Québec's Law 25 requires every business to protect the personal information it holds — and email is one of the main entry points for incidents. Here is the concrete link, without legal jargon.
Since September 2023, every business operating in Québec — whatever its size — must protect the personal information it holds with reasonable security measures, report confidentiality incidents that present a risk of serious injury, and designate a privacy officer.
A domain without protection (SPF, DKIM, DMARC) lets anyone send emails that appear to come from your company. Concretely: a fraudster writes to your customers "from you" to extract payments or personal information. That is a confidentiality incident under the law — with the reporting obligation and reputational risk that come with it.
Québec's privacy regulator (CAI) can impose significant administrative penalties. More importantly: demonstrating you had taken reasonable measures (like DMARC in "reject" mode) completely changes how an incident is assessed.
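The two paragraphs above turn on one detail: what a receiving mail server finds when it looks up your domain's SPF and DMARC records, and whether the DMARC policy is "reject". The following script is an added example written for this article (it is not part of the page's own checker); it parses SPF and DMARC TXT records and rates the spoofing exposure they leave. The records are constructed samples embedded inline so it runs offline; a real check would fetch the TXT records from DNS first.

```python
"""Rate a domain's email-spoofing exposure from its SPF and DMARC TXT records.

The sample records below are constructed for illustration, not real domains.
"""


def parse_dmarc(txt):
    """Return a tag->value dict for a DMARC record, or None if it is not one."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(txt):
    """Return (mechanisms, qualifier of the 'all' term) or None if not SPF.

    The qualifier is '+', '-', '~' or '?'; an 'all' with no prefix means '+'.
    """
    if not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def assess(spf_txt, dmarc_txt):
    """Return (rating, findings) where rating is one of
    'unprotected', 'monitoring', 'partial' or 'enforced'."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None

    if spf is None:
        findings.append("no SPF record: receivers cannot tell which servers may send for this domain")
    else:
        _, all_qualifier = spf
        if all_qualifier in (None, "+"):
            findings.append("SPF ends in '+all' or has no 'all': any sender passes")
        elif all_qualifier == "?":
            findings.append("SPF ends in '?all' (neutral): no effect on unauthorized senders")

    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to apply to spoofed mail")
        return "unprotected", findings

    policy = dmarc.get("p", "none").lower()
    try:
        pct = int(dmarc.get("pct", "100"))  # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy == "none":
        findings.append("DMARC p=none: reports only, spoofed mail is still delivered")
        return "monitoring", findings
    if policy == "quarantine" or pct < 100:
        findings.append(f"DMARC p={policy} pct={pct}: only part of spoofed mail is acted on")
        return "partial", findings
    if policy == "reject":
        return "enforced", findings
    findings.append(f"DMARC has unrecognised policy '{policy}'")
    return "unprotected", findings


# Constructed sample records (hypothetical domains) covering the three postures.
SAMPLES = {
    "unprotected.example": ("v=spf1 include:_spf.example.net +all", None),
    "monitoring.example": ("v=spf1 include:_spf.example.net -all",
                           "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"),
    "enforced.example": ("v=spf1 include:_spf.example.net -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        rating, findings = assess(spf_txt, dmarc_txt)
        print(f"{domain}: {rating}")
        for finding in findings:
            print(f"  - {finding}")
```

Only "enforced" corresponds to the "reject" mode the article refers to; "monitoring" (p=none) collects reports but still lets spoofed mail through, which is why it does not count as protection on its own.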
If your site collects any information at all (contact form, newsletter, orders), the law applies there too: HTTPS is in practice mandatory, security headers are needed to limit script injection, and the SSL/TLS certificate must be valid. A compromised site that leaks customer data is a reportable incident.
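The "security headers" mentioned above are a small set of HTTP response headers the browser enforces. The following checker is an added example written for this article (not the page's own test); it inspects a response's headers for the protections most relevant to a form-collecting site. The header sets are constructed samples so it runs offline; in practice the headers would come from an HTTPS response to your site.

```python
"""Check HTTP response headers for the basic protections a data-collecting site needs.

The WEAK and STRONG header sets are constructed samples, not captured from a real site.
"""


def parse_csp(value):
    """Return {directive: [sources]} for a Content-Security-Policy header value."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_headers(headers, served_over_https=True):
    """Return a list of findings; an empty list means the basics are in place."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    if not served_over_https:
        findings.append("site not served over HTTPS: form data travels in clear text")

    # HSTS keeps browsers on HTTPS after the first visit.
    if "max-age=" not in h.get("strict-transport-security", "").lower():
        findings.append("missing Strict-Transport-Security: browsers may fall back to plain HTTP")

    # CSP is the header that actually limits script injection.
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("missing Content-Security-Policy: no limit on where scripts may load from")
    else:
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or wildcard scripts: little effect against script injection")

    # Framing control: either CSP frame-ancestors or the older X-Frame-Options.
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no frame-ancestors / X-Frame-Options: page can be framed by other sites")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy: full URLs may leak to third parties")

    return findings


# Constructed sample responses: a site with a permissive CSP and little else,
# and one with the expected set of headers.
WEAK = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
STRONG = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, headers in (("weak", WEAK), ("strong", STRONG)):
        findings = check_headers(headers)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print(f"  - {finding}")
```

The certificate validity check the article also mentions is done by the TLS handshake itself, not by headers, so it is outside this script; the header checks above are the part that addresses script injection.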
This article is a plain-language summary, not legal advice. For your specific situation, consult a professional.
Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.