Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, also known as Bill 64) has been largely in force since September 22, 2023; its final provision, the right to data portability, took effect on September 22, 2024. It imposes new obligations on any business that collects personal information in Quebec, including through a chatbot on its website. In Europe, the GDPR (General Data Protection Regulation) has imposed similar requirements since May 2018.

If you use an AI chatbot that collects names, emails, phone numbers or any other identifying information, your business is directly affected by these laws. Here's how to ensure your chatbot is compliant.

What is Quebec's Law 25?

Law 25 (formerly Bill 64) is Quebec's major privacy protection reform. It amends the Act respecting the protection of personal information in the private sector and applies to any business that collects, uses or communicates personal information of persons residing in Quebec.

Key points of Law 25 that directly concern chatbots:

  • Explicit consent: You must obtain clear, free and informed consent before collecting personal information, requested in plain language and separately from any other information. Implied consent, or consent buried in terms and conditions, is no longer sufficient.
  • Determined purpose: You must state what the collected data will be used for at the time of collection. For example, "We use your email to contact you regarding your inquiry."
  • Right of access and correction: The individual has the right to view the data you hold about them and to request corrections.
  • Right to deletion and de-indexation: The individual can request deletion of personal data that is no longer necessary for the stated purpose, and in certain cases can require that a hyperlink to their information stop being disseminated or be de-indexed.
  • Privacy officer: Each business must designate a privacy officer. By default this is the person with the highest authority in the business, who may delegate the role in writing.
  • Incident notification: Any confidentiality incident (leak, unauthorized access, use or loss) must be recorded in an incident register. An incident that presents a risk of serious injury must also be reported to Quebec's Commission d'accès à l'information (CAI) and to the individuals concerned.

Law 25 provides for administrative monetary penalties of up to $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is higher, and penal fines of up to $25 million or 4% of worldwide turnover.

Specific obligations for chatbots

An AI chatbot collects personal information in several ways: information entered directly by the visitor (name, email, phone), technical metadata (IP address, browser, pages visited) and the conversation content itself. Here are the resulting obligations:

  • Display an accessible privacy policy: Before any collection, the visitor must be able to consult your privacy policy. The chatbot should include a link to this policy in its interface.
  • Obtain consent before data collection: If your chatbot asks for an email or phone number, consent must be obtained before collection, not after.
  • Limit collection to what's necessary: Only collect data strictly necessary for the stated purpose. If you don't need a phone number, don't ask for one.
  • Define a retention period: Data must not be kept indefinitely. Define a retention period and delete data when it expires.
  • Anonymize IP addresses: IP addresses are personal information. Truncating them before storage (zeroing the last octet of an IPv4 address, or the low-order bits of an IPv6 address that identify a single subscriber or device) is a best practice that minimizes risk.

GDPR vs Law 25: Key differences

If your chatbot is used by European visitors, you must also comply with GDPR. Here are the main differences:

Criteria              | Law 25 (Quebec)                                                                                  | GDPR (Europe)
Consent               | Manifest, free, informed and given for specific purposes                                         | Freely given, specific, informed and unambiguous
Geographic scope      | Persons in Quebec (any business doing business there)                                            | Persons in the EU/EEA
Right to portability  | Yes, in a structured, commonly used technological format (in force since September 22, 2024)     | Yes, in a structured, commonly used, machine-readable format
Maximum penalties     | Administrative: $10M or 2% of worldwide turnover; penal: $25M or 4%                              | €20M or 4% of worldwide annual turnover
DPO / Privacy officer | Privacy officer mandatory for every business                                                     | DPO mandatory only in certain cases
Cookies               | Consent required for non-essential cookies                                                       | Prior consent required for non-essential cookies
Incident notification | CAI + affected individuals, when the incident presents a risk of serious injury                  | Supervisory authority within 72 hours; affected individuals without undue delay when the risk is high

In practice, if you comply with both Law 25 and GDPR, you cover both jurisdictions. The requirements are similar enough that a unified approach works.

5 steps to make your chatbot compliant

Step 1: Map collected data

Identify all personal data your chatbot collects: name, email, phone, IP address, conversation content, pages visited, browser language. Document the purpose of each collection and the planned retention period.

Step 2: Implement consent

Before starting data collection, display a clear notice in the chatbot interface that states the purpose and requires an affirmative action. For example: "This conversation is recorded to process your request. See our privacy policy." followed by an "I agree" button that must be clicked before any identifying field (name, email, phone) is requested. A notice that reads "by continuing, you agree" relies on implied consent, which Law 25 no longer accepts. The visitor must be able to refuse without losing access to the basic service.

Step 3: Configure anonymization and retention

Enable IP address anonymization before storage (zero the last octet of IPv4 addresses; for IPv6, where the low-order bits identify a single device, truncate to a network prefix). Define a data retention policy: for example, 90 days for conversations, 12 months for leads, with automatic deletion at expiry. Configure a "zero cookie" mode if your chatbot doesn't need cookies to function.
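As an added worked example (not ChatDirect's code and not part of the original article), the following Python script implements the two technical controls of Step 3: an IP truncation function that handles both IPv4 and IPv6, and a retention sweep that reports which stored records have outlived the policy. The /48 prefix kept for IPv6, the record layout and the sample records are this example's own assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Retention policy from Step 3: 90 days for conversations, 12 months for leads.
RETENTION = {
    "conversation": timedelta(days=90),
    "lead": timedelta(days=365),
}


def anonymize_ip(raw: str) -> str:
    """Truncate an IP address before it is written to storage.

    IPv4: zero the last octet, keeping the /24 (as in Step 3).
    IPv6: keep the first 48 bits and zero the remaining 80, because the
    low bits of an IPv6 address usually identify a single subscriber or
    device. The /48 width is this example's assumption, not a legal rule.
    Anything that does not parse as an IP address raises ValueError, so a
    malformed or spoofed header value is never stored verbatim.
    """
    addr = ipaddress.ip_address(raw.strip())
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def expired_records(records, now, policy=RETENTION):
    """Return the ids of records whose retention period has lapsed.

    Each record is a dict with "id", "kind" and "created" (a timezone-aware
    datetime); this layout is assumed for the example. A record whose kind
    is missing from the policy raises KeyError instead of being silently
    kept or silently deleted: every data category mapped in Step 1 must
    have a retention period.
    """
    to_delete = []
    for rec in records:
        keep_for = policy[rec["kind"]]
        if now - rec["created"] > keep_for:
            to_delete.append(rec["id"])
    return to_delete


# Constructed sample data for the demonstration (not real visitor records).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "conv-1", "kind": "conversation", "created": NOW - timedelta(days=91)},
    {"id": "conv-2", "kind": "conversation", "created": NOW - timedelta(days=10)},
    {"id": "lead-1", "kind": "lead", "created": NOW - timedelta(days=400)},
    {"id": "lead-2", "kind": "lead", "created": NOW - timedelta(days=200)},
]


def run_purge():
    """One scheduled sweep over the sample data; returns the ids to delete."""
    return expired_records(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for ip in ("203.0.113.77", "2001:db8:abcd:1234::5678"):
        print(ip, "->", anonymize_ip(ip))
    print("expired:", run_purge())
```

Call anonymize_ip on the client address at the point where the conversation is first written, so the full address never reaches the database or the logs, and run the purge from a scheduled job (daily is enough for 90-day and 12-month windows). Keeping the policy as data rather than scattered constants also lets the privacy officer review it alongside the Step 1 data map.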

Step 4: Enable rights exercise

Provide a mechanism for visitors to request access to their data, its correction or its deletion. Ideally, this feature is built directly into the chatbot (a "Delete my data" button, for example). The maximum response time is 30 days in Quebec, and one month under GDPR (extendable in complex cases). Make sure the mechanism only acts on the requester's own data: a deletion button must be tied to the current session or to a verified identity, not to an email address anyone can type in.

Step 5: Document and train

Document your data protection practices. If you have employees who access chatbot conversations, train them on confidentiality obligations. Maintain a register of personal data processing activities.

How ChatDirect integrates Privacy by Design

The Privacy by Design approach means compliance isn't added as an afterthought but is built into the product's architecture. Here's how this philosophy translates concretely in a solution like ChatDirect:

  • Hosting in Canada: Data doesn't leave Canadian territory, which simplifies Law 25 compliance and avoids international transfer issues. Note that Law 25 requires a privacy impact assessment before personal information is communicated outside Quebec, even to another Canadian province, so confirm where the data centre is located and document that assessment.
  • Native IP anonymization: Visitor IP addresses are automatically anonymized, with no additional configuration needed.
  • Zero cookie mode: The chatbot can operate without placing cookies on the visitor's browser, removing the need for a cookie consent banner, provided it also avoids equivalent client-side storage (localStorage, fingerprinting), which the same consent rules cover.
  • Configurable retention: The administrator sets the retention period for conversations and lead data. Deletion is automatic at expiry.
  • Visitor data deletion: A built-in mechanism allows visitors to delete all their data (conversations, leads) in one click, compliant with the right to erasure.
  • AES-256 encryption: Sensitive data (API keys, configuration information) is encrypted at rest with the AES-256-CBC algorithm.
  • No third-party sharing: Conversations are not used to train AI models and are not shared with non-essential external services.
  • Conditional analytics: Google Analytics is only activated if the administrator explicitly configures it and the visitor consents.

Compliance checklist for your chatbot

Use this checklist to verify that your chatbot meets Law 25 and GDPR requirements:

  • Privacy policy accessible from the chatbot interface
  • Explicit consent obtained before any personal data collection
  • Purpose of collection clearly stated to the visitor
  • Collected data limited to what's strictly necessary (minimization)
  • IP addresses anonymized or not collected
  • Data retention period defined and enforced
  • Data deletion mechanism accessible to the visitor
  • Data access mechanism (right of consultation)
  • Sensitive data encrypted in transit (HTTPS/TLS) and at rest (AES-256; prefer an authenticated mode such as AES-GCM, or pair CBC with a MAC, since CBC alone does not detect tampering)
  • Privacy officer designated
  • Data processing register up to date
  • Incident notification protocol in place
  • Employee training on confidentiality obligations
  • Hosting location documented, with a privacy impact assessment before data leaves Quebec and, for EU visitors, transfers only to a country with an EU adequacy decision (Canada has one for organizations subject to PIPEDA) or under appropriate safeguards

Compliance with Law 25 and GDPR isn't just a legal obligation. It's also a competitive advantage. Canadian consumers are increasingly sensitive to the protection of their personal data. A business that clearly displays its commitment to privacy inspires trust and stands out from competitors.

To learn more about deploying a compliant AI chatbot, check out our complete AI chatbot guide for SMBs.

A compliant chatbot from day one

ChatDirect natively integrates Privacy by Design. Canadian hosting, IP anonymization, zero cookies, right to deletion.

Discover Plans