Data Privacy & Compliance
Privacy law in three jurisdictions — one law firm that knows California, Ontario, and Quebec. We turn compliance obligations into clean policies, contracts, and data governance programs.
Do You Actually Need This?
Privacy compliance is not a one-size-fits-all exercise — these four signals tell you your company needs legal counsel now.
You collect personal data from California, Ontario, or Quebec residents.
CCPA, PIPEDA, and Quebec Law 25 all require specific disclosures, consent mechanisms, and data subject rights infrastructure. Operating without compliant privacy notices exposes you to regulatory fines, civil suits, and reputational damage.
A SaaS vendor, enterprise client, or acquirer has asked for a Data Processing Agreement.
DPAs are now standard in B2B tech deals. If you don't have a compliant DPA template, you will either delay the deal or sign someone else's template — often on terms that heavily favor the counterparty.
You have had — or suspect — a data security incident.
Breach notification timelines under CCPA (without delay), PIPEDA (as soon as feasible), and Quebec Law 25 (72 hours to the Commission) are strict. Acting without legal counsel from the first hour often increases both the regulatory and litigation exposure.
You are building a product that processes sensitive categories of data.
Health data, biometric data, financial data, and children's data each trigger heightened legal requirements under multiple frameworks. A privacy-by-design legal review before you build is exponentially cheaper than retrofitting compliance after launch.
What You Get
- Policy Document
Privacy Policy & Notice Drafting
A jurisdiction-specific privacy policy and cookie notice for your website and product — written to satisfy CCPA, PIPEDA, and Quebec Law 25 requirements simultaneously.
- Data Audit
Data Mapping & Privacy Audit
A documented inventory of every personal data flow in your product or business — what you collect, where it goes, who processes it, and the legal basis for each processing activity.
- Contract Review
Vendor DPA & Data Agreement Review
Review and negotiation of Data Processing Agreements with your SaaS vendors, cloud providers, and data processors — ensuring your vendor stack doesn't expose you to liability downstream.
Flat Fee. No Surprises.
Privacy Policy
From $1,500 (one-time document)
- Custom privacy policy (CCPA + PIPEDA + Law 25)
- Cookie notice
- One revision round
- HTML-ready delivery
Compliance Audit (Recommended)
From $2,500 (one-time engagement)
- Data mapping & inventory
- Gap analysis (all 3 jurisdictions)
- Privacy policy + cookie notice
- Prioritized remediation plan
DPA Review
From $800 per agreement
- Review of vendor or client DPA
- Redline with comments
- Negotiation support
- Final execution review
Your Questions Answered
CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds: annual gross revenue over $25 million, buying/selling/receiving personal data of 100,000+ California consumers/households per year, or deriving 50%+ of revenue from selling personal data.
Quebec Law 25 is Quebec's comprehensive privacy law reform, fully in force as of September 2023. It requires explicit consent for non-essential cookies, data protection impact assessments for high-risk processing, 72-hour breach notification to the Commission d'accès à l'information, and privacy policies in French for Quebec-facing businesses.
A DPA is a contract between a data controller (you) and a data processor (your vendor) that governs how the vendor processes personal data on your behalf. Under GDPR, CCPA, and Quebec Law 25, written DPAs are required when sharing personal data with third-party processors.
Notification obligations depend on jurisdiction. California (CCPA): notify affected individuals "without unreasonable delay." Federal Canada (PIPEDA): notify individuals and the OPC "as soon as feasible." Quebec (Law 25): notify the CAI within 72 hours and affected individuals "with diligence." Legal counsel should be involved from the first hour.
You can use a single privacy policy that addresses all three jurisdictions, but it must include jurisdiction-specific sections for CCPA rights, Quebec Law 25 rights, and PIPEDA rights. A generic policy copied from a template almost never meets all three frameworks simultaneously.
