As of September 22, 2023, a new stage of Law 25 considerably changes the Quebec digital landscape, particularly for companies that manage websites. Here is an overview of this law, its implications and its consequences.
The province of Quebec has taken important steps to strengthen the protection of the personal information of its citizens. To find out more about this modernization initiative and understand its implications, I invite you to consult the official page of the Government of Quebec on the Modernization of the Protection of Personal Information.
Consequences of Law 25
The incentives for doing the work are significant: for non-compliance, a company could be fined up to $25 million, or 4% of global turnover.
What do you need to do to comply with Law 25?
1. Personal information governance policies and practices
It is now essential for every company to have clearly established and posted policies and practices regarding the management of personal information. This information must be expressed in simple terms, accessible to all, and easily found on the website.
It is wise to consult a lawyer specializing in digital law or data protection to ensure that all steps are correctly implemented and that the company is fully compliant with Law 25 for its documentation and privacy policy.
- Conduct a comprehensive audit of the data you collect, store and process.
- Identify what information is shared outside of Quebec and perform a Privacy Impact Assessment (PIA) accordingly.
2. Privacy Impact Assessment (PIA)
Before sharing personal information outside Quebec, a careful assessment must be made. This measure aims to guarantee that the data of Quebec citizens is protected, even outside the borders of the province.
- Develop (or update) policies and practices governing the governance of personal information.
- Publish these policies on your website in simple, accessible language.
3. New rules around consent
Companies must ensure that the consent given by the user for the collection, communication or use of their data is clear and informed.
- Make sure your website collects informed consent before collecting personal information.
- The consent process must be clear, simple and must not mislead. It could include explicit checkboxes for various uses.
4. Destruction or anonymization of data
As soon as the reason for which the data was collected is satisfied, companies have an obligation to destroy this information or anonymize it.
- Have procedures in place to destroy data once it is no longer needed or to anonymize it if it is used for serious and legitimate purposes.
Companies must now provide more transparency about how they use personal data.
- Make sure users can easily understand how their data is used, stored and shared.
- Propose mechanisms to respond to user requests for information.
6. Communication without consent
In certain specific circumstances, such as the performance of a contract, data can be shared without consent, but companies must comply with strict rules.
- Establish strict rules for exceptional circumstances where data can be shared without consent.
7. Communication of data outside Quebec
The law introduces new constraints for the sharing of information outside Quebec, in order to guarantee optimal protection of citizens.
- Review and strengthen your security measures to protect personal information.
- Configure your products or services to provide the highest level of privacy by default.
8. Use of personal information
Stricter guidelines now govern the use of data, ensuring better protection for individuals.
- If your site is aimed at or accessible to minors, put additional measures in place to protect their data.
- This could include a parental consent process or specific warnings.
9. Default Privacy Settings
Any public-facing technology product or service must now offer the highest level of privacy by default.
- Set up a mechanism allowing users to request cessation of distribution, reindexing or deindexing of their data.
10. Protection of minors
Minors' data benefits from enhanced protection, with specific obligations for the companies that collect it.
- Develop a procedure to allow relatives of a deceased person to access certain information, as required by law.
11. Right to be forgotten
Citizens can now demand the cessation of dissemination, re-indexing or de-indexing of certain data concerning them.
- Train your employees and all stakeholders on these new obligations.
- Make sure the entire team is aware and trained to follow the rules.
12. Facilitation of the grieving process
This provision, unique in its kind, allows relatives of a deceased person to access certain information to facilitate the grieving process.
- Schedule regular reviews of your policies and practices to ensure they remain compliant with the law and reflect industry best practices.
To deepen your understanding of the implications of Bill 25 in Quebec and discover how to effectively adapt your marketing strategy to this new regulation, I highly recommend reading this detailed article published on BOFU: LAW 25 IN QUEBEC IN SUMMARY: HOW TO NAVIGATE IN THE NEW DATA PROTECTION LANDSCAPE AND ADAPT YOUR MARKETING STRATEGY.
Bill 25 considerably strengthens the rights of Quebec citizens in terms of protecting their personal data. Companies must now be more proactive, transparent and respectful in the management of personal information. Although these new provisions require adaptation efforts, they contribute to establishing a more secure and respectful digital environment for all.