Quebec’s Bill 64 (Law 25) – Everything You Need to Know for Privacy Compliance

by Robert Burko

If you’re reading this, you’ve probably heard about Quebec’s Law 25 (initially introduced as Bill 64) and have questions: What is it? How does it impact my business or brands? What do I need to do to be compliant? How soon is this all happening?

These are all good questions that deserve good answers, especially since non-compliance fines can be pretty steep! Fear not; we have created this comprehensive guide to equip you with everything you need to navigate this landmark legislation in plain English. (Side note, you may not like everything you read, but please don’t shoot the messenger. The good folks at Elite Digital only have one goal: to help YOU!)

If you’re wondering, “I am not based in Quebec; does Law 25 affect me?”, the answer is yes, so keep reading. Anyone who does business with people who live in Quebec is within the reach of this new privacy legislation.

This new legislation brings some dramatic changes to the privacy landscape within Canada and could be a framework that gets adopted for other provinces. At Elite Digital, we firmly believe in the vital importance of consumer privacy. Still, this article will focus on how business owners, marketers, brand managers and other stakeholders can prepare for what is to come.

What is Quebec’s Bill 64 (Law 25)?

Bill 64, now named Law 25, is a legislative act that aims to completely transform the privacy regime in Quebec, Canada. The provincial government of Quebec initially introduced it in June 2020 and formally adopted it into law in September 2021. The Bill includes a wide assortment of new rules for businesses based within Quebec and those doing business within the province. This is important to note because any company that operates nationally across Canada, including Quebec, needs to pay attention. The Bill has a three-year roll-out period that started in 2022, with the next significant wave coming into effect on September 23, 2023.

Some of the significant updates Law 25 brings to the privacy world in Quebec include strengthened privacy rights for individuals, along with new business requirements, such as privacy policies, risk assessments, and data breach notification.

If you’re familiar with the General Data Protection Regulation (GDPR) that governs the EU, Law 25 brings Quebec closer to the same privacy requirements.

Key Highlights That Came into Effect on September 22, 2022

Let’s take a quick trip down memory lane in case you missed the memo last year because various new requirements are already in effect today.

As of September 22, 2022, the following new rules are live:

  • Designate a person within your organization who is in charge of the protection of personal information (i.e., you need a “Privacy Officer”).
    • Keep in mind any individual can be designated as a privacy officer. Law 25 defaults the responsibility of overseeing compliance to the highest senior employee (such as the CEO). If a privacy officer other than the CEO is established, organizations must publish that individual’s name, title, and contact information on their website so they can be contacted.
  • In the event of a confidentiality breach involving personal information:
    • Take all reasonable measures to minimize the risk of damage being caused to the persons concerned and to prevent new incidents of the same type from occurring;
    • Notify the Commission d’accès à l’information du Québec (CAI) and the impacted parties by completing this form (which is in French);
    • Keep a register of confidentiality incidents and security breaches, and send a copy of it to the Commission at its request.
  • Respect the new rules for the communication of personal information without the consent of the person concerned (the document is in French) for study, research or statistical purposes and in the context of a commercial transaction.
  • Conduct a Privacy Impact Assessment (the document is in French), also referred to as a “PIA,” before communicating personal information without the consent of the person impacted for study, research or statistical purposes.
  • Notify the Commission before carrying out an identity verification or confirmation by using biometric characteristics or measurements by completing this form (the form is in French).

Hopefully, you can already check all those boxes, and we can turn our attention to what’s coming up so you fully understand all the implications of Law 25.


Understanding Privacy Changes

The privacy changes introduced by Bill 64 (Law 25) have VERY far-reaching implications. Let’s be very clear; this is not something you can ignore. At Elite Digital, we have been helping our clients prepare for this new rulebook to ensure they remain on the right side of the law and avoid hefty fines (and bad press).

Let’s jump into some key aspects so that you’re well on your way to knowing everything you need.

Scope of the Privacy Changes

Bill 64 extends its reach beyond traditional data protection principles. Out with the old way, in with the very new way. It introduces elements that address emerging technologies, such as artificial intelligence (AI) and the Internet of Things (IoT). This forward-thinking and future-proof outlook ensures Quebec’s privacy laws remain relevant in the digital age.

Impact on Individuals and Businesses

Individual people and consumers will benefit from increased control over their personal information. They will have the right to access and correct their data and to withdraw consent to its use. These are all things a business may have let you do before, but now it’s legally mandated.

On the flip side, businesses face the new challenge of adapting their privacy policies, practices, procedures, and data management systems to align with the new requirements. As most companies understand the value and importance of good customer data, you must take the proper steps to continue harnessing that data compliantly. Law 25 doesn’t prevent using data but impacts how it’s collected and used to add more transparency.

Compliance Requirements

To comply with Law 25, businesses must review and update their privacy policies, conduct privacy impact assessments, evaluate all personal data intake flows and establish appropriate security measures. If you need help with this, Elite Digital can assist you in conducting a thorough review of your privacy practices and help implement necessary changes. As Canada’s leading digital marketing agency, we can help set you on the right path.

