In 2020, Quebec lawmakers introduced Bill 64. On Sept. 22, 2021, it was adopted as Law 25, marking the beginning of a distinct modernization in Canada’s privacy landscape.
While portions of this Law took effect in 2022, additional requirements start in Sept. 2023 and then again in 2024.
In this guide, I’ll walk you through the ins and outs of Quebec’s Law 25 so you can determine if it applies to your business and what steps you need to take to ensure legal compliance over the next few years.
- What Are Quebec’s Bill 64 and Law 25?
- Quebec’s Law 25 Key Terms and Definitions
- Who Does Quebec’s Law 25 Apply To?
- Who Does Quebec’s Law 25 Protect?
- Law 25 Provisions That Entered Into Force in September 2022
- Law 25 Provisions That Enter Into Force in September 2023
- Law 25 Provisions That Enter Into Force in September 2024
- How Can Termly Help With Data Privacy Compliance?
What Are Quebec’s Bill 64 and Law 25?
Bill 64 was introduced in the province of Quebec in an effort to modernize privacy protections regarding personal information. After it passed, it became known as Law 25.
It creates new requirements for businesses, including new considerations related to protecting the personal data of Quebec residents, appointing Data Protection Officers (DPOs), and performing privacy impact assessments (PIAs).
When Does Quebec’s Law 25 Go Into Effect?
Quebec’s Bill 64 passed under the name ‘Law 25’ in Sept. 2021.
Its provisions enter into force over a staggered three-year period. Some are already in place and have been since Sept. 2022.
Additional parts of the law are effective as of Sept. 22, 2023, and again in Sept. 2024.
Quebec’s Law 25 Key Terms and Definitions
There are some key terms and definitions described in Quebec’s Law 25 that businesses must understand in order to comply with the new privacy protection guidelines. I’ll briefly cover those for you now.
Law 25 uses the definition of “personal information” as it appears in the Quebec Private Sector Act, which says:
“Personal information is any information which relates to a natural person and allows that person to be identified.”
According to Part 15 of Law 25, “confidentiality incident” means:
- (1) Access not authorized by law to personal information;
- (2) Use not authorized by law of personal information;
- (3) Release not authorized by law of personal information; or
- (4) Loss of personal information or any other breach of the protection of such information.
Law 25 defines “profiling” in Part 19 as:
“…the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.”
Who Does Quebec’s Law 25 Apply To?
Law 25 applies to companies and small to medium-sized businesses that sell goods or offer services in Quebec. It also applies to companies targeting Quebec residents, regardless of whether it’s located in the province.
The Law’s material scope also includes personal information held by a professional order as defined by the Professional Code (chapter C-26).
Law 25 does not apply to journalistic, historical, or genealogical material collected, held, used, or communicated for the legitimate information of the public.
It also does not apply to a public body or information held on behalf of a public body by a person other than the public body.
Who Does Quebec’s Law 25 Protect?
Quebec’s Law 25 protects the personal information of citizens of Quebec, CA.
It also outlines their rights over how that data gets collected and used.
Law 25 Provisions That Entered Into Force in September 2022
In September of 2022, the following provisions, as outlined by Quebec’s Law 25, entered into force:
- Appointment of a privacy officer: This mandatory provision outlined in Section 3.1 of the Law states that, by default, the person with the highest authority shall be responsible for complying with Law 25 and protecting personal information. However, you may delegate these responsibilities in writing wholly or partly to another person.
- Breach notification to regulators and individuals: Section 3.5 of the Law states that a company must promptly notify the Commission d’Accès à l’Information (CAI) in the case of a confidentiality incident that presents a risk of serious injury to individuals. A company must also notify any person whose personal information is impacted by the incident, as ordered by the CAI. Additionally, if a confidentiality incident involving personal information happens, a company must take reasonable measures to reduce the risk of injury and prevent new incidents of the same nature from occurring.
- Personal information and consent: Communicating personal information without consent is possible for a study, research purposes, the production of statistics, and under certain conditions. But, according to Section 21 of the act, you should carry out a Privacy Impact Assessment or PIA.
- Biometric database notifications: Amendments enacted by Law 25 impact the Quebec IT Act and require organizations to disclose to the CAI any use of biometric processes at least 60 days before creating a biometric database.
