Webinar Round Up: Key considerations for Quebec Law 25 compliance
Posted: April 5, 2024
In our recent Cassie webinar hosted by Commercial Manager David McInerney, we delved into Quebec’s Law 25 and took the opportunity to talk to Saïd Azdoud, Manager of Privacy and Data Protection at Deloitte.
Tapping into Saïd’s extensive experience in the regulatory world, the discussion revealed some interesting compliance challenges still being faced by companies and looked ahead at the impact of the final enforcement due in September 2024.
If you missed the webinar, don’t worry; you can catch it on demand.
Here are the key takeaways…
Why is Quebec Law 25 important?
Law 25 is the latest of many global privacy laws. With the increasing digitization of our lives, businesses are entrusted with vast amounts of personal information, making the responsible and ethical handling of this data paramount. Consent management therefore serves as a cornerstone of building trust between businesses and their customers.
Data breaches and privacy concerns are making headlines worldwide, making customers more concerned with how their data is handled than ever. Most notably, in 2019, police in Quebec uncovered a cyberattack on Desjardins, one of Canada’s major banks. The attacker stole and sold personal information to a third party. This ended up affecting over 9.7 million victims worldwide in a two-year period. It was after this event, and the overall increase in cybercrime, that Law 25 was initiated.
What are the key considerations for companies enforcing Quebec Law 25 and maintaining compliance?
How Quebec Law 25 aligns with global standards
Many Quebec organizations with global activities and entities in diverse jurisdictions will have already established frameworks based on regulations like GDPR and CCPA. Using the privacy program implemented for GDPR (or other recent privacy regulations) provides a structured foundation. Leveraging this means companies do not have to start from scratch.
However, not all the requirements of GDPR/CPRA are like those in Law 25. Companies will be required to map legislation and adapt the program with the Quebec privacy law requirements in mind.
There will be a huge learning curve for Quebec-based businesses, but they have the advantage of being able to learn from what has already happened in Europe. GDPR created a huge shift for businesses. They now have significant experience in the implementation and development of privacy programs. Quebec organizations can use this experience and implement their privacy programs in a far more efficient manner.
Larger businesses have largely already embraced these changes as the Quebec government modernizes the aging privacy laws, holding companies accountable for the data they collect. Many businesses already have established frameworks based on global regulations. This can, however, cause confusion surrounding the intricacies of applying different laws over different regions.
For small businesses, compliance challenges stem from a variety of factors: allocating budget, the cost of resources, training, potential fines for non-compliance, and the cost of maintaining compliance over time.
Different sectors will also have different challenges, having to adhere to different levels of compliance. For instance, the healthcare and financial sectors are dealing with highly sensitive information, meaning they will have to manage compliance in a more detailed way.
With these challenges, it is important to consider the best way to react to the new digital privacy laws.
Early adoption vs reactive approach
We are now 6 months into Law 25, with the next steps being taken in September 2024. What is the course of action that we are going to see – early adoption or a reactive approach? It can be tempting to see what fines will happen and then work towards compliance retrospectively.
It is vital for businesses to not just meet the minimal requirements as and when they are required but get ahead of the curve on digital privacy. The digital landscape is continually evolving and changing – adopting now is key to maintaining compliance going forward. Reduce your risk of fines and increase trust with customer bases.
Global companies, so far, have been more likely to be early adopters, seeing privacy programs as a strategic asset.
Marketing consent strategies in light of Law 25
The digital landscape is changing at a lightning-fast pace as new regulations are enforced and customers become more reticent about giving away their data online. Marketing now faces the struggle of acquiring this data, which is vital for engaging customers and driving sales. Adhering to the strict rules of consent, while necessary for compliance, has resulted in diminishing opt-ins. This can mean that businesses struggle to rely on direct marketing strategies to engage with customers and drive sales.
That said, there are ways to balance this. There are many strategies to consider that encourage customers to opt-in while still respecting their privacy rights.
This could include:
- Clear and transparent communication about how personal data will be used
- Offering incentives for opting-in
- Providing easy ways for customers to manage their consent preferences
This can all be done with a comprehensive CMP tool. It is vital to choose one that is designed with marketing in mind to empower businesses to integrate regulations while ensuring the best possible outcomes for collecting relevant data.
Preparing for the future
What is on the horizon for compliance regulations?
From September 2024, there will be additional enforcement on Law 25 with ‘Offer a right to data portability’. Organizations will be required to provide personal information about an individual on request. They may also be required to disclose the information to another organization authorized to collect personal information at the individual’s request.
Guidelines around this point are expected from CAI as we approach September.
Technological changes are also entering the market. Things like artificial intelligence and blockchain could offer new ways to handle consent. Businesses will need to remain aware of all of these, and how they could bring up new privacy issues.
We are now at a turning point for how we handle consent – new technologies, changing laws, and people becoming more aware of their rights. Organizations need to be able to keep up with all of these changes.
Questions raised during the webinar
Does Law 25 apply to hospitals, health institutions, and social services?
No, Law 25 doesn’t apply to health institutions and social services. There is already Quebec’s health privacy legislation, which was adopted last April in the form of Bill 3. Bill 3 contains several requirements that are directly inspired by Law 25, and so does follow a similar framework. Bill 3 also applies to private organizations that provide health and social services, such as private clinics, pharmacies, medical laboratories, palliative care hospices and private seniors’ residences. Bill 3 also applies to a service provider that processes health information on behalf of a health body.
What’s next when it comes to Bill C-27 and its advancement?
We are waiting for Bill C-27 to come into force as it is still under revision. The Standing Committee of Industry and Technology is studying the bill and then it will go through the Senate for another session. As it stands, we don’t know yet when this will come into effect, but it is likely to be next year.
Has CAI issued any fines at this point?
Not that we are aware of [correct as of 4th April 2024]. CAI will give companies a bit of time to be compliant as it is taking more of an educational approach at this point. If a company is proactive in complying with Law 25, we can anticipate that the penalties will not be too heavy, at least initially.
Watch the full webinar
Gain insights into the challenges and implications of Quebec’s Law 25 in line with CAI guidelines. Explore the repercussions for businesses striving to attain full compliance, the obstacles encountered in enforcing the requirements, and the trajectory of Canadian privacy law.
In this 45-minute webinar, you’ll learn:
- The significance of consent management
- CAI Guidelines concerning valid consent
- Challenges encountered by brands
- Strategies to anticipate future developments