The Quebec National Assembly passed Bill 64, now known as Law 25, on September 21, 2021. It's an act respecting the protection of personal information in the private sector.

This privacy law shows that Québec has not only brought its legislation up to date, but it has also aligned its private and public sector privacy regimes. This demonstrates a clear commitment to ensuring that the province's residents have access to robust data protection safeguards.

Law 25 went into effect in September 2022, with additional provisions being rolled out in September 2023 and September 2024.

This article will cover who Law 25 applies to, what it requires, how to comply, and what penalties are on the table for non-compliance.


Who Must Comply With Law 25?

All organizations with customers, employees, or operations in Québec must comply with the law.

What Does Law 25 Require?

In order to comply with Law 25, businesses must:

  • Establish data governance processes
  • Create company-wide data management policies
  • Implement technological solutions to de-index or transfer personal data upon request
  • Publish internal guidelines to support staff and service providers in the implementation of the new privacy regime

Failure to do any of the things listed above could result in significant financial penalties.

When Does Quebec's Privacy Law Come into Force?

While some provisions will come into force sooner than others, the Act as a whole will be implemented in September 2024. This gives organizations time to prepare for the new requirements and ensure they are compliant with the law.

The following time frame provides a snapshot of various amendments and when they come into effect:

2022
  • The appointment of a person in charge of the protection of personal information
  • Mandatory reporting of confidentiality incidents
  • Communication of personal data for concluding a commercial transaction
  • Communication of personal information for research purposes
  • Amendments to the biometrics provisions of the QC IT Act
2023
  • Governance policies and practices regarding personal information
  • Privacy impact assessments
  • Transparency and privacy notices
  • Identification, geolocation tracking, and profiling technologies
  • New consent requirements
  • New consent exceptions
  • Privacy by default
  • Automated decision-making
  • Transfers of personal information outside Québec
  • Outsourcing personal information
  • Retention and destruction of personal information
  • Right to be forgotten
  • New enforcement mechanisms
2024
  • Right to data portability

2022 Compliance Requirements

The Establishment of a "Privacy Officer"

Every business must now appoint a person to protect personal information. That individual will have the title of "Privacy Officer."

In order to fulfill this role, the Privacy Officer must have an understanding of the Act and be familiar with the various ways in which personal information can be protected.

Specifically, the Privacy Officer must be able to address issues surrounding:

  • Questions or complaints about how the organization handles personal information
  • Requests to correct personal information
  • Access to information requests

The cybersecurity duty falls on the shoulders of the CEO by default. As the highest authority within an organization, it is up to that individual to ensure that their company is doing everything possible to protect its data.

With that said, the law permits the CEO to delegate the responsibility to someone inside or outside the organization. Still, the CEO must do it in writing, and records must be kept as to who is precisely responsible.

Once the Privacy Officer is established, that individual's title and contact information must be posted on the organization's website.

Here's an example of this, from the U.S. DOI:

USA Dept of the Interior: Privacy Officers contact information chart excerpt

Interestingly, Law 25 does not require the Privacy Officer to be located in Québec or know French. However, businesses should consider it a best practice to ensure that their Privacy Officer has a working knowledge of both.

Reporting Data Breaches

As soon as a business has reason to believe that a breach has occurred involving personal data in its custody, it must take reasonable measures to reduce any risk of harm and to prevent similar incidents from occurring.

This includes notifying individuals who may have been impacted by the breach and taking steps to protect their privacy.

Discover Card data breach notice

Law 25's definition of "confidentiality incident" is "access to, use, or communication of personal information not authorized by law, as well as the loss or any infringement of the protection of such information."

This is a stricter definition of a data breach than that used by other Canadian privacy laws. Law 25 widens the scope to include the unauthorized use of personal information.

Additionally, as soon as an organization becomes aware of a risk of serious injury, it is required to notify the Commission d'accès à l'information (CAI) and any person whose personal information may be affected.

The organization that was a victim of a breach may also notify credit institutions and other third parties without obtaining the consent of impacted individuals, if it believes doing so can help reduce the risk of harm to impacted customers. During the process, the business may only disclose the personal information that is necessary.