Fundamental Changes Coming into Effect in September 2023

Now that we all understand the fundamentals and how we got here, let’s look at where we’re going because this will add action items to your to-do list.

September 22, 2023, marks a significant milestone when several critical changes under Law 25 will come into effect. Circle this date on your calendar now!

Let’s explore some of these changes in detail.

Strengthening Consent

Under Bill 64, obtaining informed consent has become more critical than ever. Asking for permission is the only way! Businesses must ensure individuals fully understand the purpose, collection, use, and disclosure of their personal information. Consent for some uses or disclosures of sensitive personal information must be given expressly. On top of that, the consent of a parent/guardian must be obtained before collecting, using, or disclosing personal information about a minor under the age of 14.


Implementing clear and user-friendly consent mechanisms on your website and other digital channels is essential. So, if you plan on paying a lawyer to write some convoluted documents that no one will understand, think again!

For consent to be considered valid under Law 25, it must meet the following criteria:

  • Free and informed
  • Requested for each purpose
  • Given for specific purposes
  • Presented in clear and easy-to-understand language
  • Requested separately from any other information
  • Given expressly and proactively for sensitive personal information (This means you cannot have a pre-checked box that defaults to sharing the information.)

In addition, individuals must be made aware of the following: 

  • Their right to withdraw and revoke consent (with private organizations). You may hear the term “de-indexation” being used.
  • The name of third parties inside and outside of Quebec that personal information may be shared with
  • Categories of people within the business who have access to personal information 
  • How long data will be retained
  • The contact information of the responsible individual, such as the Privacy Officer
  • Whether the request is mandatory or optional (public sector only)
  • Consequences for refusing to respond or withdrawing consent (public sector only)

Enhanced Individual Rights

The legislation affords individuals extended rights regarding their personal information. People have more control over their personally identifiable information (PII). They will have the right to deletion, data portability, and restrictions on automated decision-making.

Businesses that use algorithms and other technology to identify or profile an individual will have to disclose that they are engaging in such activity and how their profiling technology can be activated/deactivated. This way, people who do not want to be profiled can opt out of that personalization. This is a necessary disclosure as we move to a more personalized web experience tailored to each individual. It’s also worth mentioning that this includes monitoring within the workplace, so as of September 2023, it needs to be clear to employees how/if they are being monitored.

Data Breach Notification

Law 25 introduces mandatory data breach notification requirements. In the event of a data breach that poses a risk of significant harm, businesses must swiftly notify impacted individuals and the relevant authorities. Historically speaking, the media often covers considerable data breaches, but minor data breaches happen all the time, and in many cases, no one knows about them. This means your information could have been “hacked,” yet you’re unaware. With this new change, that disclosure must be made to you.

This should be an excellent wake-up call to your business to clamp down on security. We’ve seen many companies running an out-of-date WordPress site that houses customer data, which poses a considerable risk. Now is the time to be proactive and ensure your security is best-in-class so there’s never a breach to report, and there’s no risk of losing your customers’ trust.


Transborder Data Flows

The new legislation imposes restrictions on transborder data flows. People need to know where their data is going. Businesses transferring personal information outside of Quebec will need to ensure an adequate level of protection is maintained. Simply exporting personal data to a country with less strict privacy controls is not viable.

Destroying and Anonymizing Data

Another new requirement is that businesses must be able to destroy and/or anonymize data when it is no longer required. Remember, as you saw above, you must disclose how data will be used. Once you’re done with it, and that objective is complete, you must purge or anonymize that information. Most organizations historically have not had a “self-destruct” button on data; it tends to live on forever, but now that needs to change.

Who enforces Law 25?

Law 25 is enforced by the Commission d’accès à l’information (CAI) du Québec, the provincial organization responsible for access to information in Québec.

What are the penalties for non-compliance?

If you don’t follow the rules, you must sit in the corner and think about what you’ve done…. But you must also reach into your pocket and shell out some serious cash.

Law 25 increases the fines for non-compliance with privacy legislation, with private-sector businesses subject to penalties ranging from CAD$15,000 to $25,000,000, or an amount corresponding to 4% of worldwide turnover for the preceding fiscal year (whichever is greater).

It remains to be seen how swiftly these penalties will be enforced. Still, as we’ve seen with other Canadian legislation, such as CASL (Canada’s Anti-Spam Legislation), offenders do get punished, especially as a way of sending a message to others.

Conclusion

As you can see, Quebec’s Bill 64 (Law 25) brings monumental privacy changes that require careful consideration, meticulous review and proactive measures from all businesses based in Quebec or doing business with anyone in Quebec. With many changes coming into effect in September 2023, the time to act is now! While some changes may be quick, others could require substantial changes to critical business processes and systems.

At Elite Digital, we have the expertise to guide you through these changes, ensuring compliance and data protection. Contact us today to discuss how we can help your business navigate the evolving landscape of privacy laws.
