What to do with law 25?

By TREIZE

Have you heard about this new law that’s emerging in Quebec?

If yes, that’s great. I assume you’re here to validate your knowledge or seek assistance. I’ll be happy to delve into it with you in this article.

If not, take a few minutes to read this; it will save you time and probably some money! Get ready to dive into the wonderful world of legislation with us. We’ll decipher this law together, maybe laugh, perhaps shed a tear or two, and hopefully, help you understand what this law means for you and your business and the actions to take moving forward. So, everyone fasten your seatbelts; we’re embarking on the journey of exploring Law 25.

If you’re not particularly interested and just want us to assist you with it, please fill out the form, and we’ll get back to you promptly with a service offer.

SUMMARY OF LAW 25

Law 25 is the Law modernizing legislative provisions on the protection of personal information in the private sector, a bill with a very long name (which we’ll spare you) and more commonly known as Bill 25. This law aims to protect the personal information of Quebec residents by holding companies that collect personal data accountable.

WHAT IS LAW 25?

Law 25 is a new law in Quebec that modernizes legislative provisions regarding the protection of personal information in the private sector. This law aims to adapt the rules for the protection of personal information to better safeguard citizens.

Who is affected by Bill 25?

This reform is of major significance as it impacts every business, every public organization, and every citizen. It promises increased protection of personal information and new rights for citizens, as well as more responsible and transparent management of personal information by public organizations and businesses. As visitors, we will also be positively affected by Law 25 since websites will now have to request clear consent for each data collection performed on the site, all in understandable terms.

  • Do you have a multilingual website?
  • Do you have an online store?
  • Do you use a tool like Google Analytics to gather statistics about your website?
  • Do you have a Facebook pixel on your website for retargeting visitors?
  • Do you use a CRM like HubSpot, and is it connected to your website?

Do you recognize yourself in any of these elements? There’s a 99% chance that you’ll need to make adjustments to your website by September 22, 2023.

When will Law 25 come into effect?

The changes introduced by Law 25 are being implemented gradually over a three-year period, until 2024. The next significant date to remember is September 22, 2023.

WHY COMPLY WITH LAW 25?

If you choose to ignore the provisions of Bill 25, financial penalties may be imposed:

  • For individuals: from $500 to $50,000 depending on the seriousness of the breach.
  • For businesses and organizations: from $1,000 to $10,000,000 or 2% of the worldwide revenue for the previous fiscal year, whichever amount is higher.

The main obligations of Law 25

In addition to complying with current obligations regarding the protection of personal information, businesses must, among other things:

  1. Appoint a person responsible for personal information protection and publish their title and contact information on the company’s website.
  2. In the event of a confidentiality breach, maintain a record of all incidents and take prompt measures to reduce the risk of harm to affected individuals. A company must also notify the Commission and the affected individuals of any incident that poses a serious risk of harm.
  3. Disclose to the Commission, in advance, any verification or confirmation of identity carried out using biometric characteristics or measurements.
  4. Adhere to the new framework for the disclosure of personal information without the consent of the individual, in the context of a commercial transaction or for study, research, or statistical production purposes.

What needs to be done by September 22, 2023?

As of September 22, 2023, you should have completed the tasks listed below. Please note that some of these tasks were originally due by September 22, 2022, but the enforcement of penalties will begin in September 2023.

So, here’s a loooooooong list of important items to consider. I’ll warn you in advance, it’s lengthy, complex, and not the most exciting read, but don’t get discouraged; we’ll discuss solutions a little further down. Feel free to skip it altogether and move on to the section below. 😉

  1. Designate a person responsible for the protection of personal information and publish the title and contact information of the responsible person on the company’s website or, if it does not have a website, make them accessible by any other appropriate means.
  2. In the event of a confidentiality incident involving personal information:
    1. Take reasonable measures to reduce the risks of harm to the affected individuals and prevent similar incidents from occurring.
    2. Notify the Commission and the affected individual if the incident poses a serious risk of harm.
    3. Maintain a record of incidents, a copy of which must be provided to the Commission upon request.
  3. Adhere to the new framework for the disclosure of personal information without the consent of the individual for the purposes of study, research, statistics, and in the context of a commercial transaction.
  4. Conduct a Privacy Impact Assessment (PIA) before disclosing personal information without the consent of the individuals for study, research, or statistical production purposes.
  5. Disclose to the Commission, in advance, any verification or confirmation of identity carried out using biometric characteristics or measurements.
  6. Have established policies and practices governing the governance of personal information and publish detailed information about them in plain and clear language on the company’s website or, if it does not have a website, by any other appropriate means.
  7. Comply with the new rules regarding consent for the collection, disclosure, or use of personal information.
  8. Dispose of personal information once the purpose of its collection is fulfilled, or anonymize it for use for serious and legitimate purposes, subject to the conditions and retention period provided by law.
  9. Comply with your new obligations of information and transparency towards citizens.
  10. Adhere to the new rules governing the use of personal information.
  11. By default, provide settings ensuring the highest level of privacy for the product or technological service offered to the public.
  12. Comply with the new rules regarding the collection of personal information concerning a minor.
  13. Respect the right to cease dissemination, reindexing, or delisting (or the right to be forgotten).
  14. Adhere to the new rules for the communication of personal information:
    1. Outside of Quebec.
    2. Without the consent of the individual (exercise of a mandate or performance of a service or business contract).
    3. Facilitating the grieving process.
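The consent requirement described earlier (clear consent for each data collection, such as Google Analytics, a Facebook pixel or a HubSpot connection) and item 11 above (highest-privacy settings by default) can be enforced together with a small consent gate in front of third-party tags. The JavaScript below is an added example, not code from the original article or from TREIZE; the tag names, purposes, script URLs and policy version are assumptions.

```javascript
// Tag registry (assumed): which loader belongs to which consent purpose. URLs are placeholders.
const TAGS = [
  { name: "google-analytics", purpose: "analytics", src: "https://example.invalid/ga.js" },
  { name: "facebook-pixel", purpose: "marketing", src: "https://example.invalid/fbevents.js" },
  { name: "hubspot", purpose: "crm", src: "https://example.invalid/hs.js" },
];
const PURPOSES = ["analytics", "marketing", "crm"];
const POLICY_VERSION = "2023-09-22"; // assumed; bump whenever the privacy policy text changes

// Privacy by default: a fresh visitor has every optional purpose set to false.
function defaultConsent() {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  return { version: POLICY_VERSION, decidedAt: null, purposes };
}

// Record an explicit choice. Unknown purposes are ignored and only a literal
// `true` grants anything, so a partial or malformed opt-in never widens access.
function recordConsent(previous, choices, now = new Date()) {
  const purposes = { ...previous.purposes };
  for (const [p, granted] of Object.entries(choices)) {
    if (PURPOSES.includes(p)) purposes[p] = granted === true;
  }
  return { version: POLICY_VERSION, decidedAt: now.toISOString(), purposes };
}

// Consent stored under an older policy version, or malformed storage, counts
// as no consent at all instead of being silently reused.
function loadStoredConsent(raw) {
  try {
    const parsed = JSON.parse(raw);
    if (parsed && parsed.version === POLICY_VERSION && parsed.purposes) {
      const consent = recordConsent(defaultConsent(), parsed.purposes);
      consent.decidedAt = typeof parsed.decidedAt === "string" ? parsed.decidedAt : null;
      return consent;
    }
  } catch (_) { /* unparsable storage: fall through to the default */ }
  return defaultConsent();
}

// Names of the tags that may be injected for a given consent state.
function allowedTags(consent) {
  return TAGS.filter((t) => consent.purposes[t.purpose] === true).map((t) => t.name);
}

// In the browser the loader appends a <script> element; here it is a callback so
// the gate stays testable outside the DOM. Returns the names actually loaded.
function loadAllowedTags(consent, loader) {
  const names = allowedTags(consent);
  TAGS.filter((t) => names.includes(t.name)).forEach((t) => loader(t.src));
  return names;
}
```

On each page load, call `loadAllowedTags(loadStoredConsent(localStorage.getItem("consent")), src => ...)` before any vendor snippet, and write the result of `recordConsent` back to storage with `JSON.stringify` when the visitor uses the banner.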

In concrete terms, what must be done to comply with it?

At TREIZE, we’ve put together a perfect package to assist you in implementing the various measures required. We handle everything related to your WordPress website and ensure you’re well-equipped for everything else. Interested? Fill out this brief form, and we’ll get back to you promptly with a comprehensive service offer!

In conclusion, Law 25 is fast approaching, and it will bring about significant changes. It may be intimidating, but it’s ultimately for the benefit of citizens. The protection of our personal information is important.


Caroline Bui

Customer Experience Manager