Quebec Law 25 — AI Automated Decisions and 2026 CAI Guidance
Quebec's Law 25 has been fully in force since September 2024 and the Commission d'accès à l'information has sharpened its 2025–2026 guidance on AI in the workplace and algorithmic impact analysis. Here is the playbook.
Quebec's Law 25 (formerly Bill 64) is North America's most GDPR-like provincial regime. The CAI's 2025 guidance on AI in the workplace turned Section 12.1 from a notice rule into a real algorithmic-impact discipline.
What the law says
An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information ("Law 25") amended Quebec's Act respecting the protection of personal information in the private sector. Phase 3 took effect 22 September 2024, completing portability rights. Section 12.1 governs decisions made exclusively by automated processing of personal information. The organisation must inform the individual at the time of (or before) the decision that the decision was made by automated means; provide on request the principal personal information used, the reasons and principal factors that led to the decision, and the right to have the personal information rectified; and offer an opportunity to submit observations to a human reviewer.
A Privacy Impact Assessment (Section 3.3) is mandatory before any project that creates or modifies a system involving personal information. The CAI's 2025 guidance recommends an algorithmic impact analysis on AI tools, advance notice well before deployment, and rejects fully automated emotion analysis, biometric categorisation, and significant employment decisions. Quebec law requires data residency notices for processing outside Quebec. Penalties reach C$10M or 2% of worldwide turnover for organisations and C$25M or 4% for the most serious offences.
Hear it before you finish reading
Talk to a live CallSphere AI voice agent in your browser — 60 seconds, no signup.
What AI voice/chat must do
A voice agent that decides who advances in a hiring funnel, who gets approved credit, or whose claim is denied is making an exclusively automated decision under Section 12.1. The organisation must trigger the notice flow in real time, expose the data inputs and principal factors on request, and route observations to a human. PIAs precede launch and update on material change. Emotion-recognition or biometric-categorisation features are practically off-limits in the workplace. Cross-border processing requires a written assessment of the destination jurisdiction's privacy regime.
CallSphere posture
CallSphere — 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses, 4.8/5, HIPAA and SOC 2 aligned — ships Quebec-pinned PostgreSQL options, a Section 12.1 real-time notice integration, an observation-to-human review pathway in the voice and chat agents, a PIA template aligned to CAI guidance, and a cross-border transfer assessment generator. Emotion-recognition features are gated off by default for Quebec deployments. Pricing $149 / $499 / $1,499; 14-day trial; 22% affiliate; see /pricing; contact /contact; about us at /about.
flowchart LR
A[QC Caller] --> B[Voice Agent]
B --> C[Auto Decision?]
C --> D[12.1 Notice]
D --> E[Inputs + Factors]
E --> F[Submit Observations]
F --> G[Human Review]
B --> H[PIA + Cross-Border]
Compliance checklist
- Identify every workflow that produces an exclusively automated decision; flag for Section 12.1.
- Trigger the 12.1 notice at the moment of decision; do not batch overnight.
- Expose inputs, principal factors, and rectification rights on request.
- Route observations to a human reviewer; document the review.
- Run a Section 3.3 PIA before each project; refresh on material change.
- Add an algorithmic impact analysis when AI is used in employment.
- Avoid emotion recognition and biometric categorisation in the workplace.
- Document cross-border transfers and the destination's privacy regime.
- Localise notices in French and offer the equivalent in English where applicable.
- Train front-line staff on the 30-day request response window.
FAQ
Does Section 12.1 apply if a human signs off? If the human review is real and substantive, the decision is no longer exclusively automated. Pro-forma sign-off does not escape 12.1.
Is a PIA required for an off-the-shelf voice product? Yes — the deploying organisation runs the PIA, regardless of who built the model.
Still reading? Stop comparing — try CallSphere live.
CallSphere ships complete AI voice agents per industry — 14 tools for healthcare, 10 agents for real estate, 4 specialists for salons. See how it actually handles a call before you book a demo.
Are sentiment scores "automated decisions"? A score alone is not a decision. A score that triggers a routing or eligibility outcome is.
Does Law 25 reach extraterritorially? Yes — it follows the personal information of Quebec residents wherever the controller sits.
Can French be substituted with English? The Charter of the French Language requires French; bilingual notices are common.
Sources
- CAI (Commission d'accès à l'information) Site: https://www.cai.gouv.qc.ca/
- Law 25 — Government of Quebec: https://www.quebec.ca/en/government/work-government/access-information-privacy/protection-personal-information
- LegisQuebec — Act respecting privacy in private sector: https://www.legisquebec.gouv.qc.ca/en/document/cs/p-39.1
- Torys CAI AI Workplace Guidance Analysis: https://www.torys.com/our-latest-thinking/publications/2025/06/quebec-privacy-regulator-identifies-best-practices-for-the-use-of-ai-in-the-workplace
- Fasken Bill 64 ADM Article: https://www.fasken.com/en/knowledge/loi-25/5-new-rules-for-automated-decision-making
Try CallSphere AI Voice Agents
See how AI voice agents work for your industry. Live demo available -- no signup required.