September 22, 2022, marked the start of a three-year rollout of Quebec’s new privacy legislation, Law 25 (formerly Bill 64). The Law tightens existing frameworks by granting citizens more robust data protection rights while placing more rigorous obligations on organizations handling personal information.
If you own a website and use various digital channels to communicate with people and collect information about them, this legislation is sure to impact your business.
To meet the challenges of Law 25, we invite you to read the information below to better understand the implications and effects of the law on your business.
What Is Law 25?
The primary purpose of Law 25 is to require companies to obtain explicit consent before using an individual’s personal information. The Law gives people the automatic right to confidentiality and greater transparency about when organizations collect personal details.
Personal details, as explained by the Personal Information Protection and Electronic Documents Act (PIPEDA), include “any factual or subjective information, recorded or not, about an identifiable individual,” such as:
- age, name, ID numbers, income, ethnic origin, or blood type
- opinions, evaluations, comments, social status, or disciplinary actions
- employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, or intentions such as buying goods or services or applying for a new job
What Does Law 25 Mean for Your Business?
Companies must adjust procedures for managing customer data and create policies for maintaining privacy to be in compliance by the end of 2024. View the related CFIB article on Law 25 compliance for private businesses.
The automatic confidentiality that Law 25 provides means businesses will need to deactivate profiling, identification, or tracking technologies. Organizations must provide people with the opportunity to clearly ‘opt in’ for such features.
Law 25 allows exceptions to default confidentiality, giving firms the authority to collect personal details in specific situations, such as:
- when the information is necessary to detect fraud or improve security.
- when necessary to deliver a product or service requested by an individual.
Obtaining permission to collect an individual’s data involves more than an ‘opt in’ button. Companies need to tell people in clear, simple language:
- why they are collecting information
- how they gather it
- how people can access or amend details captured
- how to withdraw permission
You must also identify the people within the company or any third parties who can access the data. If an organization transfers information outside of Quebec, the individual must be made aware. Companies will need parental consent to gather data for children under age 14.
If people want to withdraw permission to use their data, you must explain how the company will remove details from business systems. Under the new law, people now have the right to receive a digital copy of all personal information collected from them by any organization.
Establishing Privacy Policies
Privacy programs establish guidelines for:
- Roles and responsibilities for team members managing private information
- Action plans for managing privacy complaints
- Audits of third-party compliance with privacy policies
- Retention and disposal guidelines for personal information
Completing Privacy Impact Assessments (PIAs)
Evaluating compliance with requirements set by Law 25 must happen under the following circumstances:
- When companies buy, build, or revamp information systems
- Before an electronic service that involves personal details takes place
- Before disclosure of any information outside of Quebec
Appointing Data Protection Officers (DPOs)
Law 25 requires organizations to designate an individual responsible for ensuring compliance with the new legislation. A company’s CEO is responsible for oversight but can name someone else as the DPO, with that person’s name, title, and contact information available on the business website.
Conducting Confidentiality Incident Management
Law 25 mandates that organizations report privacy incidents or breaches to the Commission d’accès à l’information (CAI) du Québec (the organization responsible for access to information) and individuals affected. Companies must track violations of confidentiality and show the measures taken to lessen the risk of similar incidents happening again.
A breach includes the unlawful use of personal details, inadequate privacy notices, and failure to notify people about automated decisions or confidentiality breaches.
What Are the Penalties for Not Complying with Law 25?
The financial impact of not adhering to the rules established by Law 25 can be significant.
- Individuals could pay between $5,000 and $100,000 for violating the law.
- Public institutions face fines of between $3,000 and $30,000, with larger organizations subject to penalties of $15,000 to $150,000.
- Private companies risk up to 4 percent of sales or between $15,000 and $25,000,000 (whichever is the larger amount).
Companies may face additional liability under the Civil Code of Quebec.
Quebec Law 25 summary information also reveals that people can take private or collective legal action when breaches happen or when companies infringe on their privacy, whether intentionally or through error. Individual claims can be at least $1,000.
Law 25 Affects Companies Beyond Quebec
If your company operates outside of Quebec, you may think you’re unaffected by Bill 64. But organizations interacting with personal data from Quebec-based customers must have policies and procedures in place to comply with the law and pass any PIAs conducted by Quebec companies.
Additionally, Canadian legislators recently introduced Bill C-27, a compilation of the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. If enacted into law, Bill C-27 would replace PIPEDA with a more modern, robust privacy and data protection legal framework. The penalties for non-compliance with Bill C-27 are harsher than the fines associated with Law 25.
Preparing Your Organization for Law 25
Law 25 and emerging legislation reflect consumer fatigue and concern with corporate use of personal data. To comply with the law’s immediate requirements, you’ll need to:
- appoint a DPO if you want to separate oversight from your CEO’s responsibilities
- begin reporting privacy breach incidents to the CAI and affected individuals
Then, take the following steps to help meet the regulatory expectations as we shift into 2023:
- Complete an internal review of processes your company currently uses to collect, use, maintain and disclose personal details.
- Review business rules to identify markets outside of Quebec where your organization may transfer personal information.
- Talk with the DPO about roles, responsibilities, and delegation protocol for privacy management.
- Update current privacy policies to align with Law 25 guidelines.
- Examine third-party relationships or contracts to ensure personal information processing is handled correctly and consistently across your supply chain.
- Adjust your company’s current data consent practices to deliver the simple, clear, easily found messaging outlined in Law 25.
- Restructure your organization’s incident reporting to comply with the new law.
- Improve the transparency of individual access or data rights requests by making forms easy to find, complete, and send to your company.
- Establish the ‘right to be forgotten’ process that removes individuals from data systems upon request.
- Set a timetable for finalizing privacy policies, programs, and PIAs.
- Integrate a cookie consent bar into your website.
Although the journey to complying with Quebec Law 25 has a few twists and turns, the effort is essential to building and retaining trust with the people who purchase your products or services. Trust leads to loyalty and long-term success for your organization.
As your digital marketing agency in Montreal, WSI can assist you in ensuring that your business complies with the various obligations of Law 25 affecting your website and online presence. However, we strongly recommend that you contact your lawyer or legal counsel for more details on the new provisions of this law and how to prepare yourself.
Note: This article is for informational purposes only and should not be considered legal advice. Please consult your legal counsel for more information on the requirements of the new Law 25.