Quebec’s Law 25: 5 new requirements from September 2023
Posted: February 22, 2023
Quebec’s Law 25 brings a new standard of privacy and data protection to the province that arguably exceeds Canada’s federal law.
Some of Law 25’s provisions have already taken effect, but many of the most important rules will apply from September 2023.
Here are five important requirements that take effect from September 22, 2023, including transparency obligations, rules around “profiling” (which could be important for marketing teams), privacy impact assessments, policy requirements, and consumer rights.
1. Transparency Requirements
From 22 September 2023, the law requires organizations to provide “clear and simple” information about their personal information collection practices, both at the time of collection and on request.
This information includes:
The purposes for which you are collecting personal information.
The means by which you are collecting it.
Information about the rights of access and rectification (see below).
Information about the right to withdraw consent.
If applicable, the name of the third party for whom you are collecting personal information.
If applicable, the possibility that the personal information could be transferred outside of Quebec.
On request, you must also inform the individual of:
The personal information collected from them.
The categories of persons who have access to the information within your organization.
How long the personal information will be kept.
Contact information for your “person in charge” (you should have appointed your person in charge by September 2022).
2. Profiling and Automated Decisions
The law provides new rules regarding “profiling”, which is defined as:
“the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behavior”.
Note that this definition could extend to using marketing cookies, which can be used to “analyze… personal preferences, interests or behavior”.
From 22 September 2023, if you use “technology that includes functions allowing the person concerned to be identified, located or profiled”, you must first inform the person of:
The use of such technology.
The means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.
The law does not explicitly mention cookies. However, because marketing cookies are a technology that can identify or profile a visitor, this provision could be read as requiring a cookie banner or popup that tells visitors such cookies are in use and explains how to opt out of (deactivate) them.
3. Privacy Impact Assessments
From 22 September 2023, organizations must conduct a privacy impact assessment for any project involving a new technology (including existing technologies used in new ways) that processes personal information.
You must involve your “person in charge” in the privacy impact assessment from the very beginning.
As part of the assessment, you must consider how individuals will be able to access personal information collected by the new system in a “structured, commonly used technological format”.
The privacy impact assessment must be proportionate to:
The sensitivity of the personal information concerned.
The purposes for which you’re using the personal information.
The “quantity and distribution” of the personal information.
The medium on which the personal information is stored.
Your person in charge may suggest the following measures:
Measures to protect personal information in any document relating to the project.
A description of people’s responsibilities within the project.
Training activities for people involved in the project.
Appointing a person responsible for implementing these sorts of measures.
4. Policies and Practices
The law’s rules on “governance policies and practices regarding personal information” will also take effect from 22 September 2023.
You must produce a set of policies and practices governing how your organization collects and uses personal information. Your policies and practices must:
Provide a framework for keeping and deleting personal information.
Define the roles and responsibilities of your employees in managing personal information.
Provide a process for dealing with complaints about your personal information practices.
Your policies and practices must:
Be proportionate to the nature and scope of your business.
Be signed off by your person in charge.
Be published in “simple and clear terms” on your website.
5. Rights to Rectification and Erasure
The law provides new consumer rights similar to the “right to rectification” and the “right to erasure” under the EU’s General Data Protection Regulation (GDPR). These rights are effective from 22 September 2023, so you should prepare to receive requests from individuals.
Under the first of these provisions, people may request that “inaccurate, incomplete or equivocal” personal information about them is corrected.
People may also request that you “cease disseminating” their personal information or “de-index any hyperlink attached to (their) name”.
You must comply with such a request in either of two situations. The first is where disseminating the personal information is illegal. The second is where all of the following conditions are met:
Disseminating the personal information causes the person “serious injury” to their “reputation or privacy”.
That injury is clearly greater than both the public interest in knowing the information and the right to free expression.
Stopping the dissemination of the personal information does not exceed what is necessary to avoid perpetuating the injury.
There are several factors that you can take into consideration when assessing whether to comply with such a request, including (but not limited to):
Whether the person is a public figure.
How sensitive the information is.
The context in which the information is disseminated.