In an increasingly digitized world where privacy has become a major concern, Québec’s Law 25 represents a new step in safeguarding privacy and regulating the management of personal data. For businesses and organizations operating in Québec, it’s crucial to understand the implications of this law and take the necessary measures to comply with it.
What Is Law 25 in Québec?
In Québec, Law 25 refers to a set of new provisions aimed at strengthening the privacy protection of citizens. In effect since September 2022, its goal is to better regulate the collection, use, and retention of personal data. This law impacts not only online activities but also all aspects of a business, including customer records and data of former employees.
Law 25 aims to ensure increased protection of Quebecers’ personal information by imposing new obligations on businesses and organizations operating in Québec.
For more information, refer directly to the official press release from the Government of Québec.
Why Was Law 25 Enacted?
Law 25 was enacted with the primary goal of enhancing the privacy protection of residents of Québec. The reasons for adopting this law are manifold:
- Protection of individual rights: The law aims to ensure that fundamental rights to privacy and the protection of personal data are respected.
- Adaptation to new technologies: It seeks to update regulations to adapt to new digital realities.
- Prevention of abuses: The law aims to prevent potential abuses in the collection, use, and disclosure of personal data by businesses and organizations.
- Transparency and accountability: It requires greater transparency from entities collecting personal data and increased responsibility in their management and protection.
- Building trust: By securing citizens’ personal data, the law strengthens public trust in the use of online services and technologies.
- Compliance with international standards: It also harmonizes Québec’s legislation with international data protection standards, including the General Data Protection Regulation (GDPR) of the European Union.
What Is Personal Information?
Personal information refers to data concerning an “identifiable individual.” This includes information that, alone or combined with other data, allows identification of an individual.
Generally, personal information may include, but is not limited to:
- Phone number
- Race, nationality, or ethnic origin
- Age or marital status
- Medical, educational, or professional history
- Financial transactions
- Identifiers (e.g., social insurance number or driver’s license number)
- Location data
- IP address
- Electronic identifiers
For more information, consult the Overview of Privacy Laws in Canada – Office of the Privacy Commissioner of Canada.
Impacts of Law 25 on Cookies
- Explicit Consent Required: Websites must now obtain clear and informed authorization from users before collecting data via cookies.
- User Control Mechanisms: Law 25 encourages the implementation of mechanisms allowing users to control cookies. This can include options to accept, reject, or manage cookies according to their preferences.
- Limited Storage Duration: Some cookies may have limited storage durations. This means that data collected through these cookies can only be retained for a specified period.
- Data Protection Measures: Companies are obligated to take measures to protect collected data and implement privacy policies. They are also responsible for ensuring that third-party service providers comply with cookie regulations.
- Penalties for Non-Compliance: Law 25 includes sanctions for non-compliance, meaning organizations failing to adhere to cookie rules can face fines and other coercive measures (see below).
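As an added illustration (not code from the original article or from Code Marketing), the snippet below gates non-essential cookies behind an explicit, per-purpose choice and caps their lifetime, mirroring the consent, control and limited-duration points listed above; the category names and the 395-day cap are assumptions.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Nothing is set before an explicit choice, the user can accept, reject or
// manage per purpose, and cookie lifetime is capped. Category names and the
// 395-day cap are assumptions, not values taken from the law or the article.

const CATEGORIES = ["analytics", "marketing"]; // assumed non-essential purposes
const MAX_COOKIE_DAYS = 395;                    // assumed cap; the law only requires a limit

// Fresh consent record: no decision made yet, every non-essential purpose denied.
function createConsent() {
  const granted = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  return { decided: false, granted };
}

// "Manage" choice: set one purpose explicitly; unknown purposes are refused loudly.
function setChoice(consent, category, allowed) {
  if (!CATEGORIES.includes(category)) throw new RangeError(`unknown purpose: ${category}`);
  consent.granted[category] = Boolean(allowed);
  consent.decided = true;
  return consent;
}

function acceptAll(consent) {
  CATEGORIES.forEach((c) => setChoice(consent, c, true));
  return consent;
}

function rejectAll(consent) {
  CATEGORIES.forEach((c) => setChoice(consent, c, false));
  return consent;
}

// Build the Set-Cookie-style string for a cookie, or return null when its purpose
// has not been consented to. Essential cookies (session id, CSRF token) need no
// consent. Unknown categories fail closed. Lifetime is clamped to MAX_COOKIE_DAYS.
function buildCookie(consent, name, value, { category = "essential", days = 30 } = {}) {
  if (category !== "essential" && !(consent.decided && consent.granted[category] === true)) {
    return null;
  }
  const maxAge = Math.min(days, MAX_COOKIE_DAYS) * 86400;
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}` +
    `; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Walk-through: nothing before a choice, then "manage" enables analytics only.
const demoConsent = createConsent();
console.log(buildCookie(demoConsent, "_ga", "GA1.1", { category: "analytics" })); // null
setChoice(demoConsent, "analytics", true);
console.log(buildCookie(demoConsent, "_ga", "GA1.1", { category: "analytics", days: 730 }));
```

In a browser the returned string would be written with `document.cookie = buildCookie(...)`; the consent record itself should be persisted (for example in an essential cookie) so the user's choice survives reloads.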
When Does Law 25 Take Effect?
Since September 22, 2022, Law 25 has brought significant changes to user consent management, with new obligations on businesses phased in each year.
Obligations in Effect Since September 22, 2022:
- Designate a personal information protection officer within the company and publish their title and contact information on the website.
- Implement a privacy incident notification system.
- Report to the Commission any attestation or validation of identity carried out by means of biometric characteristics or devices.
- Comply with rules governing the disclosure of personal data without the consent of the individual concerned in the context of a commercial transaction or related to studies, research, or statistics production.
Obligations in Effect Since September 22, 2023:
- Adopt and disseminate governance rules.
- Conduct an assessment of privacy-related elements.
- Obtain consent explicitly, clearly, and freely.
Companies are subject to criminal penalties for non-compliance with Law 25.
Obligations in Effect from September 22, 2024:
From 2024, Law 25 introduces the right to portability. This right gives individuals living in Québec control over their computerized personal data, allowing them to obtain it in an adaptable format and to share it in accordance with the law.
For more information on these obligations, refer to the implementation planning for Bill 64, the act modernizing legislative provisions regarding the protection of personal information (available only in French).
To Whom Does Law 25 Apply?
Law 25 applies to all private businesses that collect, process, or share personal information. In other words, it is applicable to any private organization operating in Québec that handles personal data as part of its activities.
It is highly likely that it concerns you!
What Fines Are Stipulated If One Does Not Comply with Law 25?
If your organization is found to be in breach of Law 25, the sanctions that have been established are enforced by the Access to Information Commission. These significant penalties can reach a maximum of 25 million dollars or the equivalent of 4% of worldwide turnover.
The amount of this penalty will be assessed in proportion to various factors, including the severity of the violation and the financial capacity of the concerned company.
That is why it is essential to make every effort to comply with this law.
For more information on the planned sanctions, consult the Access to Information Commission of Québec.
What Are the Differences Between Law 25 and Law 64?
Law 25 is a law resulting from Bill 64, which was adopted by the National Assembly of Québec.
Law 25, also known as the law modernizing legislative provisions on the protection of personal information, is an update of the rules governing the protection of personal information in Québec. It strengthens the protection of personal data and harmonizes Québec laws with international standards, including the General Data Protection Regulation (GDPR) of the European Union.
This makes it a significant evolution compared to the previous Law 64.
How to Comply with Law 25?
Through all these obligations and phases of implementation, it can be complex to decipher what needs to be done concretely as a company. That’s why we have listed the actions to take to comply with Law 25.
Appoint a Privacy Officer Within the Company
Appointing a Privacy Officer within a company is an essential step to ensure compliance with data protection laws, including Law 25 in Québec. This person plays a central role in managing the personal data collected and processed by the company.
The responsibilities of the Privacy Officer generally include:
- Compliance monitoring: Ensuring that the company complies with all laws and regulations related to the protection of personal data.
- Development of policies and procedures: Working on the development of internal policies and procedures for the collection, processing, and storage of personal data. These policies aim to ensure that the company’s practices comply with legal requirements.
- Handling access requests: Processing requests for access to personal data from concerned individuals and ensuring that these requests are handled in accordance with the law.
- Data breach response: In the event of a personal data breach, coordinating the company’s response, including informing the relevant authorities and taking necessary measures to mitigate damage.
- Communication with authorities: Acting as the main point of contact between the company and data protection authorities.
Establish a Governance Framework for Personal Data Protection
Establishing a governance framework for the protection of personal data involves setting up an organizational structure and specific processes within a company or organization to ensure the proper management and protection of collected, processed, and stored personal information.
Destroy or Anonymize Personal Information
The destruction or anonymization of personal information aims to make the collected personal information unusable or non-identifiable after it has been collected and processed by your company.
The destruction of personal data involves its complete and permanent deletion from your company’s systems.
This can be achieved through file deletion, physical destruction of storage media (such as hard drives), or other appropriate destruction methods. The goal is to ensure that the data cannot be recovered or used.
Anonymization involves transforming personal data in a way that it can no longer be directly associated with a specific person.
This can be accomplished by removing or encrypting identifying elements. Once anonymized, the data can no longer be used to identify a particular individual.
Analyze Risks Related to Privacy When Using and Transmitting Personal Data
This analysis is an essential step in identifying and evaluating threats to security and privacy.
Here are the main steps:
- Determine what personal information is collected, processed, or transmitted by the company.
- Identify threats to the security and confidentiality of the data. Threats can be internal (such as human errors) or external (such as cyberattacks).
- Identify weaknesses in the systems, processes, or practices of the company that could be exploited or lead to data breaches.
- Measure the potential impact of threats on personal information. This includes examining the consequences for the individuals concerned and the repercussions on the company.
- Evaluate the likelihood that threats will materialize based on identified vulnerabilities.
- Implement measures to mitigate risks. This includes implementing security controls, training staff, reviewing privacy policies, etc.
- Continuously monitor risks and adjust mitigation measures based on the evolution of threats and risks.
Obtain Prior Consent from an Individual to Use Their Personal Information for Commercial Prospecting
It is essential to obtain prior consent from an individual to use their personal information for commercial prospecting.
Concretely, this means that your company must obtain the explicit and voluntary agreement of the individuals you wish to solicit before it can use their personal information.
How Can Code Marketing Help You Comply with Law 25?
Faced with these legal requirements, the implementation of a Consent Management Platform (CMP) becomes essential for any company or organization collecting data online.
The CMP simplifies the consent management process by ensuring that users clearly understand information about data collection and allowing them to give, refuse, or modify their consent easily.
Not familiar with any consent management platforms? Here is one:
- CookieYes (free version available under certain conditions), the platform recommended by Code Marketing.