In 2020, Quebec lawmakers introduced Bill 64. On Sept. 22, 2021, it was adopted as Law 25, marking the beginning of a distinct modernization in Canada’s privacy landscape.
In this guide, I walk you through Quebec’s Law 25 so you can determine if it applies to your business and what steps to take to ensure legal compliance.
- What Are Quebec’s Bill 64 and Law 25?
- Quebec’s Law 25 Key Terms and Definitions
- Who Does Quebec’s Law 25 Apply To?
- Who Does Quebec’s Law 25 Protect?
- Law 25 Provisions That Entered Into Force in September 2022
- Law 25 Provisions That Entered Into Force in September 2023
- Law 25 Provisions That Entered Into Force in September 2024
- How Can Termly Help With Data Privacy Compliance?
- Summary
What Are Quebec’s Bill 64 and Law 25?
Bill 64 was introduced in the province of Quebec in an effort to modernize privacy protections regarding personal information. After it passed, it became known as Law 25.
It creates new requirements for businesses, including new considerations related to protecting the personal data of Quebec residents, appointing Data Protection Officers (DPOs), and performing privacy impact assessments (PIAs).
When Does Quebec’s Law 25 Go Into Effect?
Quebec’s Bill 64 passed under the name ‘Law 25’ in Sept. 2021.
Its provisions enter into force over a staggered three-year period. Some are already in place and have been since Sept. 2022.
Additional parts of the law became effective as of Sept. 22, 2023, and again in Sept. 2024.
Quebec’s Law 25 Key Terms and Definitions
There are some key terms and definitions described in Quebec’s Law 25 that businesses must understand in order to comply with the new privacy protection guidelines. I’ll briefly cover those for you now.
Law 25 uses the definition of “personal information” as it appears in the Quebec Private Sector Act, which says:
Personal information is any information which relates to a natural person and allows that person to be identified.
According to Part 15 of Law 25, “confidentiality incident” means:
- (1) Access not authorized by law to personal information;
- (2) Use not authorized by law of personal information;
- (3) Release not authorized by law of personal information; or
- (4) Loss of personal information or any other breach of the protection of such information.
Law 25 defines “profiling” in Part 19 as:
“…the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.”
Who Does Quebec’s Law 25 Apply To?
Law 25 applies to companies and small to medium-sized businesses that sell goods or offer services in Quebec and to companies targeting Quebec residents, regardless of location.
The Law’s material scope also includes personal information held by a professional order as defined by the Professional Code (chapter C-26).
Law 25 does not apply to journalistic, historical, or genealogical material collected, held, used, or communicated for the legitimate information of the public.
It also does not apply to a public body or information held on behalf of a public body by a person other than the public body.
Who Does Quebec’s Law 25 Protect?
Quebec’s Law 25 protects the personal information of citizens of Quebec, CA.
It also outlines their rights over how that data gets collected and used.
Law 25 Provisions That Entered Into Force in September 2022
In September of 2022, the following provisions outlined by Law 25 entered into force:
- Appointment of a privacy officer: This mandatory provision outlined in Section 3.1 of the Law states that, by default, the person with the highest authority shall be responsible for complying with Law 25 and protecting personal information. However, you may delegate these responsibilities in writing wholly or partly to another person.
- Breach notification to regulators and individuals: Section 3.5 of the Law states that a company must promptly notify the Commission d’Accès à l’Information (CAI) in the case of a confidentiality incident that presents a risk of serious injury to individuals. A company must also notify any person whose personal information is impacted by the incident, as ordered by the CAI. Additionally, if a confidentiality incident involving personal information happens, a company must take reasonable measures to reduce the risk of injury and prevent new incidents of the same nature from occurring.
- Personal information and consent: Communicating personal information without consent is possible for a study, research purposes, the production of statistics, and under certain conditions. But, according to Section 21 of the act, you should carry out a Privacy Impact Assessment or PIA.
- Biometric database notifications: Amendments enacted by Law 25 impact the Quebec IT Act and require organizations to disclose to the CAI any use of biometric processes at least 60 days before creating a biometric database.
If your business qualifies under Quebec’s Law 25, you must comply with all of these guidelines, or else you violate the Law.
