Law 25 and its impact: What you need to implement

Pauline Lammerant - Writer

Sep. 2023

The second phase of Law 25 is about to come into effect. It applies to all businesses that collect or use the personal data of Québec-based users, so there’s a good chance it concerns you. Is your business ready for the new requirements? Let’s take a closer look!

Introduction to Law 25

Law 25 amends two existing laws to give users greater control over their personal information and to ensure more transparent data management by businesses—much like its European counterpart, the General Data Protection Regulation (GDPR). In effect, Law 25 modernizes Québec’s privacy framework in response to the evolving digital landscape and the emergence of new technologies, which bring fresh challenges to data protection.

The implementation of the law is spread out over three years to give businesses time to comply gradually. Since September 2022, organizations have been required to appoint a person responsible for the protection of personal information whose duties include maintaining an “incident log.”

The second phase came into effect on September 22, 2023, introducing stricter requirements for valid consent, updated privacy policies, internal procedures, and the use of artificial intelligence. The final phase of the law focuses on data portability rights and will take effect in September 2024.

Businesses that fail to meet the requirements of Law 25 risk facing significant penalties from Québec’s Commission d’accès à l’information. Make sure you take the necessary steps to stay compliant. That said, some adjustments may take time to implement, so if you’re not fully prepared yet, it’s best to focus on the essentials first. Let’s go over the key actions to prioritize in the coming weeks.

Consent management: Set up a CMP

As mentioned earlier, Law 25 introduces new obligations regarding user consent and data management. Businesses must now obtain prior, explicit, free, informed, and specific consent from users before collecting and storing their personal information.

To meet these new requirements, using a Consent Management Platform (CMP) has become essential for all businesses. These tools allow organizations to collect user consent in a transparent and explicit manner by clearly explaining the purpose of data collection. Users can then easily access and update their preferences at any time, as required by the law.

CMPs record the consents obtained, along with the exact versions of the consent statements accepted by each user. They also generate reports to help businesses demonstrate their compliance with data protection regulations in the event of an audit or a request from regulatory authorities.

To collect data, CMPs display cookie banners or pop-ups that you can configure and customize through your interface. In addition to helping you comply with the new regulations, using such a tool improves the online user experience, builds trust between your business and its customers, and demonstrates transparency.

You’ll also need to plan for alternatives in case users do not consent to data collection, and adjust the default settings of any technologies that previously collected data automatically.

There are many CMP platforms available, each offering different features and options depending on your needs. For our specialists, it’s essential to choose a CMP that allows you to easily track, in real time, key metrics like consent, acceptance, and refusal rates so you can optimize your performance over time. Check out our article to help you make an informed decision: our team tested some of the most recommended CMPs in the industry for you.

Data governance: Review your privacy policy

Law 25 requires businesses to update or create a clear and detailed privacy policy written in plain, accessible language to inform users about how their data will be used and what their rights are. It is now also mandatory to establish a data governance framework and document all related procedures, in alignment with what is outlined in the privacy policy.

To prepare these documents, it’s essential to assess your current needs and practices in order to implement a data strategy that aligns with Law 25. This involves defining your internal policies for data retention, destruction, and anonymization; identifying and communicating the roles and responsibilities of individuals within your organization; and detailing how access requests, incidents, and complaints related to personal information are handled.

Third-party platforms and artificial intelligence

You’re likely using various software tools such as Facebook, Google Analytics, or a CRM that process your users’ data. It’s also possible that you use artificial intelligence and algorithms to support certain decisions. In both cases, your users must be clearly informed through your privacy policy and must give their explicit consent.

Seek support from your legal team to prepare and draft your various policies, ensuring they meet the new requirements of the law.

Web analytics and data tracking: What’s next?

The introduction and enforcement of Law 25 represent a major step forward in protecting personal information, but they also make conversion tracking more challenging.

New solutions have been available for some time now to help measure campaign success while respecting user privacy, particularly through server-side tracking and the use of first-party data.

This includes tools like Facebook’s Conversions API or Google Ads’ Enhanced Conversions. Work with your media agency for support through this transition and take advantage of the new opportunities that Law 25 brings!

The information provided in this article is for informational purposes only and does not constitute legal advice. To ensure full compliance with Law 25, we recommend consulting a lawyer or qualified legal expert.