out of the province, consent, and fines.

GDPR (General Data Protection Regulation) is the European law. Law 25 borrows heavily from it: fines pegged to 4% of worldwide turnover, the PIPO/DPO concept, the right to portability. If an app serves Europe and Quebec, its GDPR compliance covers the bulk of Law 25, with a few differences (among them the published contact details of the person in charge, the outbound-transfer PIA, and, under Quebec's Charter of the French Language rather than Law 25 itself, a French version of the policy).

Law 25 is distinctive in practice on three points: the explicit PIA requirement for every communication outside Quebec, including to the rest of Canada; the person in charge of personal information protection, whose title and contact details must be published for every business (GDPR requires publishing a DPO's contact details, but only requires a DPO in certain cases); and a fixed 30-day deadline for access requests, where GDPR's one month can be extended by two more.

What Law 25 does not do

To stay honest, Law 25 doesn't fix everything.

It doesn't protect you if you consent to bad practices. A privacy policy that clearly says "we sell aggregated data to advertisers" and that you accept by clicking "I agree" — that's legal under Law 25. The protection runs through _informed_ consent; if the information is there and you accept anyway, that's your choice. Hence the importance of actually reading policies before clicking.

It only applies to businesses doing business in Quebec. If an app has no Quebec customers and doesn't offer services in Quebec, it isn't subject to Law 25 — even if a Quebec resident finds a way to use it. Most large North American apps serve Quebec, so the point is largely theoretical, but it's worth knowing.

Law 25 has no GDPR-style "right to be forgotten". You can withdraw consent and request destruction, but the business can retain whatever is necessary for legal obligations (e.g., accounting records the Income Tax Act requires be kept for six years). What Law 25 does add is a narrower right to de-indexing: you can ask a business to stop disseminating personal information about you, or to de-index the link to it, where that dissemination causes serious injury to your reputation or privacy.

It doesn't replace sectoral obligations. A financial app is also subject to other regimes — the federal _Retail Payment Activities Act_, the Autorité des marchés financiers rules if it distributes a product, FINTRAC anti-money-laundering obligations. Law 25 layers with these regimes, it doesn't supplant them.

Where Mozaic stands

For transparency: Mozaic Finance is a Quebec company based in Longueuil, subject to Law 25 like any other player in the space. Here's how we handle each of the five obligations above, without embellishment.

  • PIPO. That's me, Laurent Risser, the founder. My contact details are on /privacy-policy. When the team scales, the role will move to a dedicated position and the transition will be published.
  • Consent. At account creation, consent to the terms and to the privacy policy is requested separately, with no pre-ticked boxes. Marketing email consent — when we send any — is a separate opt-in that you can withdraw with one click from any email.
  • Privacy policy. Available in English and French at /privacy-policy. It lists the categories of data, purposes, sub-processors (Plaid, SnapTrade, Google Cloud, Stripe, Resend), retention periods, and transfers.
  • Data location. The primary database and application files live in Google Cloud's northamerica-northeast1 region — Montréal. Backups stay in the same region. US sub-processors that handle fragments (Plaid for bank aggregation, SnapTrade for brokerages, Stripe for billing) are covered by equivalence assessments and contractual clauses. The technical detail is on /security.
  • Incidents. We keep an internal register and commit to notifying the CAI and affected persons within 72 hours of identifying a serious-risk incident. No material incidents to report since launch.

On the technical side: bank and brokerage connections are read-only — the tokens we hold can't initiate a transfer, place an order, or modify a position. Sensitive fields (aggregation tokens, institution identifiers) are encrypted at the application layer before they touch the database. Full architecture documented at /security.
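As an added example (not Mozaic's code and not drawn from the page), here is what "encrypted at the application layer before they touch the database" looks like in practice, and what item 3 of the vetting checklist above is asking for: AES-256-GCM over the token with the key held outside the database, a key id prefixed to the stored value so keys can be rotated, and the table, row and column bound in as associated data so a ciphertext lifted from one user's row cannot be replayed into another's. The table, column and key names are assumptions, and the token is a constructed placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Keyring holds data-encryption keys by id. In production the keys come
// from a KMS or secret manager and never sit next to the data; here they
// are generated in memory (constructed for the example).
type Keyring struct {
	Current string            // id of the key used for new writes
	Keys    map[string][]byte // key id -> 32-byte AES-256 key
}

// NewKeyring returns a keyring holding a single random key.
func NewKeyring(id string) (*Keyring, error) {
	kr := &Keyring{Keys: map[string][]byte{}}
	return kr, kr.Rotate(id)
}

// Rotate adds a fresh key and makes it current. Rows sealed under older
// ids stay readable until re-sealed, because Open looks the key up by
// the id carried in the stored value.
func (kr *Keyring) Rotate(id string) error {
	if _, exists := kr.Keys[id]; exists {
		return fmt.Errorf("key id %q already in use", id)
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kr.Keys[id] = k
	kr.Current = id
	return nil
}

// aad is the associated data: it authenticates where the ciphertext
// belongs (assumed table/row/column names) without encrypting it.
func aad(table, rowID, column string) []byte {
	return []byte(table + "\x00" + rowID + "\x00" + column)
}

func (kr *Keyring) gcm(id string) (cipher.AEAD, error) {
	key, ok := kr.Keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for one row/column and returns the value to
// store: "<key id>:<base64(nonce || ciphertext || GCM tag)>".
func (kr *Keyring) Seal(table, rowID, column string, plaintext []byte) (string, error) {
	aead, err := kr.gcm(kr.Current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // random 96-bit nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, aad(table, rowID, column))
	return kr.Current + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. It fails closed if the key id is unknown, the value
// was modified, or the row/column context differs from the one used at
// Seal time (a ciphertext copied into another user's row).
func (kr *Keyring) Open(table, rowID, column, stored string) ([]byte, error) {
	parts := strings.SplitN(stored, ":", 2)
	if len(parts) != 2 {
		return nil, errors.New("malformed stored value")
	}
	aead, err := kr.gcm(parts[0])
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, sealed := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, aad(table, rowID, column))
}

func main() {
	kr, err := NewKeyring("2026-01")
	if err != nil {
		panic(err)
	}
	token := []byte("access-token-placeholder-42") // constructed, not a real token
	stored, _ := kr.Seal("bank_connections", "user-42", "access_token", token)
	fmt.Println("database holds:", stored) // key id + base64, no plaintext
	pt, _ := kr.Open("bank_connections", "user-42", "access_token", stored)
	fmt.Println("app reads back:", string(pt))
	_, err = kr.Open("bank_connections", "user-99", "access_token", stored)
	fmt.Println("ciphertext moved to another row:", err) // GCM authentication fails
	_ = kr.Rotate("2026-07")
	pt, _ = kr.Open("bank_connections", "user-42", "access_token", stored)
	fmt.Println("still readable after rotation:", string(pt))
}
```

Two design points worth noting. A random 96-bit GCM nonce is safe for on the order of 2^32 writes under one key, which is one reason the key id and rotation path exist rather than being an afterthought; and binding the row identity into the associated data means a database-level attacker who can read and write rows still cannot move a working token from one account to another, which plain column encryption without associated data would allow.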

This isn't a magic promise — it's the minimum Law 25 and good sense require of a financial app in 2026. You should require the equivalent from any app you evaluate.

In summary

Law 25 isn't a formality. It's the framework that makes enforceable the rights you previously had only on paper, and that forces businesses handling your financial data to document how they do so. For you as a user, that means three things.

First, demand transparency before connecting an account. The PIPO, the data location, the sub-processors, the retention periods — all of this should be readable in a few minutes. If it isn't, the app isn't ready for your data.

Second, use your rights. Asking for a copy of your data is free, takes five minutes, and reveals enormous amounts about a company's hygiene. Portability lets you change apps without starting from zero — it's now a right, not a favour.

Third, read privacy policies. Not word-for-word, but look for the cross-border transfers section, the sub-processors, and the retention periods. That's where the real differences between a serious app and one that isn't there yet are hiding.

For deeper reading: the official text of P-39.1 is on LégisQuébec, and the Commission d'accès à l'information publishes a summary of the main changes. The Government of Quebec also keeps a reference page on the obligations (French only).

If you have a specific question about Mozaic's compliance or about exercising your rights with us, email me directly at laurent.risser@mozaicfinance.com.

Frequently asked

Does Law 25 apply to an app based outside Quebec?

Yes. If a business processes personal information of Quebec residents in the course of its activities, it is subject to Law 25 regardless of where the business is incorporated. That's why several US apps updated their privacy policies in 2023-2024 to add a Quebec-specific section. In practice, look for a published person in charge of personal information protection (PIPO/RPRP) and a documented process to exercise your rights from Quebec.

Can my data be stored outside Quebec?

Yes, but the business must first complete a Privacy Impact Assessment (PIA) showing that the data will receive adequate protection in the destination jurisdiction. Many financial apps now use Canadian cloud regions (Montréal or Toronto) at the major providers; a Toronto region is still outside Quebec, so the assessment is still required, but it is short. You have the right to ask where your data lives.

What happens if the app suffers a data breach?

If the incident creates a risk of serious injury, the business must notify the Commission d'accès à l'information (CAI) and every affected person with diligence. It must also record the incident in an internal register kept for at least five years. Penal fines can reach $25M CAD or 4% of worldwide turnover, whichever is greater, and the CAI can itself impose administrative penalties of up to $10M or 2%.

What rights do I have over my data?

Four concrete rights: access (get a copy), rectification (correct errors), withdrawal of consent (stop processing), and portability (receive the data collected from you in a structured, commonly used format; this last right took effect in September 2024). The business must respond within 30 days of receiving the request.