Law 25 Provisions That Entered Into Force in September 2023
On Sept. 22, 2023, these additional requirements outlined by Law 25 became effective:
- Publish a confidentiality policy (aka, privacy policy): Section 8.2 of the Law stipulates that anyone who collects personal information through technological means must publish a confidentiality policy (aka privacy policy) drafted in clear and straightforward language. You must publish it on your websites or app and disseminate it by any appropriate means. A notice is also required for any amendments you make to your policy.
- Provide transparency and opt-in mechanism for cookies and other tracking technologies: Section 8.1 of the Law states that any company collecting personal information using technology that includes functions allowing individuals to be identified, located, or profiled must first inform them of the use of such technology and of the means available to activate the functions that allow the person to be identified, located or profiled. This includes your use of internet cookies or other similar tracking technologies.
- Implement a framework for the governance of personal information: Section 3.2 of Law 25 says companies must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Your policies and procedures must, in particular, (1) provide a framework for the keeping and destruction of the information, (2) define the roles and responsibilities of the members of your personnel throughout the life cycle of the information, and (3) provide a process for dealing with complaints regarding the protection of the information. Additionally, information on these policies and practices should be available in simple language on the enterprise’s website.
- Conduct a Privacy Impact Assessment: You must conduct a PIA for any project to acquire, develop, or overhaul an information system or electronic service delivery system involving collecting, using, communicating, keeping, or destroying personal information. This appears in Section 3.3 of the Law.
- Set out contractual agreements for communicating personal information to third parties: Under Section 18.3 of Quebec’s Law 25, a company may, without the consent of the person concerned, communicate personal information to any person or body if the information is necessary for carrying out a mandate, performing a contract of enterprise, or for services entrusted to that person or body by the person carrying out an enterprise. The contract should be made in writing and specify the measures the third party must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for performing the contract, and to ensure that the third party does not keep the data after the expiry of the contract.
The following consumer rights also became applicable:
- The right to erasure and de-indexation of any hyperlink attached to a person’s name (Sections 28 and 28.1)
- The right to access and correction of personal information (Section 18.6)
- The right not to be subject to automated decision-making (Section 12.1)
In the case of consumers’ right not to be subject to automated decision-making, the law states that a company that uses personal information to render a decision based exclusively on automated processing must inform the person concerned no later than when it informs the person of the decision.
Additionally, the company must inform the person concerned of the:
- Personal information used to render the decision
- Reasons, factors, and parameters used in the decision; and
- Right of the data subject to have the personal information used in the decision corrected
Law 25 Provisions That Entered Into Force in September 2024
An additional aspect of Quebec’s Law 25 became effective as of Sept. 22, 2024, which involves consumers’ right to data portability.
Specifically, businesses have to follow these guidelines, as outlined in Section 27:
“Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.”
If your business is impacted by Quebec’s Law 25, develop an appropriate protocol for providing consumers with a portable copy of their personal data.
How Can Termly Help With Data Privacy Compliance?
Termly can help simplify your privacy compliance process by providing legally backed policy generators and an adaptable Consent Management Platform (CMP).
Our Privacy Policy Generator asks you simple questions about your business. It uses your answers to kick out an easy-to-read, compliant policy that can link directly to your website or app. If you ever need to update it or make changes, simply go back into your Termly dashboard, edit your policy, and click Publish.
Below, see an example of one of the questions our generator asks.
Data privacy legislation like Quebec’s Law 25 outlines specific rules about obtaining consumer consent to use or process personal data legally. So we also offer a Consent Management Platform or CMP that you can configure to meet opt-out or opt-in guidelines.
See what it looks like below.
Whether you need to comply with Quebec’s Law 25, or other data protection regulations like the Personal Information Protection and Electronic Documents Act (PIPEDA) or the General Data Protection Regulation (GDPR), Termly has your back.
Summary
Businesses that need to comply with Quebec’s Law 25 must ensure they meet all requirements outlined by the law, including:
- Posting a compliant privacy policy
- Obtaining consumer opt-in consent where appropriate
- Performing privacy impact assessments as needed
- Appointing a data protection officer (DPO)
Remember to also follow all contractual obligations with third-party entities who have access to your users’ data and ensure users can follow through on all of their privacy rights.
Make compliance with laws like Quebec’s Law 25 extra simple by using Termly’s free privacy policy template or Generator and set your business up for success.