The caveat here is that a business cannot notify third parties if doing so might interfere with law enforcement and regulatory investigations.

The threshold for when an organization must report a "risk of serious injury" appears to be equivalent to the reporting threshold of a "real risk of significant harm" under PIPEDA:

This means that the business must consider:

  • The sensitivity of the data concerned
  • The anticipated repercussions of its use
  • The likelihood that such data will be used for harmful purposes

Finally, in order to keep your business safe and in compliance with the law, you will need to log every confidentiality incident. By keeping a register of these incidents, you will be able to provide information to the CAI upon request.

Keep in mind that starting in late 2023, the CAI will have the authority to order any individual involved in a confidentiality incident to take any measure needed to protect the rights of those concerned.

This includes, but is not limited to:

  • Suspending or terminating access to an information system
  • Removing content from online platforms
  • Prohibiting or restricting contact with persons concerned

Communication of Personal Information for Commercial Transactions

During commercial transactions, personal information may be communicated to other parties without the consent of the persons concerned.

The parties in question must agree prior to the communication, stipulating that the receiving party must:

  • Use the data only for concluding the commercial transaction
  • Not communicate the data without the consent of the person concerned
  • Take the necessary measures required to protect the confidentiality of the data
  • Destroy the data if the commercial transaction is not concluded, or if using the data is no longer necessary for concluding the commercial transaction

After the commercial transaction concludes, the law requires that the receiving party notify the persons impacted within a reasonable period of time that it now holds personal data concerning them in connection with the transaction.

This notification must include how and why the recipient intends to use their personal information.

This amendment brings Law 25's approach to commercial transactions in line with PIPEDA, Alberta's PIPA, and BC's PIPA.

Communication of Personal Information for Research Purposes

Suppose your organization is interested in conducting research or studies that involve personal information. In that case, you will now be able to do so without having to go through the process of seeking authorization from the CAI or obtaining consent from individuals.

Under the law, businesses may communicate personal information without prior consent to any body or person who intends to use it for research purposes. However, the organization must reach the following conclusions and conduct an assessment of privacy factors before doing so.

The organization must:

  • Believe that the objective of the study or research or of the production of statistics can be achieved only if the data is communicated in a form allowing the persons concerned to be identified
  • Believe that it is unreasonable to require the person or body to obtain the consent of the persons concerned
  • Believe that the objective of the research or study, or of the production of statistics, outweighs, in light of the public interest, the consequences of communicating and using the data on the privacy of the persons concerned
  • Ensure the personal information is used in such a manner as to ensure confidentiality, and
  • Ensure only the necessary information is communicated

2023 Compliance Requirements

Establish and Implement a Privacy Framework

Businesses will have to establish and implement a privacy framework comprising practices and policies that are proportional to the extent and nature of the company's activities to protect personal information.

Law 25 sets out specific policies regarding the protection and destruction of personal data, the responsibilities and roles of staff members throughout the information life cycle, and the implementation of a process to handle complaints.

The Privacy Officer must approve the privacy framework. In addition, the organization must publish on its website, in clear and straightforward language, detailed information about these policies and practices. This will help customers make knowledgeable decisions about their personal data when interacting with your company.

Ensure Transparency

The GDPR has brought about a new era of transparency and control for individuals with respect to their personal data. Law 25 continues the trend by demanding increased levels of accountability on the part of organizations.

Under the law, companies now have expanded disclosure obligations, including:

  • The purposes for which personal data is collected
  • The means by which the data is collected
  • Rights of access and rectification
  • The individual's right to withdraw consent to the communication or use of the information
  • Whether there is the possibility that the data may be communicated outside Québec, and
  • The names, or the categories, of the third parties to whom it is necessary to communicate the data

This can all be accomplished by drafting and posting a compliant Privacy Policy.

Your Privacy Policy should be linked from your site's footer, like so:

Business Wire website footer with Privacy Statement link highlighted

Here's an example of a Privacy Policy clause that outlines user rights, including the right of access and the right to withdraw consent:

Sharp UK Privacy Policy: Your Rights clause with Withdraw Consent section highlighted

The addition of this new provision will certainly add complexity for organizations as they strive to comply with Québec's data protection law. However, by taking a risk-based approach and working closely with their third-party processors, organizations should be able to manage the additional obligations imposed by this amendment.

