The personal information you process in your invoicing software — customer names and addresses, emails, phone numbers, payment information, purchase history — is governed by two overlapping Canadian laws. Federally, it's the Personal Information Protection and Electronic Documents Act (PIPEDA) that applies to all private-sector businesses. In Quebec, since September 2023, it's Law 25 (An Act to modernise legislative provisions as regards the protection of personal information) that applies in addition to PIPEDA for information processed in Quebec. Law 25 is, on certain points, stricter than European GDPR — notably the 72-hour confidentiality incident notification and the requirement to designate a privacy officer.
Customer consent and purpose of collection
PIPEDA requires valid consent for the collection, use and disclosure of personal information. Consent must be informed (the customer knows what they consent to) and tied to a specific purpose. 4invoices distinguishes processing purposes (invoicing, payment, collections, marketing) and tracks consent per purpose. The customer can accept being invoiced but refuse marketing — both statuses are tracked independently and respected by the system.
Right to access, correction and erasure
A customer can request a copy of all personal data you hold about them (PIPEDA right of access) and require corrections (right of rectification). With Quebec's Law 25, they can also request erasure (right to be forgotten) under certain conditions, notably the end of the initial purpose. 4invoices provides a customer export in JSON or PDF in one click, retains an audit trail of changes and allows masking customer data (anonymisation) while respecting legal invoice retention obligations (6 years, per the CRA).
Confidentiality incident — 72-hour notification
Quebec's Law 25 requires notification to the CAI (Commission d'accès à l'information) and to affected individuals 'as soon as possible' in case of a confidentiality incident presenting a risk of serious harm. Established practice is 72 hours — same as GDPR. 4invoices logs every access to every customer record, every data export, every permission change. In case of compromise, you have the evidence to reconstruct what was accessed, without speculation.
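What an access log has to deliver during an incident is shown below as an added illustration (not 4invoices' own code): each entry is hash-chained to the one before it, so an after-the-fact edit or deletion is detectable, and the log can be queried for exactly which customer records were touched in a given window. User names, customer ids and timestamps are constructed for the example.

```python
# Added illustration (not 4invoices' own code): a hash-chained, append-only access log
# whose entries can be queried for an incident window. Users, ids and times are constructed.
import hashlib
import json
from datetime import datetime
GENESIS = "0" * 64  # link value before the first entry

def _entry_hash(prev_hash, event):
    """Hash the previous link plus a canonical JSON form of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AccessLog:
    def __init__(self):
        self.entries = []  # each: {"event": {...}, "prev": link, "hash": link}

    def record(self, ts, user, action, customer_id):
        """Append one event; its hash commits to every earlier entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = {"ts": ts, "user": user, "action": action, "customer_id": customer_id}
        h = _entry_hash(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": h})
        return h

    def verify(self):
        """Recompute every link; an edited, dropped or reordered entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accessed_between(self, start, end):
        """customer_id -> [(ts, user, action)] for events inside [start, end]."""
        lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
        touched = {}
        for e in self.entries:
            ev = e["event"]
            if lo <= datetime.fromisoformat(ev["ts"]) <= hi:
                touched.setdefault(ev["customer_id"], []).append((ev["ts"], ev["user"], ev["action"]))
        return touched

def build_sample_log():
    """Constructed sample: routine access by day, then a bulk export late at night."""
    log = AccessLog()
    log.record("2024-03-01T09:00:00+00:00", "alice", "view", "C-1001")
    log.record("2024-03-01T23:40:00+00:00", "contractor7", "export", "C-1002")
    log.record("2024-03-01T23:41:00+00:00", "contractor7", "export", "C-1003")
    return log
```

In a real deployment the chain head would be anchored somewhere the application cannot rewrite (a separate log store or periodic signed checkpoint), otherwise an attacker with write access to the log can simply recompute the chain.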
Mapping the two laws — federal and Quebec
Federal PIPEDA applies to inter-provincial and international commerce, and within a province that doesn't have an equivalent law. That covers most provinces. PIPEDA sets out 10 fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access, and challenging compliance. The federal Privacy Commissioner investigates complaints and can issue recommendations.
Quebec has its own law — first the Act respecting the protection of personal information in the private sector (1994), then its modernisation through Law 25 (entering into force progressively from 2022 to 2024). Law 25 adds to the federal principles: obligation to designate a person in charge of personal information protection (default = CEO), privacy impact assessments (PIA) for new projects, right to data portability (from September 22, 2024), right to be forgotten, and administrative sanctions up to $25,000,000 or 4% of worldwide turnover (whichever is higher).
For a Canadian SMB, the practical issue is complying with both laws simultaneously. Best practice: apply Quebec Law 25 standard everywhere in Canada, including for customers outside Quebec. It's simpler to operationalise and covers you in provinces (BC, Alberta) that have their own similar privacy laws. 4invoices applies the Law 25 standard by default — it's Canada's strictest, so complying with it makes you compliant everywhere.
Frequently asked
My business is in Saskatchewan, I have no Quebec customers. Does Law 25 apply?
No, Law 25 applies to information processed in Quebec — that is, concerning Quebec residents or processed by a business established in Quebec. Without either of these links, you're under federal PIPEDA only. But many businesses choose to apply the Law 25 standard everywhere — it's simpler operationally and anticipates eventual federal harmonisation.
My data is hosted in the United States. Problem?
PIPEDA and Law 25 don't prohibit hosting outside Canada, but require you to maintain the same level of protection as if the data were in Canada. In practice: a SOC 2 Type II compliant American provider with a Data Processing Agreement containing Canadian clauses is acceptable. 4invoices offers a Canadian data residency option (datacenter in Montreal or Toronto) for customers who prefer keeping data in Canada.
How long can I keep data of a customer who is no longer active?
General rule: as long as necessary for the purpose, no longer. For invoicing, the CRA requires 6 years of invoice retention (so 6 years of customer data tied to invoices). After 6 years without a new invoice, you can anonymise the customer (keeping historical invoices without identifying the customer). If the customer explicitly requests erasure before the 6 years are up, you must check whether the legal retention purpose (CRA) still applies; if it does not, you must erase.
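The retention rule above, worked through as an added example (not 4invoices' own code): the retention period is measured from the customer's last invoice, an erasure request is deferred while that period is active, and a periodic sweep anonymises lapsed customers while leaving their invoices in place. Measuring the period from the invoice date itself is a simplifying assumption; the customer and invoice records are constructed.

```python
# Added illustration (not 4invoices' own code) of the retention rule: customer data tied
# to invoices is kept RETENTION_YEARS after the last invoice, then anonymised.
from collections import namedtuple
from dataclasses import dataclass
from datetime import date
RETENTION_YEARS = 6  # CRA invoice retention period named on the page
Invoice = namedtuple("Invoice", "number customer_id issued")

@dataclass
class Customer:
    customer_id: str
    name: str
    email: str
    anonymised: bool = False

def retention_end(invoices, customer_id):
    """Date on which the retention purpose lapses; None if the customer has no invoices."""
    dates = [i.issued for i in invoices if i.customer_id == customer_id]
    if not dates:
        return None
    last = max(dates)
    try:
        return last.replace(year=last.year + RETENTION_YEARS)
    except ValueError:  # 29 February with a non-leap target year
        return last.replace(year=last.year + RETENTION_YEARS, day=28)

def anonymise(customer):
    """Mask identifying fields in place; invoices keep only the opaque customer_id."""
    customer.name = f"Anonymised customer {customer.customer_id}"
    customer.email = ""
    customer.anonymised = True
    return customer

def handle_erasure_request(customer, invoices, today):
    """Honour an erasure request unless the CRA retention purpose is still active."""
    end = retention_end(invoices, customer.customer_id)
    if end is not None and today < end:
        return f"deferred: legal retention (CRA) active until {end.isoformat()}"
    anonymise(customer)
    return "erased"

def sweep_inactive(customers, invoices, today):
    """Anonymise customers whose last invoice is older than the retention period."""
    done = []
    for c in customers:
        end = retention_end(invoices, c.customer_id)
        if end is not None and today >= end and not c.anonymised:
            anonymise(c)
            done.append(c.customer_id)
    return done
```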
Make your invoicing PIPEDA and Law 25 compliant
Free trial. Consent per purpose, one-click customer data export, immutable access log, optional Canadian data residency.