
Quebec Law 25 for Online Tutors: What You Actually Need to Do

A plain-English checklist for solo tutors under Quebec Law 25 — consent, data minimisation, cross-border storage, portability, and deletion.

By Classentra Team

If you are an independent tutor, coach, or teacher running a business out of Quebec — or serving Quebec-resident students — Law 25 applies to you. It does not matter that you are a solo operation with no HR department and no legal team. The law does not have a small-business carve-out for personal information obligations.

This post is not legal advice. It is a practical checklist of what actually matters for a one-person tutoring business operating under Law 25 (formally An Act to modernize legislative provisions as regards the protection of personal information).

What Law 25 actually is

Law 25 is Quebec's privacy law for the private sector. It modernised the Act Respecting the Protection of Personal Information in the Private Sector and rolled out in three phases (2022, 2023, 2024). As of 2024 it is fully in force.

For a tutoring business, the regulator you care about is the Commission d'accès à l'information du Québec (CAI).

The six obligations you actually have

If I had to compress Law 25 for a solo tutor into bullet points, these are the ones that materially apply:

  1. Designate a person in charge of personal information. In a solo business, that person is you. Publish their contact info (yours) on your website and in any agreement with students or parents.
  2. Get specific, informed, and granular consent before collecting personal information. Bundled "I agree to everything" terms are out. Consent for the core service (running lessons) is separate from consent for marketing (future newsletter).
  3. Minimise what you collect. Do not ask for a postal address if all you need is an email. Do not keep prior-year homework files "just in case".
  4. Disclose cross-border transfers. If any data leaves Canada — including by sitting in a US-based cloud — you must (a) perform a privacy impact assessment, and (b) tell the student (or parent) about it.
  5. Honour access, portability, and deletion requests within 30 days of receipt. Portability specifically means providing the data in a structured, commonly used, technological format. JSON, CSV, PDF all qualify.
  6. Report confidentiality incidents to the CAI and to affected individuals if there is a risk of serious injury. Keep an incident register even when you don't need to notify.

What this looks like in practice

Consent

Your sign-up flow (or intake form) should have separate checkboxes:

  • One for service delivery: "I consent to Classentra / my tutor collecting the information needed to run my sessions."
  • One for marketing: "I consent to receiving occasional emails about new courses and updates." (Unchecked by default.)
  • One for data sharing with third parties if applicable: analytics, video provider, etc.

Log the timestamp and IP of each consent. You will need to prove it later if asked.
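One way to keep that proof is an append-only consent ledger with one entry per checkbox. This is an added example, not Classentra's code; the purpose names, the `ConsentLedger` class and the stored checkbox wording are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# One purpose per checkbox in the intake form (names are illustrative).
PURPOSES = ("service_delivery", "marketing", "third_party_sharing")

@dataclass(frozen=True)
class ConsentEvent:
    student_id: str
    purpose: str
    granted: bool
    timestamp: datetime  # stored in UTC
    ip: str
    wording: str         # exact text shown next to the checkbox (assumption)

class ConsentLedger:
    """Append-only: a withdrawal is a new event, never an edit or delete."""
    def __init__(self):
        self._events = []

    def record(self, student_id, purpose, granted, ip, wording, when=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ip = str(ipaddress.ip_address(ip))  # raises ValueError if malformed
        when = when or datetime.now(timezone.utc)
        event = ConsentEvent(student_id, purpose, granted, when, ip, wording)
        self._events.append(event)
        return event

    def current(self, student_id):
        """Latest decision per purpose; a box never ticked stays False."""
        state = {p: False for p in PURPOSES}
        for e in self._events:
            if e.student_id == student_id:
                state[e.purpose] = e.granted
        return state

    def proof(self, student_id, purpose):
        """Full history for one purpose, oldest first."""
        return [e for e in self._events
                if e.student_id == student_id and e.purpose == purpose]

def demo():
    # Constructed sample data; 203.0.113.7 is a documentation-range address.
    ledger = ConsentLedger()
    ledger.record("stu-1", "service_delivery", True, "203.0.113.7", "run my sessions")
    ledger.record("stu-1", "marketing", True, "203.0.113.7", "occasional emails")
    ledger.record("stu-1", "marketing", False, "203.0.113.7", "unsubscribe link")
    return ledger
```

Because each purpose is tracked separately, withdrawing marketing consent leaves service-delivery consent untouched, and the earlier grant stays in the history.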

Minimisation

Do not collect birthdate unless a session type requires it. Do not collect addresses for online-only tutoring. Do not archive conversations from students who cancelled two years ago — delete them on a schedule.

Cross-border transfers

If you use a US-based video platform, a US-based email provider, or a US-based file storage service, your data crosses the border. You need to:

  • State this clearly in your privacy policy.
  • Do an internal Privacy Impact Assessment (PIA). For a solo business this is a one-page document; it still needs to exist.
  • Ensure the provider has equivalent protection to Quebec law — this is the clause that matters.

Portability and deletion

If a parent emails you asking for their child's records, you have 30 days. Build the muscle now: can you, today, export everything you hold on a given student into a single ZIP within a few minutes? If not, you are one request away from being out of compliance.

Classentra ships this as a self-service button in account settings — the student (or their parent) clicks Export my data and receives a ZIP with every session, message, material, assignment, grade, and notification. Deletion is a separate button in the same screen, and erasure propagates through the system within 24 hours.

If you build your own stack, you need the equivalent. A "we'll get back to you" email is not a compliance strategy.
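For a self-built stack, the export can be a short script. The sketch below is an added example, not Classentra's implementation; the in-memory `store` layout, the category names and the calendar-day reading of the 30-day window are assumptions. The point to check is that the ZIP contains only the requesting student's rows.

```python
import csv
import io
import json
import zipfile
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 30  # deadline from the checklist, counted in calendar days

def response_due(received: date) -> date:
    """Date by which an access, portability or deletion request must be answered."""
    return received + timedelta(days=RESPONSE_WINDOW_DAYS)

def export_student(store: dict, student_id: str) -> bytes:
    """Return ZIP bytes with a JSON and a CSV file per record category."""
    buf = io.BytesIO()
    manifest = {"student_id": student_id, "files": {}}
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for category, rows in store.items():
            # Filter first: an export must never leak another student's rows.
            mine = [r for r in rows if r.get("student_id") == student_id]
            zf.writestr(f"{category}.json", json.dumps(mine, indent=2))
            fields = sorted({key for r in mine for key in r})
            out = io.StringIO()
            writer = csv.DictWriter(out, fieldnames=fields)
            writer.writeheader()
            writer.writerows(mine)
            zf.writestr(f"{category}.csv", out.getvalue())
            manifest["files"][category] = len(mine)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return buf.getvalue()

# Constructed sample records for two students.
SAMPLE_STORE = {
    "sessions": [
        {"student_id": "stu-1", "date": "2025-02-03", "topic": "fractions"},
        {"student_id": "stu-2", "date": "2025-02-04", "topic": "essay plan"},
    ],
    "messages": [
        {"student_id": "stu-1", "sent": "2025-02-03T18:00:00Z", "body": "See you Monday"},
    ],
    "grades": [
        {"student_id": "stu-2", "assignment": "quiz 1", "grade": "B+"},
    ],
}
```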

What you can skip (as a solo tutor)

These parts of Law 25 exist but are unlikely to apply at a one-person scale:

  • Automated decision-making disclosures. Only applicable if you use an AI system to make a decision about a student without human involvement (e.g. auto-grading that affects standing). For a human-in-the-loop tutor, this does not trigger.
  • DPO appointment beyond yourself. A solo business's "person in charge" is the owner. No second person needed.
  • Mandatory written PIA for every vendor. Good practice, but the CAI's guidance focuses on significant transfers. A one-page internal note per major vendor is the realistic floor.

The bottom line

Law 25 is not optional and it is not scary. The real work is:

  • A privacy policy that reflects reality, not a template.
  • An intake flow with granular, logged consent.
  • A named person in charge (you), contactable.
  • A process — even if manual — for responding to access / portability / deletion within 30 days.
  • An incident register.

If you pick a platform, pick one built in Canada or one that gives you the tools to meet these obligations without extra legal work. If you want to see what that looks like in practice, try Classentra — Law 25 compliance is baked in.