{"id":1333,"slug":"quebec-law-25-gdpr-ccpa-analog","title":"Quebec Law 25, GDPR (EU/UK), CCPA/CPRA (US) — analog privacy regimes; Quebec Law 25 specifically imposes stronger GDPR-comparable obligations than PIPEDA","kind":"reference","scope":"business","status":"current","audiences":["kevin","smb-owner","candid-team"],"topics":["regulatory-compliance","privacy-pipeda"],"reference_body":"**Claim:** **Quebec Law 25** imposes stronger, GDPR-comparable obligations than PIPEDA. **GDPR (EU/UK)** and **US state laws (CCPA/CPRA)** are analogous equivalents elsewhere.\n\n**Source:** gdprlocal.com\n\n**Confidence:** Verified.\n\n**Why this matters for Candid:** Any Candid client with Quebec, EU/UK, or California-resident customers must satisfy the stricter regime. The bought-portal vendor selection should explicitly include the regime the SMB lives under (most US-only portals have weaker Canadian / EU / Quebec posture).","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"pipeda-core-duties-consent-safeguarding-access","title":"PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights","kind":"reference","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"research-brief-client-portals-smb-june-2026","title":"Research brief: client portals for SMBs — the honest case (June 2026)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"rule-treat-data-custody-as-line-item","title":"R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch","kind":"rule","scope":"business","link_type":"depends-on"}]},"created_at":"2026-06-20T17:57:32.199Z","updated_at":"2026-06-20T17:57:32.199Z"}