4.7.2026
0
min read

Bill 25: What Your Union Needs to Know About Digital Communications

Bill 25 applies to your union. Here is what it means concretely for your member lists, your communications, and the digital tools your organization uses.

What Bill 25 Requires from Your Union

Bill 25, in force since September 2023, applies to any organization that collects, uses, or communicates personal information in Quebec. Your union falls fully under this definition. Your members' names and contact details, participation data from votes and assemblies, information related to individual representation: all of this constitutes personal information under the law.

A Designated Privacy Officer

Your organization must appoint a person responsible for the protection of personal information. By default, this is the person with the highest authority, until a formal delegation is documented. In many unions, no one knows exactly who holds this role today.

An Incident Register

If personal information is compromised, your organization must document the incident. Depending on the severity, you must also notify the Commission d’accès à l’information and the individuals concerned. Without a structured communication channel, documenting what circulated and to whom becomes nearly impossible.

Rules on Consent and Retention

Information collected must serve specific purposes and cannot be kept indefinitely. In practice, that means having an answer to this question: do the members whose name is still on your distribution list still have the status that justifies being there?

A Right of Access for Your Members

A member can request to consult the personal information you hold about them. If that information is spread across five different channels, reconstructing what exists and where it is takes considerable time.

Fortisia hosts your member data on servers in Canada and manages access by role, with a reviewable history of every change.

Book a demo

The Real Problem: Your Data Moves Through Tools That Don’t Belong to You

On the ground, what we hear most often: “We have nothing to hide.” Bill 25 is not about bad intentions. It is about control.

When your union communications run through a Facebook group, your members’ data is processed by Meta on servers in the United States, subject to the American CLOUD Act. Privacy settings can change without notice. If a member leaves your union and is removed from the group, their past interactions remain on Meta’s servers.

Messenger, WhatsApp, and personal email have the same structural problem: they were designed for individual use, not for the governance of an organization representing hundreds or thousands of workers.

In practice, three concrete gaps result from this.

No traceability. Who received what, when? Hard to document when your communications are spread across five different channels. In the event of a dispute, you have nothing to show.

Access that does not manage itself. A retired member, a worker in dispute, a delegate whose mandate has ended: are they still in your groups? In most unions, no one follows up systematically. Access accumulates.

Hosting outside Canada by default. Facebook, Google, WhatsApp: servers are in the United States. Your transparency and control obligations under Bill 25 become much harder to satisfy in this context.

3 points to keep in mind in your union communications

Retaining Your Data

How long do you keep your member lists? Your assembly minutes? Exchanges related to your negotiations? In many organizations, the honest answer is: until someone deletes the file. That is not a retention policy. That is improvisation.

Access Control by Role

Does your regional delegate need to see the contact details of all your members? Does your mobilization coordinator need access to your confidential negotiation documents? Access control by role and group is not a technical detail. Bill 25 makes it a duty of care.

Your External Service Providers

When you use Mailchimp for mass emails or SurveyMonkey for surveys, you remain responsible for the protection of shared data. These platforms have their own privacy policies, their own servers, their own retention practices. That deserves verification, not a checked box.

What It Costs to Ignore This

A privacy incident in your union is not primarily a fine. It is damage to the trust relationship with the members you represent.

The most common situations do not trigger legal sanctions. They trigger something harder to repair: a former member still accessing your internal communications because no one updated their access. A member list sent from a personal address during an executive transition. A negotiation document shared in the wrong group. These gaps are avoidable. When they happen, your executive spends time managing the fallout instead of working on the files that matter.

Where to Start

A few concrete steps can significantly reduce your exposure without rebuilding everything at once.

Designate a responsible person officially, with documented delegation. Review access to your communication tools: who is in which groups, when were your lists last updated. Establish a minimal retention policy, even a basic one. Centralize your official communications in an environment where your organization controls who sees what, where data is hosted in Canada, and where governance belongs to you.

Fortisia automatically removes access when a member’s status changes, and keeps a record of changes for your traceability requirements.

Book a demo

A union that takes Bill 25 seriously does not do so only to avoid a sanction. It does so because its members entrust it with their personal information as part of their working lives. That trust is earned with every decision.

How we help

No more member data scattered across Facebook groups, Messenger threads, and unstructured email chains.

Fortisia centralizes your union’s communications in a structured environment, hosted in Canada, with access defined by role, group, and local section.

Your members get direct access to:

  • Your official executive communications
  • Your important documents in a secure space
  • A channel controlled by your organization, not an algorithm
  • Role-based access management without manual list handling

Result: your data stays in Canada, your access is documented, your governance holds up.

Book a demo

Frequently Asked Questions

Does Bill 25 really apply to your union, not just businesses?

Yes. Bill 25 applies to any organization that collects, uses, or communicates personal information in Quebec, regardless of its legal nature. If you manage a member list, participation data, or representation documents, you are subject to the same requirements as a private company.

What counts as personal information in your union context?

Your members’ names, addresses, phone numbers, email addresses, employment status, and union participation information are all personal information under the law. Representation documents that identify a member individually also fall into this category.

What does your union risk by not designating a privacy officer?

The Commission d’accès à l’information can impose administrative monetary penalties. But beyond fines, the absence of a designated officer means no one is monitoring incidents, documenting practices, or responding to your members’ access requests. The operational risk is often more immediate than the legal one.

Can your union be compliant with Bill 25 while using Facebook for communications?

Technically possible, but very difficult to maintain. The law requires control over data shared with third parties, access traceability, and the ability to respond to your members’ requests. Facebook does not allow these requirements to be met rigorously: your data moves to American servers, access is difficult to audit, and privacy settings change without notice. Fortisia hosts your data in Canada, with documented and auditable role-based access control.

How often should your union review its personal information protection practices?

The law does not set a specific frequency, but an annual review is good practice. Natural triggers include changes to digital tools, adding a new service provider, an executive election, or a privacy incident, even a minor one.

Ready to upgrade your union?

Discover how Fortisia can improve communication between you and your members.