Every Verimont audit applies a rigorous structure across four vectors of North American data sovereignty: no overlap between categories, no gaps in coverage. The result is a liability map that holds under regulatory scrutiny.
The front door. Every commercial website is a data collection machine. The question Law 25 asks is simple: did you ask first? This vector audits the precise sequence of events between a user's first request and the organisation's first data collection action.
Law 25, s.8.1: "Any person who collects personal information must, before doing so, take reasonable steps to inform the person concerned of the purpose for which the information is collected and obtain their consent."
The paperwork. Regulatory frameworks do not just mandate behaviour — they mandate accountability structures. If your organisation processes personal data and cannot name the person responsible for it, you are already in violation, regardless of how good your consent management is.
PIPEDA, s.4.1: "An organisation is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organisation's compliance."
The back end. Where data physically lives determines which government can compel its disclosure. Data about Canadian data subjects that is routed through US infrastructure is subject to the US CLOUD Act, a federal law that allows US authorities to demand access to data held by US-domiciled corporations, regardless of where that data resides.
Law 25, s.17: "Before communicating personal information outside Québec, a person carrying on an enterprise must conduct a privacy impact assessment and ensure that the information will receive adequate protection."
The exit. Knowing what data you hold is the minimum. Having operational infrastructure to delete it, export it, and respond to requests within mandated timelines is the requirement. Most organisations that pass vectors I–III fail here.
Law 25, s.28: "A person carrying on an enterprise must, at the request of the person concerned, communicate to the person, in a structured, commonly used technological format, the personal information collected from the person."
Bill 64, now in full force. The most demanding provincial privacy legislation in Canada. Applies to any organisation processing personal information of Quebec residents, regardless of where the organisation is based.
Federal Canadian privacy law governing commercial organisations. Bill C-27 (CPPA) proposes significant reforms including a statutory tort of privacy violation and fines up to $10M or 3% of global turnover.
Not Canadian law — but profoundly relevant to Canadian data sovereignty. The CLOUD Act allows US federal agencies to compel US-domiciled cloud providers to disclose data stored anywhere in the world.