Skip to content
perkaria
All resources
Law 25 & CASL

Law 25 for small business marketing: the plain-language 2026 checklist

5 min read

Law 25 is Québec's privacy law, and it applies to you. Not just to banks and telecoms — to any private business that holds personal information about people. A café with a birthday list, a salon with client files, a boutique with a texting list: all covered, and held to the same obligations as the big chains.

The scale of the work is different, though. For a shop, most of Law 25 comes down to a handful of habits you set up once, plus tools that were built with the rules in mind. Here's the checklist, in the order it's worth doing.

First, know what the law actually covers

Personal information is anything that identifies a person: a name, a cell number, an email, a birthday, a language preference, what someone bought and when. If you keep a customer list of any kind, you hold exactly that. A loyalty program is a file of personal information on purpose — that's what makes it useful, and it's why Law 25 concerns your marketing before it concerns your lawyer. The law doesn't say don't collect. It says collect deliberately, with real consent, and take care of what you keep.

Step 1: name your privacy officer (it's probably you)

Every business, whatever its size, needs a person responsible for protecting the personal information it holds. By default, the law gives the job to the person with the highest authority — in a small business, that's you, the owner. You can delegate it in writing to someone you trust, but you don't have to.

  • Decide who holds the role. If it's you, the decision is made — write it down anyway.
  • Publish that person's title and contact details, typically on the privacy page of your website.
  • Know what the role means: this person answers what do we collect, who can see it, and how a customer asks for their file.

Step 2: list what you collect, and why

This is an hour with a coffee, not a consulting mandate. Write down every place customer information lives, then give every piece of it a job. The law's rule of thumb is necessity: collect only what your stated purpose actually requires.

  • What: names, cell numbers, birthdays, language, visit history. Name each item.
  • Where: your POS, your loyalty platform, a spreadsheet, the paper book beside the register, your inbox.
  • Why: the birthday feeds the birthday reward; the cell number carries the member's card and the texts they said yes to.
  • Anything without a job shouldn't be collected. A stamp card has no business asking for a home address.

Step 3: consent that would survive a second look

Under Law 25, consent has to be clear, free and informed, given for specific purposes, and requested in simple terms, separately from everything else. Behind a counter, that translates into four habits:

  • No pre-ticked boxes, ever. The customer actively says yes.
  • Joining the loyalty program and receiving marketing texts are two different purposes — so two separate yeses.
  • Say what they're agreeing to at the moment you ask: offers and reminders by text, from this store, with an opt-out that works.
  • Keep proof: who consented, to what, when. The tool that holds your list should hold that record too.

This is where your choice of tool either protects you or quietly exposes you. In Perkaria's campaigns, the marketing-text consent is its own explicit checkbox at enrolment — never bundled into joining — and every send is logged: who, when, what.

Step 4: stop keeping what's done its job

Once the purpose is fulfilled, personal information has to be destroyed or anonymized. Keeping everything forever, just in case, is precisely what the law is written against. Customers also have the right to see the file you hold on them and to have it corrected.

  • Set a routine for stale data: decide what happens to contacts who opted out and lists that no longer serve a purpose.
  • Be able to answer an access request from one place, without an archaeology dig through old exports.
  • Mind the exceptions: invoices and tax records follow their own retention rules. Purging marketing data doesn't mean shredding your books.

Step 5: a breach plan shorter than a page

A confidentiality incident is any loss, theft or unauthorized access to personal information: a stolen laptop, a compromised inbox, an export emailed to the wrong person. The law asks three things of you, and none of them requires an IT department.

  • Keep a register of incidents, including the small ones.
  • If an incident poses a risk of serious injury, notify the Commission d'accès à l'information and the people affected.
  • Shrink the blast radius in advance: the fewer places your customer list lives, the less there is to lose. One system with controlled access beats four spreadsheets.

Where your loyalty list fits

Law 25 governs how you hold personal information; Canada's anti-spam law, CASL, governs how you send to it. A clean loyalty program does both: real consent going in, disciplined messaging going out. The second half is worth automating, because it's the half that fails at 10 p.m. on a Friday, when a human is supposed to remember the rule.

That's why Perkaria puts the guardrails in the engine rather than in a training binder: marketing texts respect quiet hours from 9 p.m. to 9 a.m., are capped at two per member per week, and a STOP or ARRET reply is honoured the moment it arrives. The loyalty program itself runs on the same idea — ask for little, say why, log everything. And if you want to see the whole loop before you commit, how it works walks through it from enrolment to reward.

Ready to meet your regulars?

Book a 20-minute demo — we'll set up a sample program with your brand on it, live, while we talk.