As previously stated, businesses that use technology to gather personal data will now have to post clear and easy-to-understand notices regarding their privacy practices.

Types of technology specifically mentioned during the data gathering process include the use of digital marketing technologies to track, identify, and profile individuals, such as certain kinds of cookies.

Here's an example of a Privacy Policy clause that outlines how some data types are collected using types of technology:

Scholastic Kids Privacy Policy: Information Collected clause excerpt

The term "technology" under Law 25 is also understood to include:

  • Mobile devices and applications
  • Streaming media services

Before collecting personal information, businesses must give their users prior notice that they are, in fact, using these kinds of technology.

They must also provide their users with a notice any time they amend their privacy notice.

You can send this notice in a variety of ways, including via a pop-up on your site, an email sent to users, and a note of update added to your Privacy Policy URL:

Generic mobile email Updates to our Privacy Policy in accordance with GDPR

Here's how you can add a note to your Privacy Policy URL:

Generic website footer with Privacy Policy link and updated date highlighted

You can also include a clause in your Privacy Policy that lets users know how you'll be notifying them, like so:

Smart Passive Income Privacy Policy: Privacy Policy Modifications and Updates clause

While this might sound inconvenient to some, it is intended to lead to more transparency and trust between businesses and consumers.

Privacy Impact Assessments

Law 25 takes a note from the GDPR and requires businesses to carry out a privacy impact assessment of all projects involving the use of personal information.

The nature of these projects includes those that involve the development, acquisition, or redesign of an electronic service or information system. Businesses must now put into place privacy by design measures.

Privacy By Default

Essentially, a company's privacy framework for public-facing services or products must be set (without requiring a user to do anything) at the highest confidentiality level possible by default.

There are new rules for consent under the law. For instance, if an organization provides notice of its purposes for collecting personal information at the time of collection, consent is assumed when the business carries out those purposes with the personal information it holds, except in cases of medical, biometric, or otherwise intimate information.

Law 25 reframes consent as being "clear, free, and informed and [...] given for specific purposes," which is slightly different from "manifest, free, and enlightened, and [...] given for specific purposes."

Here's an example of clear consent being obtained via an "I Agree" checkbox that a user will check to show consent:

Dr Kim Brown sign-up form with Agree checkbox highlighted

That said, it is vital to note that unless the additional use falls within one of the exceptions listed in the law, businesses must obtain consent from the person concerned.

The changes in the law allow for greater flexibility in how companies can use personal data.

For example, a company can use personal information for a different use than that for which it was originally collected without notifying customers if:

  • There is a direct and relevant connection with the initial purpose
  • It is obviously for the benefit of the customers concerned
  • It is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures
  • It is necessary for the supply or delivery of a product or the provision of a service requested by the person concerned, or
  • It is necessary for study or research purposes, or for the production of statistics, where the information is de-identified

Finally, businesses must ensure that parental consent is obtained when collecting, using, or communicating information obtained from children who are less than 14 years old.

Enforcement and Penalties for Non-Compliance

The CAI will now have the ability to levy heavy administrative monetary penalties for violations of Law 25. This should act as a deterrent for companies from violating the Act and help ensure that consumers are better protected.

Penalties for non-compliance can be severe, reaching up to CA$50,000 for individuals and CA$10 million or 2% of global turnover for organizations.

While it is not likely that your business will be fined the maximum amount should you violate the law, it is crucial to be aware of potential penalties and what constitutes a violation.

By understanding how personal data must be collected, used, and stored according to Law 25, you can help keep your customers' data safe and protect your company from potential fines.

Summary

Quebec's privacy law is incredibly complex and comprehensive.

To stay compliant and avoid penalties, organizations must take a holistic view of their internal compliance processes and update these where necessary to mitigate the risks associated with data privacy violations.

By doing so, they can ensure that they are best positioned to protect their customers' private information while also mitigating financial risks.

The point is that time is ticking away for businesses to bring themselves into compliance with Quebec's privacy law. By creating a compliance plan, your organization can ensure that it is on track to meet the requirements of Law 25.
