How to Handle a Law 25 Data Access Request in 30 Days
Table of Contents
- What Is a Law 25 Data Access Request?
- Who Must Comply with Law 25 DSARs?
- The 30-Day Deadline: What You Need to Know
- Step-by-Step: How to Respond to a DSAR
- What Data Must Be Included in the Report?
- When Can You Refuse a Request?
- How cookie-banner.ca Handles DSARs for You
- DSAR Response Checklist
- Frequently Asked Questions
What Is a Law 25 Data Access Request?
Quebec's Law 25 (formally the Act respecting the protection of personal information in the private sector) gives every Quebec resident the right to request access to all personal information an organization holds about them.
This right of access (droit d'accès) covers:
- What data you hold about the individual
- Why you collected it (the purpose)
- Who has access to it (categories of persons)
- How long you keep it (retention periods)
- Where it came from (the source, if applicable)
For organizations running cookie consent banners, this typically includes consent records, IP addresses, device fingerprints, browsing behavior, and analytics data collected through your website.
Key difference from GDPR: While the GDPR's right of access (Article 15) is well-known, Law 25's version carries significantly higher penalties relative to the Canadian market. The $25 million CAD maximum is comparable to the GDPR's fines but applies specifically to Quebec operations that many Canadian businesses overlook.
Who Must Comply with Law 25 DSARs?
Law 25 applies to any organization that collects, uses, or discloses personal information of Quebec residents, regardless of where the organization is based.
You must comply if:
| Scenario | Subject to Law 25? |
|----------|-------------------|
| Business based in Quebec | Yes |
| Business outside Quebec with Quebec customers | Yes |
| Website that uses cookies and gets Quebec visitors | Yes |
| Business with no Quebec-connected data at all | No |
If your website deploys a cookie banner and receives traffic from Quebec, you are almost certainly processing personal information of Quebec residents. That means you must be prepared to handle data access requests.
The Commission d'accès à l'information du Québec (CAI) is the regulatory body that enforces Law 25 and investigates complaints about unresponded DSARs.
The 30-Day Deadline: What You Need to Know
The single most important rule for DSARs under Law 25: you have 30 calendar days from receipt to respond.
Here is how the deadline works:
- Day 1 starts when you receive the request (in your organization's local timezone)
- Calendar days count, including weekends and holidays
- The 30-day clock cannot be paused (unlike GDPR, which allows a 2-month extension for complex requests)
- You must respond within 30 days even if you are refusing the request
What happens if you miss the deadline?
The CAI can impose:
- Administrative monetary penalties: up to $10 million CAD or 2% of worldwide turnover (whichever is greater)
- Penal penalties: up to $25 million CAD or 4% of worldwide turnover for more serious violations
- Reputational damage: CAI decisions are public and searchable
These penalties escalated significantly when Law 25's final provisions came into force in September 2024. Organizations that previously had informal DSAR processes now face real enforcement risk.
Step-by-Step: How to Respond to a DSAR
Step 1: Receive and Log the Request
When you receive a data access request (by email, letter, or web form), immediately:
- Record the date of receipt — this starts the 30-day clock
- Note the requester's identifier — their name, email, or IP address
- Assign an internal tracking ID — you'll need this for your audit trail
- Calculate the deadline — exactly 30 calendar days from receipt
Pro tip: Use a system that automatically tracks deadlines and sends you reminders. Missing a deadline by even one day can trigger a formal complaint to the CAI.
Step 2: Verify the Requester's Identity
Law 25 requires reasonable measures to verify the identity of the person making the request before releasing any personal information. You must not release data to an unverified requester.
Accepted verification methods include:
- Government ID — driver's license, passport, or provincial ID
- Email confirmation — send a verification link to the email address on file
- In-person verification — if the requester visits your office
- Knowledge-based verification — questions only the real person could answer
Document your verification method and the date verified. This is part of your compliance evidence.
Step 3: Gather All Personal Data
Search every system where you store personal information about the requester. For cookie consent platforms, this typically includes:
- Consent records (accept, reject, dismiss events)
- IP addresses collected during banner interactions
- User agent strings and device information
- Geographic location (country, region)
- Page paths where the banner was displayed
- Analytics data (decision times, returning visitor flags)
- GPC (Global Privacy Control) signal status
Step 4: Prepare the Report
Compile the data into a structured, readable format. Law 25 requires that the information be intelligible to the requester — a raw database dump is not sufficient.
Your report should include:
- Personal data held — organized by category
- Processing purposes — why each category was collected
- Legal basis — the lawful reason for processing
- Retention periods — how long each data type is kept
- Third-party disclosures — who else has access
If the requester speaks French, you should provide the report in French. Quebec's Charter of the French Language applies here.
Step 5: Deliver the Response
Send the report to the requester within the 30-day deadline. Keep proof of delivery (email read receipt, registered mail tracking, etc.) as part of your audit trail.
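Steps 1 to 5 above as one runnable workflow. This is an added illustration, not code from cookie-banner.ca or from the page: every function name, the sample records, the category metadata (purpose, legal basis, retention, third parties) and the privacy officer's identifier are constructed assumptions. The organization's local timezone is stood in for by a fixed UTC-5 offset, and "30 calendar days from receipt" is implemented as the local receipt date plus 30 days; confirm that reading with counsel before relying on it.

```python
"""Minimal Law 25 DSAR workflow: intake and deadline, identity gate, gathering
across systems, a per-category report with partial refusals, delivery proof,
and an audit trail. Added example; all names and data below are constructed."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Optional
import uuid

RESPONSE_DAYS = 30                              # calendar days; the clock never pauses
DAY = timedelta(days=1)
EST = timezone(timedelta(hours=-5), "EST")      # assumed organisation timezone
SAMPLE_RECEIVED = datetime(2025, 3, 1, 9, 30, tzinfo=EST)   # constructed receipt time
ACCEPTED_METHODS = {"government_id", "email_confirmation", "in_person", "knowledge_based"}
CONTEST_NOTICE = ("You may contest this refusal with the Commission d'accès "
                  "à l'information du Québec (CAI).")

# Constructed sample stores keyed by category; each row names its data subject.
SYSTEMS = {
    "consent_records": [
        {"subject": "alice@example.com", "event": "accept", "ts": "2025-03-01T10:02:11-05:00", "ip": "203.0.113.7"},
        {"subject": "bob@example.com", "event": "reject", "ts": "2025-03-01T11:45:00-05:00", "ip": "198.51.100.4"},
    ],
    "technical_identifiers": [
        {"subject": "alice@example.com", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "device": "desktop"},
    ],
    "crm": [
        {"subject": "alice@example.com", "plan": "pro", "note": "joint ticket with carol@example.com"},
    ],
}
# Purpose, legal basis, retention and third parties accompany each category (assumed values).
CATEGORY_INFO = {
    "consent_records": {"purpose": "record cookie consent decisions", "legal_basis": "consent",
                        "retention": "36 months", "shared_with": []},
    "technical_identifiers": {"purpose": "consent-log integrity and fraud prevention",
                              "legal_basis": "legitimate business purpose",
                              "retention": "12 months", "shared_with": ["Google Analytics"]},
    "crm": {"purpose": "customer account management", "legal_basis": "contract",
            "retention": "account lifetime + 24 months", "shared_with": []},
}

@dataclass
class DSARRequest:
    requester: str
    received_at: datetime                 # tz-aware; Step 1 starts the clock here
    tracking_id: str = field(default_factory=lambda: "DSAR-" + uuid.uuid4().hex[:8])
    verified: bool = False
    verification: Optional[dict] = None
    audit: list = field(default_factory=list)

    def log(self, action: str, at: datetime, **details) -> None:
        self.audit.append({"ts": at.isoformat(), "action": action, **details})

def deadline(received_at: datetime) -> date:
    """Step 1: receipt date in local time plus 30 calendar days (weekends and
    holidays included). Receipt on 1 March gives a 31 March due date."""
    return received_at.date() + RESPONSE_DAYS * DAY

def open_request(requester: str, received_at: datetime) -> DSARRequest:
    req = DSARRequest(requester, received_at)
    req.log("request_received", received_at, deadline=deadline(received_at).isoformat())
    return req

def verify_identity(req: DSARRequest, method: str, verified_by: str, at: datetime, note: str = "") -> None:
    """Step 2: record who verified, when and how; the report stays locked until then."""
    if method not in ACCEPTED_METHODS:
        raise ValueError(f"unsupported verification method: {method}")
    req.verified = True
    req.verification = {"method": method, "by": verified_by, "at": at.isoformat(), "note": note}
    req.log("identity_verified", at, method=method, by=verified_by)

def gather(subject: str) -> dict:
    """Step 3: search every system, not only the consent platform."""
    return {cat: [r for r in rows if r["subject"] == subject] for cat, rows in SYSTEMS.items()}

def build_report(req: DSARRequest, at: datetime, refusals: Optional[dict] = None) -> dict:
    """Step 4: one section per category with its purpose, basis, retention and
    third parties. A refused section carries the written reason and the
    requester's right to contest instead of the records."""
    if not req.verified:
        raise PermissionError("identity not verified; report generation blocked")
    refusals = refusals or {}
    sections = {}
    for cat, rows in gather(req.requester).items():
        if not rows:
            continue                      # nothing held in this category
        if cat in refusals:
            sections[cat] = {"status": "refused", "reason": refusals[cat], "contest": CONTEST_NOTICE}
        else:
            sections[cat] = {"status": "provided", "records": rows, **CATEGORY_INFO[cat]}
    req.log("report_generated", at, refused=sorted(refusals))
    return {"tracking_id": req.tracking_id, "requester": req.requester,
            "deadline": deadline(req.received_at).isoformat(), "sections": sections}

def deliver(req: DSARRequest, sent_at: datetime, proof: str) -> bool:
    """Step 5: log delivery with its proof; returns False when the deadline was missed."""
    on_time = sent_at.date() <= deadline(req.received_at)
    req.log("response_delivered", sent_at, proof=proof, on_time=on_time)
    return on_time

def run_demo() -> dict:
    """One request end to end on the constructed data, with the CRM section refused."""
    req = open_request("alice@example.com", SAMPLE_RECEIVED)
    verify_identity(req, "email_confirmation", "privacy.officer", SAMPLE_RECEIVED + 2 * DAY)
    report = build_report(req, SAMPLE_RECEIVED + 10 * DAY,
                          refusals={"crm": "would reveal personal information about another individual"})
    on_time = deliver(req, SAMPLE_RECEIVED + 12 * DAY, "email read receipt")
    return {"request": req, "report": report, "on_time": on_time}

if __name__ == "__main__":
    result = run_demo()
    print(result["on_time"], result["report"]["deadline"], [e["action"] for e in result["request"].audit])
```

The audit list on the request object is the evidence trail the checklist asks you to keep: each step appends a timestamped entry, and `build_report` refuses to run until `verify_identity` has recorded a method, a verifier and a time.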
What Data Must Be Included in the Report?
For organizations using cookie consent management platforms, here is what Law 25 requires you to disclose:
| Data Category | Example Data | Must Include? |
|--------------|-------------|--------------|
| Consent records | Accept/reject decisions, timestamps | Yes |
| Technical identifiers | IP addresses, user agents | Yes |
| Device information | Device type, browser, OS | Yes |
| Location data | Country, region derived from IP | Yes |
| Behavioral data | Pages visited, decision time | Yes |
| Analytics aggregates | Daily statistics, visit counts | Yes |
| Processing purposes | Why each data type is collected | Yes |
| Retention schedule | How long data is kept | Yes |
| Third-party sharing | Google Analytics, ad networks | Yes |
Important: You must include data from all systems, not just your cookie consent platform. If you also store the person's data in a CRM, email marketing tool, or customer database, that data is also subject to the access request.
When Can You Refuse a Request?
Law 25 section 28 allows you to refuse a data access request — fully or partially — in specific circumstances:
- Third-party information: Disclosure would reveal personal information about another individual
- Investigation prejudice: Releasing the data would compromise an ongoing investigation
- Legal privilege: The information is protected by solicitor-client privilege
- Unreasonable effort: The information cannot be isolated from other data without disproportionate effort
- Commercial secrets: Disclosure would reveal confidential commercial information
Partial refusal
You don't have to refuse the entire request. Under Law 25, you can provide partial access — releasing the sections you can while refusing the specific data that falls under an exemption. You must:
- Identify which specific sections are refused
- Provide a written reason for each refusal
- Inform the requester of their right to contest the refusal with the CAI
Always document your refusal reasoning. The CAI may review it.
How cookie-banner.ca Handles DSARs for You
Most cookie consent tools stop at the banner. They help you collect consent but leave you on your own when someone asks to see their data.
cookie-banner.ca Pro includes a built-in DSAR workflow that handles the entire process:
Automatic Deadline Tracking
Create a DSAR request in your dashboard and the system calculates the 30-day deadline based on your organization's timezone. Color-coded indicators show green (>15 days), yellow (7-15 days), and red (<7 days remaining). Daily monitoring alerts you before deadlines expire.
Identity Verification Gate
No report is generated until you confirm the requester's identity. Choose your verification method (government ID, email confirmation, in-person, or other), add notes, and the system records who verified, when, and how — creating an audit trail for compliance evidence.
One-Click Report Generation
Once identity is verified, generate a complete data access report with one click. The report pulls all personal data held about the individual across your consent records, banner analytics, and technical data — scoped strictly to your organization's data.
Reports are available in JSON or CSV format, with bilingual section headers in English and French.
Secure Download with Signed URLs
Reports are stored in encrypted private storage. Download links are time-limited (15 minutes) and cannot be shared or reused. Every download is logged in your audit trail.
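One way to build download links with the properties described above (time-limited, not reusable, every download logged), as an added example rather than cookie-banner.ca's implementation: the link carries the report id, an expiry timestamp and a random nonce, all bound by an HMAC-SHA256 tag, and the server keeps a registry of nonces it has already honoured. The host name, query parameter names, in-memory stores and the process-local signing key are assumptions; a real deployment keeps the key in a secrets manager and the nonce registry in a database.

```python
"""HMAC-signed, 15-minute, single-use download links for DSAR reports.
Added example; URL layout, parameter names and storage are assumptions."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = secrets.token_bytes(32)     # would live in a secrets manager
LINK_TTL = 15 * 60                         # seconds a link stays valid
_used_nonces = set()                       # single-use registry (database in practice)
download_log = []                          # audit entries for honoured downloads

def _tag(report_id: str, expires: int, nonce: str) -> str:
    """MAC over every field the server will trust, so none can be edited."""
    msg = f"{report_id}|{expires}|{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def make_link(report_id: str, now: float = None) -> str:
    now = int(time.time() if now is None else now)
    expires = now + LINK_TTL
    nonce = secrets.token_urlsafe(16)
    query = urlencode({"r": report_id, "e": expires, "n": nonce,
                       "s": _tag(report_id, expires, nonce)})
    return f"https://dsar.example.invalid/download?{query}"

def check_link(url: str, now: float = None, client_ip: str = "0.0.0.0"):
    """Returns (ok, reason). A link is honoured once, before expiry, only if
    its tag verifies; a tampered link is rejected before anything else."""
    now = int(time.time() if now is None else now)
    params = parse_qs(urlsplit(url).query)
    try:
        report_id, nonce, sig = params["r"][0], params["n"][0], params["s"][0]
        expires = int(params["e"][0])
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _tag(report_id, expires, nonce)):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "already used"
    _used_nonces.add(nonce)               # consume before serving
    download_log.append({"report": report_id, "ip": client_ip, "at": now})
    return True, "ok"

if __name__ == "__main__":
    link = make_link("report-DSAR-demo")
    print(check_link(link, client_ip="203.0.113.7"))   # constructed client address
    print(check_link(link))                             # second use is refused
```

`hmac.compare_digest` avoids leaking tag bytes through timing, and the nonce is consumed before the file is served, so two requests racing on the same link cannot both succeed once the registry is a transactional store.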
Partial Refusal Support
Need to refuse part of a request? Select which report sections to exclude, provide a reason for each, and the system generates a report clearly marking which sections were refused and why — exactly what the CAI expects to see.
Full Audit Trail
Every action — request creation, identity verification, report generation, downloads — is logged with timestamps, user IDs, and IP addresses. This is your evidence of compliance if the CAI ever investigates.
DSAR Response Checklist
Use this checklist for every Law 25 data access request:
- [ ] Request received and date recorded
- [ ] 30-day deadline calculated (accounting for timezone)
- [ ] Internal tracking ID assigned
- [ ] Requester's identity verified (method documented)
- [ ] All data systems searched for the individual's data
- [ ] Report compiled in an intelligible format
- [ ] Processing purposes, legal basis, and retention periods included
- [ ] Third-party disclosures documented
- [ ] Report language matches requester's preference (EN/FR)
- [ ] Partial refusal documented with reasons (if applicable)
- [ ] Response delivered within 30-day deadline
- [ ] Proof of delivery saved
- [ ] Full audit trail preserved for a minimum of 36 months
Frequently Asked Questions
How long do I have to respond to a Law 25 data access request?
You have 30 calendar days from the date you receive the request. This deadline runs from the date of receipt in your organization's local timezone, not the date you begin processing. Failing to respond within 30 days can result in penalties of up to $25 million CAD or 4% of worldwide turnover.
Can I refuse a data access request under Law 25?
Yes. Under Law 25 section 28, you can fully or partially refuse a request if disclosure would reveal information about a third party, prejudice an investigation, or if the information cannot be isolated without unreasonable effort. You must document the reason for refusal and inform the requester of their right to contest with the CAI.
Do I need to verify identity before responding to a DSAR?
Yes. Law 25 requires organizations to take reasonable measures to verify the identity of the person making the request before releasing any personal information. Accepted methods include government ID verification, email confirmation, or in-person verification.
What data must I include in a Law 25 access report?
You must include all personal information held about the individual, the purposes for which it was collected, the categories of persons who have access to it, and the retention period. For cookie consent platforms, this includes consent records, IP addresses, device information, and analytics data.
Does Law 25 apply to my business outside Quebec?
Law 25 applies if you collect, use, or disclose personal information of Quebec residents, regardless of where your business is located. If your website uses cookies and receives visitors from Quebec, you are likely subject to Law 25.
What is the penalty for not responding to a data access request?
The CAI can impose administrative penalties of up to $10 million CAD or 2% of worldwide turnover. For more serious violations, penal penalties can reach $25 million CAD or 4% of worldwide turnover. Decisions are public.
How is a Law 25 DSAR different from a GDPR subject access request?
The core concept is the same, but Law 25 has a stricter 30-day deadline with no extension option (GDPR allows up to 3 months). Law 25 also carries penalties scaled to the Canadian market — up to $25 million CAD — making it the most stringent privacy law in Canada.
Do I need to provide the report in French?
If the requester communicates in French, best practice is to provide the report in French. Quebec's Charter of the French Language encourages French-language communications. cookie-banner.ca's DSAR reports include bilingual labels in both English and French.
Take Action Before the Next Request Arrives
The average organization receives its first Law 25 data access request without warning. When it arrives, the 30-day clock starts immediately — and scrambling to build a manual process under deadline pressure is how organizations miss deadlines and face CAI complaints.
cookie-banner.ca Pro gives you the complete DSAR workflow: deadline tracking, identity verification, automated report generation, secure delivery, and a full audit trail. It's the only cookie consent platform built specifically for Canadian privacy law compliance, including Law 25.