Best for compliance
Astral Internet
- ISO 27001 + SOC 2 certified
- Audit-ready documentation
- Quebec data centre
Quebec's privacy law (formerly Bill 64) has been fully in effect since September 2023. Penalties run up to $25 million. Here's what your web hosting setup actually needs to meet compliance, plus the Canadian hosts that pass the test.
Sorted by compliance strength. Each is genuinely Law 25 ready, with different strengths for different business types.
Full compliance breakdown, scorecard, and detailed reviews further down the page.
The short version: Quebec's modernised privacy law (formerly Bill 64) gives Quebec residents stronger control over their personal information, and gives the provincial regulator (CAI) real enforcement teeth.
Fully in effect since September 2023
Phased in over 2 years. All requirements are now active and enforceable.
Penalties up to $25 million
Or 4% of global revenue, whichever is higher. SMBs have faced $50K-$500K penalties for inadequate consent.
Stricter than PIPEDA
Shorter notification windows, more explicit consent rules, mandatory privacy officer designation.
Applies to non-Quebec businesses too
If you collect data from Quebec residents through your website, the law applies to you regardless of where you operate.
A common misconception is that Law 25 only applies to Quebec businesses. The reality is broader.
If you operate in Quebec and collect any personal information (names, emails, addresses, payment info), Law 25 applies to you regardless of size.
You do not need to be physically in Quebec. If you collect personal data from Quebec residents through your website, you must comply.
Charities, professional associations, religious organisations, and community groups based in Quebec or collecting Quebec data must comply.
If your online store accepts orders from Quebec addresses, you collect personal information from Quebec residents and Law 25 applies.
If you are not sure whether Law 25 applies to you: the safest assumption is that it does. The cost of compliance is low. The cost of penalties for non-compliance can be devastating.
Compliance is a documentation game as much as a technical one. Here is what to verify before signing a hosting contract.
Criterion 01: Canadian data residency
Law 25 strongly prefers data stored in Quebec or Canada. While the law does not strictly require Canadian-only storage, any cross-border transfer requires documented privacy impact assessments (PIAs) and explicit user consent. The simplest path to compliance is choosing a host that keeps your data physically inside Canadian borders, with documentation you can show to an auditor.
Criterion 02: Documented breach response
If your hosting provider experiences a confidentiality incident affecting personal information, Law 25 requires notification to the Commission d'accès à l'information (CAI) and affected individuals within a reasonable delay. In practice, this means your host needs documented incident response procedures, security monitoring, and a way to alert you fast. Hosts without 24/7 monitoring or formal breach protocols put you at risk of penalties.
Criterion 03: Consent management
Law 25 requires explicit, granular consent for collecting personal information. Your hosting platform needs to support proper consent management, which usually means a cookie banner that allows users to refuse non-essential cookies, and infrastructure that respects those choices. Hosts that automatically deploy tracking, analytics, or third-party scripts without your control make this harder.
Criterion 04: Deletion and data portability
Quebec residents have the right to request deletion of their personal information ("right to be forgotten") and to receive their data in a structured, commonly used format. Your hosting infrastructure needs to support both: clean data deletion across backups and replicas, plus the ability to export user data on demand. Hosts with locked-down database access or opaque backup systems make these requests difficult to honour.
Criterion 05: Encryption at rest and in transit
Personal information must be protected throughout its lifecycle. SSL/TLS certificates for data in transit are now table stakes, but Law 25 also expects encryption at rest for databases, backups, and file storage. Verify your host's default storage encryption, key management practices, and certificate renewal automation. Hosts that charge extra for SSL or do not encrypt backups by default are not Law 25 ready.
Criterion 06: Access controls and audit logging
You need to be able to prove who accessed what data, when. Law 25 audits look for documented access controls, role-based permissions, and tamper-evident audit logs. Your host should provide cPanel or equivalent administrative logging, IP-based access restrictions, two-factor authentication, and the ability to export logs for compliance reviews. Shared hosting without proper isolation makes this particularly challenging.
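The "tamper-evident audit log" in Criterion 06 is worth seeing concretely. The following is an added example, not code from this page or from any of the hosts reviewed: a minimal hash-chained access log where each entry commits to the previous one, plus an HMAC seal over the chain head held by a party other than the host. Recomputing the chain detects any rewrite of an earlier entry; the seal catches the case a bare hash chain cannot, silent truncation of the newest entries. The events, the resource identifier and the key are constructed placeholders.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed placeholder: the anchor the first entry chains to.
GENESIS = hashlib.sha256(b"audit-chain-genesis").hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so the hash does not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[dict], ts: str, actor: str, action: str, resource: str) -> dict:
    """Append one access event; its hash covers the event and the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "actor": actor,
            "action": action, "resource": resource, "prev": prev}
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every link; return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def seal_head(chain: List[dict], key: bytes) -> str:
    """HMAC over (length, head hash) with a key kept off the host; this is what detects truncation."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, f"{len(chain)}:{head}".encode(), hashlib.sha256).hexdigest()


def seal_matches(chain: List[dict], key: bytes, seal: str) -> bool:
    """Constant-time comparison of a stored seal against the current chain head."""
    return hmac.compare_digest(seal_head(chain, key), seal)


def who_accessed(chain: List[dict], resource: str) -> List[Tuple[str, str, str]]:
    """Answer the audit question 'who accessed this record, when, doing what'."""
    return [(e["ts"], e["actor"], e["action"]) for e in chain if e["resource"] == resource]


def build_sample_chain() -> List[dict]:
    """Constructed sample events (not real data)."""
    chain: List[dict] = []
    append_event(chain, "2024-03-01T14:02:11Z", "alice@example.test", "read", "customers/1042")
    append_event(chain, "2024-03-01T14:05:40Z", "bob@example.test", "export", "customers/1042")
    append_event(chain, "2024-03-02T09:12:03Z", "alice@example.test", "delete", "customers/1042")
    return chain


def demo() -> dict:
    key = b"constructed-demo-key-kept-off-host"  # placeholder, not a real secret
    chain = build_sample_chain()
    seal = seal_head(chain, key)  # stored with the auditor, not alongside the log

    tampered = copy.deepcopy(chain)
    tampered[1]["actor"] = "nobody@example.test"   # rewrite history in the middle

    truncated = chain[:-1]                          # drop the newest (deletion) event

    return {
        "intact": verify_chain(chain),                               # (True, None)
        "tampered": verify_chain(tampered),                          # (False, 1)
        "truncated_chain_ok": verify_chain(truncated)[0],            # True: chain alone misses it
        "truncated_seal_ok": seal_matches(truncated, key, seal),     # False: seal catches it
        "access_trail": who_accessed(chain, "customers/1042"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point for a compliance review is the split of trust: the host can produce the chain on request, but only a seal held outside the host's control proves the chain handed over is the whole chain. When you ask a provider how its audit logs are protected, these are the two properties to ask about: per-entry integrity and an external anchor for the log head.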
Editorial evaluation across 7 Law 25 criteria. "Partial" indicates a question worth investigating, not a disqualification.
| Criterion | Astral Internet | WHC.ca | PlanetHoster | FullHost |
|---|---|---|---|---|
| Canadian data residency | Yes | Yes | Yes | Yes |
| ISO 27001 certified | Yes | No | Partial | No |
| SOC 2 certified | Yes | Yes | Partial | Partial |
| Documented breach response | Yes | Yes | Yes | Yes |
| Encryption at rest + in transit | Yes | Yes | Yes | Yes |
| Bilingual support (FR + EN) | Yes | Yes | Yes | Partial |
| Audit logging available | Yes | Yes | Yes | Yes |
Detailed editorial reasoning for each pick, ordered by Law 25 compliance strength.
Best for Law 25 compliance
ISO 27001 and SOC 2 Type II certified Quebec hosting. The only Canadian host on this list with both certifications, which Law 25 audits look for.
Astral Internet operates ISO 27001 and SOC 2 Type II certified data centres in Saint-Jean-sur-Richelieu, Quebec. ISO 27001 is the international information security standard that Law 25 auditors specifically look for when evaluating a hosting provider. Combined with mandatory breach notification protocols, automated audit logging, and a French/English bilingual support team, they are the most defensible choice if you need to document your Law 25 compliance position to auditors or to the CAI. Slightly more expensive than competitors at $30/month, but the certifications justify it for any business handling sensitive Quebec data.
Headquarters: Saint-Jean-sur-Richelieu, Quebec
Best value for compliance basics
Montreal-based since 2003. SOC 2 certified data centres, automated daily backups, bilingual support, and PIPEDA compliance documentation included. Excellent compliance baseline at an accessible price.
WHC has been operating Canadian hosting since 2003 and runs SOC 2 certified data centres in Montreal. They publish PIPEDA compliance documentation and offer the operational basics Law 25 expects: encryption at rest and in transit, daily backups with retention policies, bilingual breach response, and audit logging through cPanel. They do not have ISO 27001 like Astral, but for most small and medium Quebec businesses, WHC's compliance documentation is sufficient. The $3.99/month entry point makes them the most affordable way to get a defensible Law 25 hosting setup.
Headquarters: Montreal, Quebec
Best for performance + compliance
Operates its own autonomous network (AS53589) from Laval, Quebec. Hermetic project isolation, hydroelectric-powered data centre, and 100% Canadian data infrastructure.
PlanetHoster owns and operates its entire infrastructure including its own autonomous network (AS53589) routed exclusively through Canadian peering points. This eliminates a common Law 25 concern around cross-border data transit. Each customer's project is hermetically isolated, which simplifies the compliance question of "could another tenant access our data?" The hydroelectric-powered Laval data centre is 100% Canadian energy. For Quebec businesses that need both top-tier performance AND verifiable Canadian data sovereignty, PlanetHoster is the strongest combined offering. The HybridCloud product line goes further with dedicated resources for compliance-sensitive workloads.
Headquarters: Laval, Quebec
Best for non-Quebec Canadians
British Columbia-based with Canadian data centres. Strong PIPEDA documentation and a good Law 25 fit for Anglo-Canadian businesses with Quebec customers.
FullHost is based in Vancouver and operates Canadian data centres. For Anglo-Canadian businesses outside Quebec who suddenly realise they need Law 25 compliance because they collect data from Quebec customers, FullHost is the natural fit. English-first support team, clear PIPEDA documentation, daily backups, and Canadian data residency. They do not have ISO 27001 or French-language support staffed in Quebec time, so for Quebec-based businesses, the three above are stronger picks. But for a BC, Ontario, or Alberta business serving some Quebec customers, FullHost lets you tick the data residency box without overpaying for Quebec-specific certifications you do not need.
Headquarters: Vancouver, British Columbia
The most common questions from businesses figuring out Law 25 compliance.
Quebec Law 25 (formerly Bill 64) is the province's modernised privacy law that came into full effect in September 2023. It strengthens the rules around how businesses collect, use, store, and protect personal information of Quebec residents. It applies to any organisation handling Quebec residents' personal data, regardless of where the business is physically located. Penalties for non-compliance range from $15,000 to $25 million.
Not strictly, but it is the simplest path. Law 25 does not legally require data to be stored in Canada, but any cross-border transfer requires you to document privacy impact assessments and obtain explicit user consent. Using a Canadian web host eliminates these complications and gives you defensible documentation for audits.
Administrative monetary penalties (AMPs) range from $15,000 to $10 million, or 2% of global revenue, whichever is higher. For serious offences, penal sanctions reach up to $25 million or 4% of global revenue. The Commission d'accès à l'information (CAI) enforces these penalties. Even smaller businesses have faced penalties in the $50,000 to $500,000 range for inadequate consent or breach response.
Yes, if you collect personal information from Quebec residents. An Ontario-based e-commerce store that ships to Quebec, a BC software company with Quebec users, or an Alberta consulting firm with Quebec clients all need to comply. The test is whether you handle Quebec residents' personal data, not where you are physically located.
PIPEDA is Canada's federal privacy law and applies to all businesses across the country. Law 25 is Quebec's provincial law and applies on top of PIPEDA for any business handling Quebec residents' data. Law 25 is generally stricter: shorter breach notification windows, more explicit consent requirements, mandatory privacy officer designation, and higher maximum penalties. If you serve Quebec customers, you must comply with both.
Law 25 requires notification to the Commission d'accès à l'information (CAI) and to affected individuals "with diligence" once you become aware of a privacy incident that presents a risk of serious injury. The CAI interprets this as 72 hours in practice, matching GDPR standards. Your hosting provider needs documented breach response procedures and the ability to alert you quickly.
Yes. Every business subject to Law 25 must designate a privacy officer responsible for ensuring compliance and being the contact point for the CAI. For small businesses, this can be the owner or a designated employee. The privacy officer's name and contact information must be published on your website.
Before relying on any third-party summary (including this one), here are the authoritative sources to consult.
The Quebec privacy regulator that enforces Law 25. Their English-language portal explains your obligations as a business, how to handle privacy incidents, and what penalties apply for non-compliance. The authoritative source for any compliance question.
The full English text of the law from LegisQuebec. Read this if you want the actual legal requirements rather than a summary. Key sections for hosting are 18.3 (cross-border transfers) and 3.5 (breach notification).
CFIB's plain-English FAQ designed for small and medium businesses. Covers what counts as "personal information", when you need consent, and how to handle a privacy officer designation. The most accessible non-government summary available.
Canada's federal privacy law (PIPEDA) covers businesses across all provinces. Quebec Law 25 is stricter and applies on top of PIPEDA for any business handling Quebec residents' data. Understanding the difference matters if you serve customers across Canada.
This guide is informational only and not legal advice. For specific compliance questions, consult a Quebec privacy lawyer or the Commission d'accès à l'information directly.