What is Law 25?

Law 25 declares new legislative provisions regarding the protection of personal information. This law aims to protect the Quebec population by making companies responsible for the personal information they hold.

Part of the new legislative provisions of Law 25 came into force on September 22, 2022. It should be noted that other provisions will take effect in September 2023 and 2024, including the obligation to implement a policy governing the governance of personal information.

 

What are the impacts on your business?

The Commission d’access à l’information du Québec is the body responsible for monitoring the application of Law 25. In the event of non-compliance with the law, the Commission can impose significant sanctions, amounting to up to $25 million or 4% of the company’s global revenue. The sanctions for breaches of this new Law are explained here.

 

Why adopted this new measure?

Adopted this new law means that you must mention your practices aimed at protecting the information and privacy of Internet users who browse your site. The goal is to be transparent with your users. This formality, called Law 25, applies to the use and communication of any information collected, as well as to the way in which your website collects the information in question. This policy which must be put in place applies as long as you hold the information.

 

How to comply?

To help you comply with Law 25, which will gradually come into force in September 2022, we recommend that you take the following measures on your website or contact us to help you:

 

Privacy Policy: Make sure you have a clearly visible Privacy Policy on your website. This policy should transparently describe how you collect, use, store and protect users’ personal data. Be sure to also include the contact information of the person responsible for data protection.

Informed consent: Obtain explicit consent from users before collecting their personal data. Make sure users understand what data is collected, what it is used for, and how it will be stored and protected.

Data Security: Implement appropriate security measures to protect personal data collected on your website from unauthorized access, leakage or theft.

User Rights: Respect user rights such as the right to access, rectify, erase and object to the collection and processing of their personal data. Make sure you have a mechanism for users to exercise these rights.

Cookies and Tracking Technologies: If your site uses cookies or other tracking technologies, clearly inform users of their use and obtain their consent where necessary. In accordance with Law 25, users must have the opportunity to refuse these technologies.

Data Retention Period: Set appropriate retention periods for collected personal data. Retain this data only for as long as necessary for the purposes for which it was collected.

Training and Awareness: Train your team on best practices for privacy protection and Law 25 compliance. Raise awareness about the importance of data security.

Compliance Audit: Conduct regular compliance audits to ensure your website continually complies with Act 25 requirements.

Point of Contact: Ensure that users have an easy way to contact you with questions about the collection and processing of their personal data.

 

Why respect this new Bill 25?

Compliance can be complex, but following the law is essential to protect the rights and privacy of your users. If you have any questions or need assistance implementing these measures, I encourage you to consult a data protection lawyer or compliance expert.

Bill 25 aims to protect the personal data of Quebec citizens, and we are here to support you in your efforts to respect this important legislation.

Bill 25 applies to any person who collects, holds, uses or communicates to third parties personal information about others during the operation of a business, regardless of its size.

 

Does this Law concern you?

If you answer yes to any of these statements below, it means that you are probably subject to it:

  • You have a newsletter form on your site
  • Do you have a contact request form on your site?
  • You or a third party have installed a script for analyzing and tracking traffic from Google (Google Analytics), Google Ads, Facebook (pixel), LinkedIn, X or others
  • Do you have an online business?
  • You host advertising on your site
  • Do you have a blog and allow non-anonymous comments
  • Do you have a social media button?
  • Does your site contain a Youtube video or another source embedded on a page?

Our team can help you create your Compliance Policy page and implement it on your site. We can also implement your cookie management system and information collected on your site compatible with Google’s consent mode.