In an increasingly digitalized world where personal data has become a valuable resource, the need to protect the confidentiality and integrity of this information has never been more important.
In this context, the province of Quebec, Canada, recently introduced Bill 25, an innovative law aimed at strengthening the protection of consumers' personal data. This new regulation, which is inspired by the European Union's General Data Protection Regulation (GDPR), represents a major turning point for companies across all sectors.
Law 25 covers several key areas, ranging from the explicit consent required for data collection to the protection of minors' data, to the rights of individuals to access their information and request its deletion.
It also has a significant impact on digital marketing strategies, imposing tighter restrictions on how companies can use consumer data for targeted advertising.
This text explores the various aspects of this law, its scope, the changes required for businesses, and how tools such as customer relationship management (CRM) software can help with compliance. It also discusses the practical implications for businesses of different sizes and sectors, and provides useful advice on how to navigate this new regulatory landscape.
Whether you are a business leader looking to understand what this law means for your organization, or simply someone interested in how data protection is evolving, this text is for you.
Law 25 and its deadlines in summary
By September 22, 2022:
- Designation of a person responsible for the protection of personal information: This involves identifying an internal person or team who will be responsible for ensuring compliance with personal data protection obligations. This person will serve as a point of contact for employees and customers in the event of questions or problems related to data protection.
- Implementing measures in the event of a privacy incident: These measures include policies and procedures to identify, report and manage any data breach. This could include how the company must notify affected individuals and the data protection authority.
- Compliance with new rules for the communication of personal information without consent for study, research or statistical purposes: These new rules could require the anonymization of data for certain uses, in order to protect the identity of the persons concerned.
- Privacy Impact Assessment (PIA): This is a systematic evaluation of the risks that a new product, system, initiative or program could pose to individuals' privacy. It helps identify and mitigate potential risks at an early stage.
- Prior notification to the Commission in case of verification or confirmation of identity by biometric characteristics or measures: If the company plans to use biometric characteristics to verify the identity of an individual (e.g. fingerprints, facial recognition), it must inform the Commission before doing so.
By September 22, 2023:
- Establishing policies and practices governing the governance of personal information: This involves developing internal policies and procedures to ensure data protection at all levels of the organization.
- Conducting a privacy impact assessment (PIA, known in French as an EFVP) when communicating personal information outside Quebec: If data is transferred outside the jurisdiction, a privacy impact assessment must be carried out to ensure that the data will be treated with the same level of protection.
- Compliance with new rules regarding consent: Businesses must obtain informed, specific and unambiguous consent before collecting, using or disclosing personal data.
- Destruction or anonymization of personal information: When data is no longer required, it must either be destroyed or made anonymous so that the individual can no longer be identified.
- Compliance with new information and transparency obligations towards citizens: This means that companies must be clear about how they use personal data and that they must provide this information in an understandable way.
- Compliance with new rules for sharing personal information without consent: Generally, consent is required to share personal data. However, there may be exceptions where consent is not required. These new rules will clarify when and how this can happen.
- Compliance with the new rules for communicating personal information outside Quebec: Data transferred outside Quebec must be protected in the same way as if it were kept in Quebec.
- Compliance with new rules for using personal information: These rules specify how data can be used, including restrictions on use for secondary purposes without the individual's consent.
- Default provision of maximum privacy settings for technology products or services offered: This means that the default privacy settings of products or services must be set to the highest level of data protection.
- Compliance with new rules for collecting personal information about a minor: Data about minors often has a higher level of protection, and new rules specify how this data must be collected and used.
- Respect for the right to cease dissemination, reindexing or deindexing (right to be forgotten): Individuals have the right to request that their data be deleted or deindexed from search engines.
- Compliance with new rules for sharing personal information to facilitate the grieving process: In some cases, it may be necessary to share personal information to facilitate the grieving process. These new rules will specify how this should be done.
By September 22, 2024:
- Responding to requests for portability of personal information: Individuals have the right to request a copy of their data in a usable format and to transfer that data to another organization. Businesses must be able to respond to these requests.
These concrete measures are necessary to ensure that companies comply with current data protection legislation. Proper training of staff is essential to ensure their effective implementation and compliance.
OPT-IN VS OPT-OUT
In the context of Quebec's Bill 25, which strengthens data protection rules, the concepts of "opt-in" and "opt-out" are extremely important for understanding how companies can obtain and use their customers' personal data.
Opt-in: This is a proactive approach to consent management. In other words, the company can only collect or use an individual's personal data if they have explicitly given their consent. This could be by checking a box on an online form or signing a consent agreement. In the context of Bill 25, this is generally the preferred approach, as it respects the principle of prior consent.
Opt-out: This approach allows the company to collect or use an individual's personal data unless the individual explicitly disagrees or requests to be excluded. This is a more passive approach, where silence or inaction is interpreted as consent. However, under Bill 25, this approach is generally insufficient to comply with the new consent rules.
Thus, Law 25 strongly favors the "opt-in" approach to the collection and use of personal data. This means that companies must obtain explicit and informed consent before collecting or using their customers' personal data. They must also be able to demonstrate that they have obtained this consent if questioned by regulatory authorities.
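As an added example (not code from the original article), the opt-in rule and the duty to demonstrate consent can be encoded in a small consent ledger: only an affirmative act is accepted, the default is no consent, withdrawal is honoured, and the full history for a purpose can be produced on request. The purpose names, action names and record fields are assumptions made for this illustration.

```python
"""Opt-in consent ledger (added example; field and purpose names are assumed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Only an affirmative act by the individual counts as consent (opt-in).
AFFIRMATIVE_ACTIONS = {"checkbox_ticked", "signed_agreement", "button_clicked"}
# Pre-ticked boxes, silence or continued browsing are opt-out patterns: rejected.
NON_AFFIRMATIVE_ACTIONS = {"prechecked_box", "no_response", "continued_browsing"}


@dataclass
class ConsentEvent:
    purpose: str          # e.g. "marketing_email" (assumed purpose name)
    granted: bool         # True = consent given, False = consent withdrawn
    action: str           # how the individual expressed the choice
    notice_version: str   # which privacy notice they were shown at the time
    at: datetime          # UTC timestamp, so the history can be proven later


@dataclass
class ConsentLedger:
    events: list[ConsentEvent] = field(default_factory=list)

    def record_opt_in(self, purpose, action, notice_version, at=None):
        """Record consent only for an explicit, affirmative action."""
        if action not in AFFIRMATIVE_ACTIONS:
            # Inferred "consent" is never written to the ledger.
            raise ValueError(f"'{action}' is not an affirmative act; consent not recorded")
        when = at or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(purpose, True, action, notice_version, when))

    def withdraw(self, purpose, at=None):
        """A withdrawal request is always honoured and kept in the trail."""
        when = at or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(purpose, False, "withdrawal_request", "-", when))

    def has_consent(self, purpose):
        """Default is no consent; the most recent event for the purpose decides."""
        latest = None
        for e in self.events:
            if e.purpose == purpose and (latest is None or e.at >= latest.at):
                latest = e
        return latest is not None and latest.granted

    def evidence(self, purpose):
        """Audit trail to show a regulator: every event for this purpose, oldest first."""
        return sorted((e for e in self.events if e.purpose == purpose), key=lambda e: e.at)
```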
Impact of Law 25 on different types of businesses or legal forms
This privacy law has implications for all types of businesses, regardless of their status or structure. Specific obligations may vary depending on the size of the business, the type of data it processes and how it uses that data.
Nonprofit organizations (NPOs): These organizations often handle sensitive data, including information about beneficiaries, donors, volunteers, and employees. They must comply with the same regulations as for-profit companies when it comes to data protection. This can mean an investment in terms of time and resources to ensure compliance, which can be a challenge for NPOs that often have limited resources.
Private companies: For these companies, compliance with the new law may require a significant investment in terms of implementing new policies, training staff and adapting IT systems. However, there is also a commercial benefit to ensuring good management of personal data. Companies that demonstrate that they take data protection seriously can gain the trust of their customers, which can provide a competitive advantage.
Public companies: Public companies, particularly those that provide public services or handle sensitive data, will also need to comply with the new regulations. As with private companies, this may require an investment of time and resources. However, compliance with data protection legislation can also improve public confidence in how these companies handle their personal information.
Small and medium-sized enterprises (SMEs): SMEs may be particularly affected by the new law, as they often have fewer resources to manage compliance. However, it is important to note that even small businesses can handle significant volumes of personal data, and it is therefore crucial that they comply with the law.
It is important to note that the law applies to all organizations that process personal data, whether they are located in Quebec or not. Therefore, organizations based outside Quebec, but that process the personal data of Quebec residents, will also have to comply with the legislation.
Proper management of your customer and prospect database requires HubSpot
A CRM (Customer Relationship Management) like HubSpot can help businesses comply with Quebec's new privacy law in several ways:
Data Organization: A good CRM can organize and manage customer data efficiently. It provides visibility into the origin, usage, and storage of data, which is crucial to meet the requirements of the new law. Additionally, it makes it easy to update, correct, or delete data in response to customer requests.
Customer Consent: Modern CRMs can help manage customer consent by recording and tracking consent for different data uses. For example, HubSpot can help track who has consented to what type of marketing communication, and can easily withdraw that consent if the customer requests it.
Data Security: HubSpot has built-in data security measures, like encryption, that can help protect sensitive customer data. The law requires that organizations take steps to protect personal data, and using a secure CRM like HubSpot can help meet this requirement.
Data Access and Portability: If a customer requests to see their data or transfer it to another organization, a CRM can facilitate this process by bringing all relevant data together in one place.
Data Deletion: If a customer requests deletion of their data, a CRM like HubSpot allows for easy and permanent deletion of customer information across the system.
It is important to note that if a business is using a CRM to store and manage customer data, it should always ensure that the CRM provider is also legally compliant. In HubSpot's case, they have a comprehensive privacy policy and procedures to help their customers be compliant with data protection laws.
What is the impact of Law 25 on advertising and technology platforms?
Quebec's Bill 25 has major implications for small and medium-sized businesses (SMEs) that use advertising platforms like Google Ads, Facebook Ads and LinkedIn Ads for their marketing campaigns. Here are some concrete changes:
- Prior consent: SMEs must ensure that they have obtained prior consent from users before collecting or using their data for advertising campaigns. This means that SMEs will likely need to modify their registration or contact forms to include checkboxes or other mechanisms that allow users to provide informed consent.
- Ad targeting: Many SMEs use behavioural targeting to display relevant ads to users based on their online behaviour. However, under Bill 25, these practices could be restricted if they involve the collection or use of personal data without consent. SMEs will need to be careful about how they use these platforms for ad targeting.
- Cookies and other trackers: SMEs that use cookies or other trackers to track user behaviour and display targeted ads must also obtain user consent before deploying them. This may require implementing a cookie banner or other consent mechanism on their website.
- Transparency: SMEs should be transparent about how they collect and use user data for advertising. This may require updating privacy policies and consent notices to include detailed information about advertising practices.
- Managing user requests: Under Law 25, users have the right to request access to their data, rectify it, delete it or object to its processing for marketing reasons. SMEs will need to put systems in place to manage these requests effectively.
It is important to note that these changes do not only apply to SMEs based in Quebec, but to any company that collects or uses data from Quebec residents, regardless of its location. Therefore, SMEs should be aware of the implications of this law, even if they are based outside of Quebec.
What content should be modified on my website in order to comply with Law 25?
In order to comply with the requirements of Quebec's Bill 25, several pages and sections of a website may require modifications, particularly those that deal with the collection, use and storage of user data. Here are the most common pages that may require an update:
- Privacy Policy: This page should provide a clear and transparent explanation of what types of data you collect, how you use it, who you share it with, and how long you retain it. It should also include information about users' data protection rights and how they can exercise those rights.
- Terms and Conditions: While terms and conditions are not typically privacy-focused, they may need to be modified to include information about how you handle personal data and what users' obligations are regarding that data.
- Consent/Registration Page: If you have a registration page or other page where users provide their data, you will need to ensure that it contains a clear explanation of how you intend to use that data and gives users the opportunity to give consent.
- Contact and Form Pages: If you collect information through contact forms or other types of forms, these pages should clearly state why you are collecting the information and how you intend to use it.
- Cookie banner / cookie policy page: If you use cookies or other tracking technologies, you will need to provide clear information about these technologies and obtain user consent before deploying them.
In addition to what has already been discussed, there are several other important aspects to consider in relation to Law 25.
- Role of a Data Protection Officer (DPO): It is important to consider whether to hire or appoint a DPO in your company, especially if you process a large volume of sensitive data. The DPO oversees the data protection strategy and ensures compliance with data protection laws.
- Transferring data abroad: Bill 25 may impact how you transfer data outside of Quebec or Canada. You will need to ensure that the recipient country offers an equivalent level of data protection.
- Data Breach Management: The law requires that you promptly report any data breach to the relevant authority and, in some cases, to the affected individuals. It is therefore crucial to have a process in place to manage such incidents.
- Staff training and awareness: To ensure compliance with the law, it is essential that all members of your staff understand the importance of data protection and know how to handle personal data correctly.
- Data Protection by Design: This is an approach that involves considering the protection of personal data from the very first stages of any new project, product or service.
- Data Protection Impact Assessments (DPIAs): For certain types of processing, particularly those that pose a high risk to the rights and freedoms of individuals, you may be required to carry out a DPIA before you start processing.
- Relationship with subcontractors: You will need to check that your subcontractors also comply with the law. It may be necessary to renegotiate your contracts to include specific clauses on data protection.
Each of these topics may require more detailed exploration depending on your specific business and how you handle personal data.
Conclusion
In conclusion, the new law 25 on the protection of personal data in Quebec represents a major change for companies, whether private, public or non-profit. Its scope goes far beyond the simple management of customer databases. It significantly impacts digital marketing campaigns, customer relationship management software like HubSpot, and much more.
When it comes to digital marketing, businesses will need to ensure that their campaigns on platforms such as Google Ads, Facebook Ads and LinkedIn Ads are compliant with consent and data protection regulations. It is now essential to focus on an opt-in rather than opt-out approach, ensuring that every interaction with the customer respects their privacy rights.
In the context of data management, tools like HubSpot can play a key role in helping businesses centralize, secure, and manage their customer data in a compliant manner. This includes documenting consents, managing data access requests, and implementing appropriate security measures.
Finally, good data management is not just about regulatory compliance. It is also about respecting customer privacy, trust and strong customer relationships.
In today's competitive landscape, where marketing personalization is essential but must be balanced with privacy concerns, effective data management can be a real competitive advantage.
Adapting to Law 25 may seem like a daunting task, but it can also be an opportunity to rethink and improve your data management processes and marketing strategies. The goal is not just to comply with the law, but also to create a corporate culture focused on respecting your customers' personal data.
Glossary of technical terms concerning Quebec law 25 and more broadly the protection of personal data in the web context
- Personal data (or personal information): Any information relating to an identified or identifiable natural person. This may include name, email address, IP address, etc.
- Consent: Authorization freely given by the individual concerned for his or her personal data to be processed. Consent must be explicit and informed.
- Cookies: Small files placed on a user's device when they visit a website. They can be used to track the user's activities on the site, to personalize the user's experience, etc.
- Opt-in/Opt-out: Mechanisms that give the user the opportunity to choose whether or not to receive marketing communications. Opt-in means that the user must give their explicit consent, while with opt-out, they are presumed to have given their consent unless they declare otherwise.
- Encryption: The process of converting information into a secret code to prevent unauthorized access.
- Privacy Policy: A document that explains how a company collects, uses, discloses, and manages user data.
- Anonymization: The process of transforming data to prevent the identification of an individual. Once anonymized, the data is no longer considered personal.
- Pseudonymization: The process of replacing fields in data records with artificial identifiers or pseudonyms to prevent direct identification.
- Data Subject Rights: The rights that individuals have regarding their personal data, such as the right of access, rectification, deletion (right to be forgotten), etc.
- Data Controller: The entity (usually a company or organization) that determines the purposes and means of the processing of personal data.
- Processor: The entity that processes personal data on behalf of the controller.
- Data portability: The right of individuals to receive their personal data in a structured, commonly used and machine-readable format and to transfer it to another controller.