
Quebec Law 25 and enterprise mobile devices: what operations leaders need to know

Every enterprise mobile device on a Quebec warehouse floor, delivery route, or retail back room is a personal information collection point under Law 25—and most operations teams don’t realise it. The scanners, handhelds, and rugged tablets your frontline workers carry generate location data, productivity metrics, and transaction records that fall squarely within Quebec’s strictest-in-Canada privacy framework. This post explains exactly where Law 25 intersects with your mobile device fleet and what it means for how you source, configure, manage, and retire those devices.

Your Quebec mobile fleet is a privacy liability you haven’t scoped

A warehouse supervisor in Longueuil hands a Zebra TC53 to a new seasonal worker. That scanner will log the worker’s location every 30 seconds via MDM, record every item they pick, track their productivity against shift targets, and store Wi-Fi access point associations that reveal movement patterns throughout the facility. Under Law 25, every one of those data points is personal information—and the employer needed to obtain meaningful consent, document the purpose, and complete a privacy impact assessment before that device was ever powered on.

Most operations leaders sat through a legal briefing on Law 25 and walked away knowing their website needed a cookie banner. Nobody mentioned the 800 scanners on their warehouse floors.

The stakes here aren’t theoretical. Law 25’s administrative penalties reach up to $10 million or 2% of worldwide revenue—and that’s for administrative violations, not intentional misconduct. A single MDM misconfiguration affecting hundreds of devices isn’t a one-off incident in the eyes of the Commission d’accès à l’information (CAI). It’s a systemic violation that could attract maximum penalties.

Here’s the blind spot we see repeatedly: operations teams assume privacy law applies to customer data. It does. But Law 25 also applies to employee personal information, requiring notice and consent before collection and processing. Every piece of data your MDM platform collects about an employee’s device usage, location, and behaviour falls under the same framework that governs how you handle customer records.

In practice, this is what happens: a national retailer deploys 1,200 handhelds across Quebec stores with the same MDM profile used in Ontario. Six months later, their legal team discovers that the location-tracking interval, app-usage logging, and productivity dashboards all constitute personal information collection under Law 25—and no privacy impact assessment was ever conducted. Retrofitting compliance across a live fleet is ten times harder than building it into the staging process.

The conversation about your Quebec device fleet needs to happen before the devices ship, not after a CAI investigation begins.

Law 25 requirements that touch every stage of the mobile device lifecycle

Law 25 doesn’t care whether you think of your device fleet as “IT infrastructure” or “operational equipment.” If a device collects, stores, transmits, or provides access to personal information—and every enterprise mobile device does—the full weight of Quebec’s privacy framework applies at every lifecycle stage.

This isn’t a single compliance checkbox. It’s a chain of obligations that runs from the moment you source a device to the moment you destroy the data on it.

Privacy impact assessments are mandatory before any project involving collection, use, or disclosure of personal information—including MDM deployments and device monitoring programmes. Most organisations treat PIAs as a one-time legal exercise completed when the project launches. Under Law 25, every new MDM policy, every firmware update that changes data collection behaviour, and every new app deployment on Quebec devices can trigger a fresh PIA obligation.

When we stage devices for Quebec deployments, the configuration checklist is materially different from the rest of Canada. French-default language settings (required under Bill 96), consent-aware MDM enrollment workflows, data collection policies scoped to the minimum necessary for the stated purpose—these aren’t optional enhancements. They’re compliance requirements that must be built into the device before it ships.

Sourcing and staging—French-default configuration and consent-aware enrollment

A device staged for a Quebec warehouse that boots in English, with an MDM enrollment screen that doesn’t explain in French what data will be collected, is already non-compliant before it scans a single barcode.

Bill 96’s French-language workplace requirements intersect directly with Law 25’s consent obligations at the staging phase. Employee-facing device interfaces, on-screen communications, and printed materials must be in French by default. The “markedly predominant” standard requires French text to occupy at least twice the space of other languages on signage and digital displays.

Bill 96 fines range from $3,000 to $30,000 per violation, with personal liability for corporate directors. The critical detail: “per violation” means per device if each device presents a non-compliant interface. A fleet of 500 devices with English-default configurations represents 500 potential violations—and the Office québécois de la langue française (OQLF) is actively enforcing. Over 10,000 complaints were filed and 9,813 inspections conducted in the most recent reporting period.

Your French-default device staging for Quebec deployments isn’t a regional courtesy. It’s a procurement requirement.

MDM policies—data minimisation and proportional monitoring

The default MDM policy templates from most platforms collect far more data than Law 25 permits. Location polling every 30 seconds, app usage logging, browsing history, Wi-Fi association records—each data point needs a documented, proportional justification tied to a stated business purpose.

Law 25 requires that personal information collection be limited to what is necessary for the purposes identified at the time of collection. “We might need it someday” is not a compliant purpose statement.

Here’s what we find in practice: we’ve audited MDM environments where the platform was collecting 47 distinct data categories from each device, but the organisation could only articulate a business purpose for eight of them. Under Law 25, the other 39 categories represent unjustified personal information collection—and every device in the fleet is generating that data continuously, shift after shift.

Your managed MDM administration for Quebec-compliant device policies needs to start with a data inventory, not a template import.

Decommissioning—certified data erasure and the breach register

A bin of 200 retired Honeywell handhelds sits in a Quebec depot’s back room for six months waiting for someone to “deal with them.” Each device contains location histories, productivity data, and potentially cached transaction records. Under Law 25, every day those devices sit unwiped is a day the organisation is storing personal information without a documented retention purpose.

The obligation doesn’t end when a device leaves a worker’s hands. Data on decommissioned devices is still personal information until it’s irreversibly destroyed—and Law 25 requires organisations to maintain a register of all confidentiality incidents. A lost or stolen device containing personal information constitutes a confidentiality incident. Without certified data erasure with chain-of-custody documentation, you cannot demonstrate that decommissioned devices no longer contain regulated data.

The gap between “we factory reset them” and “we have NIST 800-88 certified erasure documentation” is the gap between hoping you’re compliant and being able to prove it when the CAI asks.

Understanding what Law 25 requires at each lifecycle stage is the foundation—but the next question operations leaders ask is how these requirements differ from what they’re already doing under PIPEDA. The short answer: if your mobile device compliance strategy is “we follow PIPEDA, so we’re covered,” you have a Quebec problem.

How Law 25 differs from PIPEDA for mobile device fleets

The assumption we encounter most often: “We’re PIPEDA-compliant, so our Quebec operations are covered.” This reasoning fails because Law 25 exceeds PIPEDA in three specific ways that directly affect how you manage enterprise devices—and the gap isn’t subtle.

The first difference is the privacy impact assessment requirement. PIPEDA recommends PIAs as a best practice. Law 25 mandates them before any project involving collection, use, or disclosure of personal information. That includes your MDM deployment. If your MDM platform is hosted outside Quebec—even in Ontario—you need a completed PIA documenting the transfer’s necessity and the receiving jurisdiction’s data protection adequacy before you enroll a single Quebec device.

The second difference is the penalty structure. PIPEDA’s maximum penalty through Federal Court action is $100,000 per violation. Law 25’s administrative penalties reach $10 million or 2% of worldwide revenue. For intentional violations or attempts to re-identify anonymised data, penal penalties climb to $25 million or 4% of worldwide revenue. This isn’t a minor difference in scale—it’s a 100x–250x increase in enforcement severity.

The third difference is employee monitoring consent. PIPEDA’s consent framework is flexible for employee data in many contexts. Law 25 requires explicit notice and consent before collecting employee personal information, with heightened requirements for monitoring that could reveal behaviour patterns, location, or productivity metrics—exactly what MDM platforms collect.

Requirement                      | PIPEDA                     | Law 25
---------------------------------+----------------------------+------------------------------------------------
Privacy impact assessment        | Recommended best practice  | Mandatory before personal information projects
Out-of-province data transfer    | No PIA required            | PIA required documenting necessity and adequacy
Maximum administrative penalty   | $100,000 (Federal Court)   | $10M or 2% worldwide revenue
Employee monitoring consent      | Flexible framework         | Explicit notice and consent required

We manage fleets for organisations that operate in every province. The Quebec devices get a different MDM profile, a different staging checklist, and a different decommissioning documentation package—not because we want to complicate things, but because the law requires it. A national retailer with 3,000 devices needs to treat their 600 Quebec devices as a distinct compliance domain with its own lifecycle management across distributed Quebec locations.

What a privacy impact assessment looks like for a mobile device programme

Your legal team tells you a PIA is required for your Quebec device programme. You picture a 200-page legal document that takes six months to produce. In practice, a mobile device PIA is a structured inventory of what data your devices collect, why, where it goes, how long it’s kept, and what happens when the device is retired.

The hard part isn’t the document. It’s discovering that you don’t actually know the answers.

A mobile device PIA needs to address five operational questions:

  1. What personal information does each device type collect, and through what mechanisms (MDM polling, application logging, carrier data)?
  2. What is the documented business purpose for each category of data collected?
  3. Where is that data stored, processed, and transmitted—including cloud hosting jurisdictions?
  4. How long is each data category retained, and what triggers deletion?
  5. What happens to personal information when the device is retired, lost, or reassigned?

The Commission d’accès à l’information (CAI) has authority to investigate and impose administrative monetary penalties. PIAs aren’t filed with the CAI, but they must be available upon request. When a CAI investigation begins—triggered by a breach, a complaint, or a routine audit—the first document they’ll ask for is your PIA. “We didn’t do one” is the worst possible answer.

The PIA question that trips up every operations team we work with: “What data does your MDM platform actually collect?”

Most can name three or four categories—location, app inventory, maybe device health metrics. When we pull the actual data export from their MDM console, the list is typically 30–50 categories: Wi-Fi access point associations, Bluetooth pairing history, charging patterns, screen-on duration by application, geofence entry and exit timestamps. Most of these the operations team didn’t know existed, let alone authorised or documented a purpose for.

Your PIA is only as accurate as your understanding of what your devices actually collect. If you’ve never pulled a complete data export from your MDM platform and mapped every category to a stated business purpose, your PIA has gaps you haven’t discovered yet.

Where your managed mobility provider becomes a compliance decision

Under Law 25, your managed mobility provider’s operating model is your compliance posture. Where they host your MDM data, whether their service desk speaks French, whether they can produce certified data erasure documentation—these aren’t vendor selection nice-to-haves. They’re regulatory requirements with direct liability implications.

Consider the hosting question. Most US-based managed mobility providers host MDM data in US data centres. Using a US-hosted MDM platform for Quebec devices triggers the mandatory PIA requirement for out-of-province data transfers—and creates ongoing sovereign risk. Personal information stored in the US is subject to US CLOUD Act access requests, a disclosure pathway that doesn’t exist for data hosted in Canada.

Consider the language question. Bill 96 requires French-default workplace interfaces and French-language IT support for Quebec employees. If your managed mobility provider’s service desk can’t handle a 2 a.m. call from a Trois-Rivières warehouse supervisor in French, you have a compliance gap that no amount of internal policy can close.

Consider the decommissioning question. Law 25 requires organisations to maintain a register of all confidentiality incidents. A device retired without certified data erasure is a device whose compliance status cannot be documented. If that device is later lost, stolen, or discovered with recoverable data, you have no evidence that personal information was destroyed—and no defence against a CAI investigation.

PiiComm stages devices for Quebec deployments in Canadian facilities with French-default configurations, consent-aware MDM enrollment, and data collection policies scoped to Law 25’s minimisation requirements. The 24/7 bilingual (English/French) service desk isn’t a convenience—for Quebec operations, it’s a Bill 96 compliance requirement. When devices reach end of life, PiiComm’s certified data erasure with chain-of-custody documentation produces NIST 800-88 compliant records that satisfy Law 25’s breach register and data retention obligations.

The question isn’t whether you can find a managed mobility provider. It’s whether your provider’s operating model creates compliance exposure or closes it.

A Law 25 mobile device compliance checklist for operations leaders

You don’t need to become a privacy lawyer to get your Quebec mobile fleet compliant. You need to verify seven operational realities about how your devices are configured, managed, and retired.

  • PIA documentation exists for your Quebec MDM deployment. Not a template from legal—a completed assessment that maps every data category your MDM actually collects to a documented business purpose, with data flow diagrams showing where that information travels.
  • Devices boot in French by default. Language settings, MDM enrollment screens, user-facing prompts, and printed documentation all present in French first. English-default configurations for Quebec-deployed devices violate Bill 96.
  • MDM enrollment includes a consent disclosure. Before a worker starts using a device, they see—in French—what data the device will collect, why, and how it will be used. “Implied consent through continued employment” is not compliant under Law 25.
  • Data collection is scoped to documented purposes. Every data category your MDM collects has a written justification. If you can’t explain why you need Wi-Fi association history or app usage duration, you shouldn’t be collecting it.
  • Out-of-province data transfers are documented. If your MDM platform is hosted outside Quebec, you have a completed PIA documenting the transfer’s necessity and the receiving jurisdiction’s protections.
  • Device decommissioning produces certified records. Retired devices receive NIST 800-88 compliant data erasure with chain-of-custody documentation—not “factory reset” and a hope.
  • Your service desk can support Quebec workers in French. IT support calls, troubleshooting, and device replacement requests from Quebec employees must be handled in French.

If you can check all seven boxes with documented evidence, your Quebec device fleet is in strong compliance posture. If you can’t, you’ve identified the gaps that need attention before the CAI does.
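The data-inventory audit described under MDM policies and the first five checklist items above can be run as a repeatable check against an exported profile. The script below is an added example, not PiiComm’s tooling or any MDM vendor’s schema; the profile export, the purpose register and the "ca-quebec" hosting label are constructed assumptions.

```python
# Constructed sample export of what an MDM console reports collecting from
# one device profile. Category names are illustrative, not a vendor schema.
SAMPLE_PROFILE = {
    "default_locale": "en-CA",
    "enrollment_disclosure_languages": ["en"],
    "hosting_region": "us-east",        # MDM tenant hosted outside Quebec
    "transfer_pia_reference": None,     # no PIA on file for that transfer
    "collected_categories": {
        "location": {"interval_seconds": 30}, "app_inventory": {},
        "device_health": {}, "wifi_associations": {},
        "bluetooth_pairings": {}, "screen_on_by_app": {},
    },
    "retention_days": {"app_inventory": 365, "device_health": 90},
}

# Constructed purpose register: the data inventory the post says must come
# before any template import. Only categories listed here are justified.
SAMPLE_REGISTER = {
    "location": {"purpose": "locate a lost or stolen device",
                 "min_interval_seconds": 900},
    "app_inventory": {"purpose": "patch and licence management"},
    "device_health": {"purpose": "battery replacement scheduling"},
}


def audit_profile(profile, register):
    """Return (checklist_item, detail) gaps for a profile staged for Quebec devices."""
    findings = []
    if not profile["default_locale"].lower().startswith("fr"):
        findings.append(("french_default", profile["default_locale"]))
    if "fr" not in profile["enrollment_disclosure_languages"]:
        findings.append(("consent_disclosure", "no French enrollment disclosure"))
    # Any hosting outside Quebec, even another province, needs a PIA on file.
    if profile["hosting_region"] != "ca-quebec" and not profile["transfer_pia_reference"]:
        findings.append(("transfer_pia", profile["hosting_region"]))
    for cat, cfg in profile["collected_categories"].items():
        if cat not in register:                  # collected with no documented purpose
            findings.append(("unjustified_collection", cat))
            continue
        floor = register[cat].get("min_interval_seconds")
        if floor and cfg.get("interval_seconds", floor) < floor:
            findings.append(("over_collection",
                             f"{cat} polled every {cfg['interval_seconds']}s, purpose needs {floor}s"))
        if cat not in profile["retention_days"]:  # retained with no deletion trigger
            findings.append(("no_retention", cat))
    return findings


def minimised_categories(profile, register):
    """Collection config cut to justified categories, polling no finer than the purpose needs."""
    out = {}
    for cat, cfg in profile["collected_categories"].items():
        if cat not in register:
            continue
        new = dict(cfg)
        floor = register[cat].get("min_interval_seconds")
        if floor and new.get("interval_seconds", floor) < floor:
            new["interval_seconds"] = floor
        out[cat] = new
    return out


if __name__ == "__main__":
    for item, detail in audit_profile(SAMPLE_PROFILE, SAMPLE_REGISTER):
        print(f"{item}: {detail}")
    print(minimised_categories(SAMPLE_PROFILE, SAMPLE_REGISTER))
```

Run against the sample, the audit reports three unjustified categories, an over-polled location interval with no retention period, an English default, no French consent disclosure and an undocumented out-of-province transfer; the minimised output is what the staged profile should carry instead.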

For operations leaders ready to close those gaps, talk to a PiiComm mobility strategist about Law 25 compliance for your Quebec device fleet.

Frequently asked questions about Quebec Law 25 and managed mobility

Does Quebec Law 25 apply to enterprise mobile devices like scanners and handhelds?

Yes. Law 25 applies to all personal information collected by any means, including MDM platforms on enterprise devices. Location data, productivity metrics, app usage logs, and device identifiers all constitute personal information under the law—regardless of whether the device is a smartphone, scanner, or rugged tablet.

Do I need a privacy impact assessment for my Quebec mobile device fleet?

Yes. A PIA is mandatory before any project involving collection, use, or disclosure of personal information—including MDM deployments, device monitoring programmes, and new application rollouts. The PIA must document what data is collected, why, where it’s stored, and how long it’s retained.

Does Law 25 apply to employee data collected through MDM?

Yes. Law 25 covers employee personal information and requires notice and consent before collection and processing. Location tracking, productivity monitoring, app usage logging, and device health metrics collected from employee-assigned devices all require documented consent and purpose limitation.

What are the penalties for Law 25 non-compliance related to mobile devices?

Administrative penalties reach $10 million or 2% of worldwide revenue. Penal penalties for intentional violations reach $25 million or 4% of worldwide revenue. A systemic MDM misconfiguration affecting hundreds of devices isn’t treated as a single incident—it’s a pattern that can attract maximum penalties.

Does Law 25 require devices in Quebec to be configured in French?

Bill 96 requires French-default workplace interfaces and communications. Device boot screens, MDM enrollment prompts, and user-facing documentation must present in French first. Law 25’s consent requirements must also be presented in French for Quebec employees to be valid.

What happens to personal data on mobile devices when they’re retired in Quebec?

Devices must be wiped using certified data erasure methods compliant with standards like NIST 800-88. Organisations must maintain a register of confidentiality incidents—a lost or stolen device with unwiped data constitutes an incident. Without certified erasure documentation, you cannot prove compliance.

How does Law 25 differ from PIPEDA for mobile device management?

Law 25 mandates PIAs before out-of-province data transfers—PIPEDA does not. Law 25’s penalties are 100x–250x higher than PIPEDA’s Federal Court enforcement cap. Law 25 also requires explicit consent for employee monitoring that reveals behaviour patterns or productivity metrics.

Does hosting my MDM platform outside Quebec trigger Law 25 obligations?

Yes. Transferring personal information outside Quebec—even to another Canadian province—requires a completed PIA documenting the transfer’s necessity and the adequacy of the receiving jurisdiction’s protections. US-hosted platforms create additional sovereign risk under the US CLOUD Act.

Moving forward

Law 25 didn’t create new categories of risk for enterprise mobile devices. It made existing risks visible and enforceable. The scanners on your Quebec warehouse floors have always collected personal information. The difference now is that someone is paying attention—and the consequences for getting it wrong are material.

The operations leaders who navigate this well won’t be the ones who treat Law 25 as a legal department problem. They’ll be the ones who recognise that compliance lives in the configuration files, the staging checklists, and the decommissioning documentation—not in a policy binder.

Your Quebec device fleet is either a compliance asset or a compliance liability. The gap between the two is smaller than most organisations expect, but it requires knowing where to look.