The conversation is everywhere: the Quebec Human Rights Commission is reminding businesses of AI's ethical boundaries, and La Presse ran a headline on May 1, 2026 stating that “your use of AI at work could be illegal.” The question is no longer whether Law 25 applies to artificial intelligence — it already does.
The good news: Law 25 does not ban AI. It requires that AI be used correctly. At V pour Design, we have been working with AI for years, and our compliance framework was built to meet these obligations without slowing down delivery. Here's what that means in practice for you.
Law 25 (formerly Bill 64) modernizes Quebec's rules on the protection of personal information. In force progressively since 2022, it requires any organization processing data about individuals in Quebec to follow a clear framework: consent, transparency, impact assessments, controlled transfers. AI is not excluded — it is explicitly covered when it processes personal information.
Law 25 is not a barrier to AI. It's a professional standard — and a competitive advantage for businesses that embrace it.
What Law 25 requires when AI enters the picture
Five obligations come up repeatedly in web, marketing, and automation projects. Here is how they translate in practice.
| Requirement | What the law says | What we do |
|---|---|---|
| Privacy Impact Assessment (PIA) | Required before any project involving AI, profiling, or cross-border data transfers. | Systematically conducted before any mandate involving client data. |
| Explicit Consent | Required for the collection, use, and disclosure of personal information. | Consent mechanisms built in from the start (forms, cookies, newsletters). |
| Transparency on Automated Decisions | Users must be informed when a decision affecting them is made by an algorithm. | No automated client decisions without clear disclosure and human review option. |
| Disclosure of Cross-Border Transfers | Article 17: inform individuals and assess protections offered outside Quebec. | Full mapping of tools used, jurisdiction by jurisdiction, documented per mandate. |
| Privacy Officer | Every organization must designate one. | Role held at V pour Design for internal operations and client guidance. |
The real risk: “Shadow AI”
According to recent data cited by La Presse and the Cloud Security Alliance, nearly 82% of employees use AI at work without telling their employer. A presentation generated in ChatGPT from client notes. An email rewritten in a free tool. A client file uploaded to Gemini to save time.
This is what is called Shadow AI. And it's where most Law 25 violations occur — not out of bad faith, but out of habit.
Often without telling their employer or clients (Cloud Security Alliance, 2026).
According to a Kiteworks study reported in the press in 2026.
Criminal ceiling under Law 25, or 4% of worldwide revenue.
* Sources: La Presse, Commission d'accès à l'information du Québec, Cloud Security Alliance.
Our compliance framework: why you can trust us with your data
V pour Design is not an agency that “discovered” AI this year. We have been integrating it into our processes for years, within a framework designed to respect Law 25 from the ground up. Concretely:
- Signed agreements before any project begins. Written mandate, confidentiality clauses, and AI-specific provisions. No client data is processed without a contract.
- Professional AI tools only. No free accounts, no public prompts. The services we use offer data processing agreements and non-training commitments.
- No personally identifiable information in any prompt. Sensitive data is anonymized or processed in isolated environments. This is an internal rule, not a suggestion.
- Documentation of cross-border transfers. When a tool processes data outside Quebec, we know it, evaluate it, and explain it to the client.
- Systematic human review. AI proposes, we decide. No client deliverable goes live without human sign-off.
Risky vs compliant: the concrete difference
The same AI tools can be a legal liability or a strategic asset. Everything depends on the framework. Here are the four situations we encounter most often.
| Situation | Risky | Compliant — our approach |
|---|---|---|
| Consumer AI tools (free accounts, personal logins) | Data sent outside Quebec without a contract, PIA, or consent. | Professional tools with data processing agreements, logging, and confidentiality clauses. |
| Content generation with real client data | Personal information copy-pasted into a public prompt. | Data anonymized or processed in isolated environments — no identifiable info in any prompt. |
| Marketing automation (segmentation, scoring) | Automated decisions with no framework or disclosure to affected individuals. | Documented rules, human oversight, right of review communicated to users. |
| Agency or freelance subcontracting | No written agreement, no AI or confidentiality clauses. | Signed mandate agreement, AI-specific clauses, NDA where required. |
Delivering results without legal exposure
Law 25 has not slowed our pace. On the contrary: it has clarified our processes and reassured our clients. Here are the types of mandates we continue to deliver in full, in compliance with the law:
- Websites and redesigns: AI-assisted design, SEO optimization, content structure — without ever exposing client data.
- Digital marketing: ad production, newsletters, segmentation — with clear consent and functional opt-out mechanisms.
- Automation: chatbot integration, smart forms, scoring — always under human supervision.
- Content production: text, visuals, video — with a workflow that respects individual rights and intellectual property.
In other words: we stopped nothing. We simply structured what we were already doing so that Law 25 becomes a selling point rather than a grey area.
Frequently asked questions
The questions we receive most often right now, and our straight answers.
01Does Quebec Law 25 ban artificial intelligence?+
No. Law 25 does not ban AI. It governs the use of personal information — including when that information flows through an AI system. A business that structures its processes correctly can continue using AI and even gain a competitive advantage from doing so.
02My agency uses ChatGPT to write my copy — is that legal?+
It depends on what goes into the prompt. If the agency uses a free account and pastes identifiable client data into it, there is a problem. At V pour Design, prompts never contain personally identifiable information, and the professional AI tools we use are under written data processing agreements.
03What is a Privacy Impact Assessment (PIA)?+
A PIA is a mandatory exercise under Law 25: before launching any project involving personal information — especially with AI — the organization documents the risks, safeguards, and options considered. It has become an industry standard, not just a legal obligation.
04What is "Shadow AI" and why does it matter?+
Shadow AI is the undisclosed use of AI by employees — without their employer or IT team knowing. Studies suggest over 80% of employees use AI at work without telling anyone. The risk: confidential data flows through uncontracted tools. A solid internal policy and approved tools solve most of the problem.
05How large are the fines under Law 25?+
Administrative penalties can reach $10 million or 2% of worldwide turnover. Criminal sanctions go up to $25 million or 4% of worldwide turnover. It sounds severe, but enforcement primarily targets organizations that have taken no steps at all.
Next steps
Already using AI in your business, or looking to integrate it properly? We can support you on three fronts: mapping your current usage, building a Law 25-compliant framework, and continuing to deliver web and marketing results at the same pace.
Want to use AI in your business — without breaching Law 25?
We start with a free conversation. We review your current tools, identify risk areas, and propose a simple, signed framework that lets you keep delivering without legal anxiety.
Book a confidential consultation →Disclaimer: this article is informational in nature and does not constitute legal advice. For a formal Law 25 compliance analysis, consult a specialized legal advisor.