skip to Main Content
What Is Quebec Bill 25 & How It Affects Your Website

What is Quebec Bill 25 & How It Affects Your Website

September 22, 2022, marks the start of a three-year rollout of Quebec’s new privacy legislation, Law 25 (formerly Bill 64). The Law tightens existing frameworks by granting citizens more robust data protection rights while placing more rigorous obligations on organizations handling personal information.

If you own a website and use various digital channels to communicate and collect information about them, this legislation is sure to impact your business.

To meet the challenges of Bill 25, we invite you to read the information below to better understand the implications and effects of the law on your business.

What is Bill 25?

The primary purpose of Bill 25 is to require companies to obtain explicit consent before using an individual’s personal information. The Law gives people the automatic right to confidentiality and greater transparency about when organizations collect personal details.

Personal details, as explained by the Personal Information Protection and Electronic Documents Act (PIPEDA), include “any factual or subjective information, recorded or not, about an identifiable individual,” such as:

  • age, name, ID numbers, income, ethnic origin, or blood type
  • opinions, evaluations, comments, social status, or disciplinary actions
  • employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, or intentions such as buying goods or services or applying for a new job

What Does Bill 25 Mean for Your Business?

Companies must adjust procedures for managing customer data and create policies for maintaining privacy to be in compliance by the end of 2024.

Managing Privacy

The automatic confidentiality that Law 25 provides means businesses will need to deactivate profiling, identification, or tracking technologies. Organizations must provide people with the opportunity to clearly ‘opt in’ for such features.

Bill 25 allows exceptions to default confidentiality, giving firms the authority to collect personal details in specific situations, such as:

  • when the information is necessary to detect fraud or improve security.
  • when necessary to deliver a product or service requested by an individual.

Getting Consent

Obtaining permission to collect an individual’s data involves more than an ‘opt in’ button. Companies need to tell people in clear, simple language:

  • why they are collecting information
  • how they gather it
  • how people can access or amend details captured
  • how to withdraw permission

You must also identify the people within the company or any third parties who can access the data. If an organization transfers information outside of Quebec, the individual must be aware. Companies will need parental consent to gather data for children under age 14.

If people want to withdraw permission to use their data, you must explain how the company will remove details from business systems. Under the new law, people now have the right to receive a digital copy of all personal information collected from them by any organization.

Establishing Privacy Policies

Corporate websites must display a privacy policy for visitors, written in clear, easily understood language. In addition, your organization will need internal policies and comprehensive frameworks for effectively managing personal details used during business operations.

Privacy programs establish guidelines for:

  • Roles and responsibilities for team members managing private information
  • Action plans for managing privacy complaints
  • Audits of third-party compliance with privacy policies
  • Retention and disposal guidelines for personal information

If your website does not currently display a detailed privacy policy, make sure to provide your digital agency with a clear privacy policy that includes the relevant Bill 25 new requirements.

Completing Privacy Impact Assessments (PIAs)

Evaluating compliance with requirements set by Bill 25 must happen under the following circumstances:

  • When companies buy, build, or revamp information systems
  • Before an electronic service occurs that involves personal details
  • Before disclosure of any information outside of Quebec

Appointing Data Protection Officers (DPOs)

Bill 25 requires organizations to designate an individual responsible for ensuring compliance with the new legislation. A company’s CEO is responsible for oversight but can name someone else as the DPO with the name, title, and contact information available on the business website.

Conducting Confidentiality Incident Management

Bill 25 mandates that organizations report privacy incidents or breaches to the Commission d’accès à l’information (CAI) du Québec (the organization responsible for access to information) and individuals affected. Companies must track violations of confidentiality and show the measures taken to lessen the risk of similar incidents happening again.

A breach includes the unlawful use of personal details, inadequate privacy notices, and failure to notify people about automated decisions or confidentiality breaches.

What are the Penalties for Not Complying with Bill 25?

The financial impact of not adhering to the rules established by Bill 25 can be significant.

  • Individuals could pay between $5,000 and $100,000 for violating the law.
  • Public institutions face fines of between $3,000 and $30,000, with larger organizations subject to penalties of $15,000 to $150,000.
  • Private companies risk up to 4 percent of sales or between $15,000 and $25,000,000 (whichever is the larger amount).

Companies may face additional liability under the Civil Code of Quebec.

Quebec Bill 25 summary information also reveals that people can take private or collective legal action when breaches happen, or companies infringe on their privacy intentionally or through error. Individual claims can be at least $1,000.

Bill 25 Affects Companies Beyond Quebec

If your company operates outside of Quebec, you may think you’re unaffected by Bill 64. But organizations interacting with personal data from Quebec-based customers must have policies and procedures in place to comply with the law and pass any PIAs conducted by Quebec companies.

Additionally, Canadian legislators recently introduced Bill C-27, a compilation of the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. If enacted into law, Bill C-27 would replace the PIPEDA with a more modern, robust privacy and data protection legal framework. The penalties for non-compliance with Bill C-27 are harsher than the fines associated with Bill 25.

Preparing Your Organization for Bill 25

Bill 25 and emerging legislation reflect consumer fatigue and concern with corporate use of personal data. To comply with the law’s immediate requirements, you’ll need to:

  • appoint a DPO if you want to separate oversight from your CEO’s responsibilities
  • begin reporting privacy breach incidents to the CAI and affected individuals

Then, take the following steps to help meet the regulatory expectations as we shift into 2023:

  1. Complete an internal review of processes your company currently uses to collect, use, maintain and disclose personal details.
  2. Review business rules to identify markets outside of Quebec where your organization may transfer personal information.
  3. Talk with the DPO about roles, responsibilities, and delegation protocol for privacy management.
  4. Update current privacy policies to align with Bill 25 guidelines.
  5. Examine third-party relationships or contracts to ensure personal information processing is handled correctly and consistently across your supply chain.
  6. Adjust your company’s current data consent practices to deliver the simple, clear, easily found messaging outlined in Bill 25.
  7. Restructure your organization’s incident reporting to comply with the new law.
  8. Improve the transparency of individual access or data rights requests by making forms easy to find, complete, and send to your company.
  9. Establish the ‘right to be forgotten’ process that removes individuals from data systems upon request.
  10. Set a timetable for finalizing privacy policies, programs, and PIAs.

Although the journey to complying with Quebec Bill 25 has a few twists and turns, the effort is essential to building and retaining trust with the people who purchase your products or services. Trust leads to loyalty and long-term success for your organization.

As your digital marketing agency in Montreal, WSI can assist you in ensuring that your business complies with the various obligations of Bill 25 affecting your website and online presence. However, we strongly recommend that you contact your lawyer or legal counsel for more details on the new provisions of this law and how to prepare yourself.

View our Resources page to learn more about this topic and download a suggested Privacy Policy to include on your Website. This policy should be reviewed by your legal counsel to ensure that it is suitable for your requirements.

Note: This article is for informational purposes only and should not be considered legal advice. Please consult your legal counsel for more information on the requirements of the new Bill 25.

Back To Top