If your business qualifies under Quebec’s Law 25, you must comply with all of these guidelines, or else you violate the Law.
Law 25 Provisions That Enter Into Force in September 2023
On Sept. 22, 2023, additional requirements outlined by Law 25 become effective.
If your business falls under this law, you must implement the following obligations before then:
- Provide transparency and opt-in mechanism for cookies and other tracking technologies: Section 8.1 of the Law states that any company collecting personal information using technology that includes functions allowing individuals to be identified, located, or profiled must first inform them of the use of such technology and of the means available to activate the functions that allow the person to be identified, located or profiled. This includes your use of internet cookies or other similar tracking technologies.
- Implement a framework for the governance of personal information: Section 3.2 of Law 25 says companies must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Your policies and procedures must, in particular, provide a framework for (1) the keeping and destruction of the information, (2) define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and (3) provide a process for dealing with complaints regarding the protection of the information. Additionally, information on these policies and practices should be available in simple language on the enterprise’s website.
- Conduct a Privacy Impact Assessment: You must conduct a PIA for any project to acquire, develop, or overhaul an information system or electronic service delivery system involving collecting, using, communicating, keeping, or destroying personal information. This appears in Section 3.3 of the Law.
- Set out contractual agreements for communicating personal information to third parties: Under Section 18.3 of Quebec’s Law 25, a company may, without the consent of the person concerned, communicate personal information to any person or body if the information is necessary for carrying out a mandate, performing a contract of enterprise, or for services entrusted to that person or body by the person carrying out an enterprise. The contract should be made in writing and specify the measure the third party must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for performing the contract, and to ensure that the third party does not keep the data after the expiry of the contract.
The following consumer rights also become applicable in September 2023:
- The right to erasure and de-indexation of any hyperlink attached to a person’s name (Sections 28 and 28.1)
- The right to access and correction of personal information (Section 18.6)
- The right not to be subject to automated decision-making. (Section 12.1)
In the case of consumers’ right not to be subject to automated decision-making, the law states that a company that uses personal information to render a decision based exclusively on automated processing must inform the person concerned no later than when it informs the person of the decision.
Additionally, the company must inform the person concerned of the:
- Personal information used to render the decision
- Reasons, factors, and parameters used in the decision; and
- Right of the data subject to have the personal information used in the decision corrected
If your company falls under the scope of Quebec’s Law 25, you must prepare to meet all of these obligations before Sept. 22, 2023, which is when these rules become enforceable.
Law 25 Provisions That Enter Into Force in September 2024
An additional aspect of Quebec’s Law 25 becomes effective as of Sept. 22, 2024, which involves consumers’ right to data portability.
Specifically, businesses will have to start following these guidelines, as outlined in Section 27:
“Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.”
If your business is impacted by Quebec’s Law 25, you have around one year to develop an appropriate protocol for providing consumers with a portable copy of their personal data.
How Can Termly Help With Data Privacy Compliance?
Termly can help simplify your privacy compliance process by providing legally backed policy generators and an adaptable Consent Management Platform (CMP).
It’s really that easy.
But if you have questions along the way, there are helpful tips written by our legal team, plus our awesome customer service team is around to assist you.
Below, see an example of one of the questions our generator asks.
Data privacy legislation like Quebec’s Law 25 outlines specific rules about obtaining consumer consent to use or process personal data legally. So we also offer a Consent Management Platform or CMP that you can configure to meet opt-out or opt-in guidelines.
See what it looks like below.
Whether you need to comply with Quebec’s Law 25, or other data protection regulations like the Personal Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Termly has your back.
If you need to follow the business obligations outlined by Quebec’s Law 25, use this guide to help prepare before the September 22 deadline.
Remember, to comply with this law, you must:
- Obtain consumer opt-in consent where appropriate, like when placing cookies on their devices or when processing sensitive personal information, or provide means for users to opt out of certain data processing activities.
- Perform privacy impact assessments as needed.
- Appoint a data protection officer (DPO).
- Follow all contractual obligations with any third-party entities who have access to your users’ data.
- Ensure users can follow through on all of their data privacy rights.
- Prepare for the data portability rights entering into force later in 2024.