In 2020, Bill 64 was introduced in Quebec, Canada. On September 22, 2021, the Bill was adopted as Law 25.
The first phase of Law 25 came into effect on September 22, 2022. Additional data handling requirements will come into effect on September 22, 2023, and then on September 22, 2024.
Read the blog to learn how to ensure compliance with Law 25 over the next few years.
What Is Quebec’s Law 25?
Historically, data privacy regulation in Quebec consisted of a patchwork of provincial and federal legislation. Bill 64, the Quebec privacy bill, was introduced in the Canadian province of Quebec to modernize and unify the protection of personal data. Once passed, it became Law 25.
Law 25 increases privacy protections for residents of the province of Quebec. The law was driven by the need to align Quebec’s privacy laws with the European Union's General Data Protection Regulation (GDPR) and to address the evolving privacy challenges posed by technological development.
The law will go into force in several stages. The first phase of Law 25 came into effect on September 22, 2022. Additional data handling requirements will come into effect on September 22, 2023, and then on September 22, 2024.
Who Does Law 25 Apply to?
The law applies to:
- Organizations established in Quebec that are collecting, using, or processing personal information of Quebec residents.
- Organizations doing business in Quebec that are collecting, using, or processing personal information of Quebec residents.
This means that most international online shopping stores and other websites will be covered by the new law and required to comply if they have even a single user from the province of Quebec.
The law covers all “natural persons” inside Quebec; there are no citizenship restrictions.
What Are the Requirements of Law 25?
Law 25 will go into effect in three distinct phases: on September 22, 2022, on September 22, 2023, and on September 22, 2024. The biggest changes in the handling of data privacy take effect in the first phase, in 2022.
Requirements by 22 September 2022 (1st Phase)
Appoint a Privacy Officer. Companies must designate a person in charge of the protection of personal information and publish their title and contact details on the company's website.
Mandatory Breach Reporting. In the event of a personal data breach, a company must take reasonable actions to reduce the risk of harm to the persons affected and to prevent new incidents of the same nature from occurring. Companies must keep a record of the incident. The company must also notify the Quebec Commission on Access to Information (CAI) as well as any individuals concerned.
Strengthened consent requirements. Law 25 requires obtaining explicit and informed user consent (in French) before collecting or processing their personal information.
Privacy Impact Assessment. Companies must conduct a Privacy Impact Assessment (in French) before communicating personal information outside Quebec without the user’s consent for study, research, or statistical purposes.
Biometrics disclosure. Companies must disclose in advance to CAI any verification or confirmation of identity using biometric characteristics by completing this form (in French).
Requirements by 22 September 2023 (2nd Phase)
Transparency and consent systems. Companies must establish transparency and opt-in systems for cookies and other tracking technologies used to collect, store, and share user personal information. Companies using technologies that allow individuals to be identified, located, or profiled must first inform users of the use of such technologies and obtain their consent. This includes the use of internet cookies or other tracking technologies.
Scan your website for free to see all your website cookies in use.
Anonymization. Companies must implement a system to destroy or anonymize personal data once the data is no longer needed. Anonymization means that the person can no longer be identified.
Right to erasure. Companies must develop guidelines to respond to user requests for the removal of personal information. They must train their staff to respect this requirement.
Right to correction. Companies must provide the right to access and correction of personal information for users.
Right not to be subject to automated decision-making. Companies that use personal information to execute a decision based on automated processing must inform the user about the automated processing and get user consent before the processing takes place.
Agreements with third parties. Companies may share personal information with a third party (any person or company) if the information is necessary to provide the services entrusted to that party. Such personal information may be shared without the user’s consent. However, companies must sign an agreement with the third party governing the use of the personal information. The agreement must be in writing and specify the measures the third party must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for performing the contract, and to ensure that the third party deletes the personal information after the contract expires.
Requirements by 22 September 2024 (3rd Phase)
Right to portability. Companies must generate a digital copy of all personal information they hold about a user upon request.
- Cookie Scanner
- Cookie Banner translation into 30+ languages
- Management and storage of user consent
- Cookie Banner integration with the most popular CMS platforms, such as WordPress, Shopify, Wix, Kajabi, and Joomla, among other features.
What Are the Penalties for Non-Compliance?
Starting in 2023, failure to comply with the law could result in the following penalties:
Private-sector entities are subject to fines ranging from CAD $15,000 to CAD $25,000,000 or 4% of their global turnover for the preceding fiscal year, whichever is greater. The maximum penalty for individuals is CAD $100,000.
Right of action
Consumers have the right to bring claims against companies regarding breaches of privacy law, including unlawful or illegal use of personal information, and inadequate privacy notices.
There are some limited exceptions to Law 25. Companies may use personal information without user consent if this is necessary for the detection or prevention of fraud, or if it is necessary in order to provide a product or service expressly requested by the individual concerned.
Under Quebec's Law 25, “Personal information concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned.”
Please note that the definition of personal information does not extend to information relating to a legal person (for example, information concerning a business).
Under Quebec’s Law 25, sensitive information includes medical, biometric, or otherwise intimate details that give rise to a reasonable expectation of privacy.
Confidentiality incident means:
- Access to personal information not authorized by law.
- Use of personal information not authorized by law.
- Communication of personal information not authorized by law.
- Loss of personal information or any other breach of the protection of such information.
There are 3 main categories of biometric parameters:
- Morphological biometrics, based on the identification of specific physical traits, such as fingerprints, the shape of the hand, the face, the retina, and the iris of the eye.
- Behavioral biometrics, based on the analysis of certain behaviors of a person, such as the tracing of a signature, the voice, the way of typing on a keyboard, etc.
- Biological biometrics, based on the analysis of a person's biological traces, such as DNA, blood, saliva, urine, and odours.
Verifying a person’s identity by biometric means is no longer allowed without the user’s explicit consent.
Companies cannot collect any personal information from a child under the age of 14 without parental consent. The only exception is where the collection is clearly for the benefit of the child, for example in an emergency situation.
Frequently Asked Questions
What is Quebec's Law 25?
When does Quebec's Law 25 go into effect?
Quebec’s Law 25 is the data privacy law in Quebec, Canada, and it will go into force in several stages. The first phase of Law 25 came into effect on September 22, 2022. Additional data handling requirements will come into effect on September 22, 2023, and then on September 22, 2024. CookieScript can help you to prepare to comply with Quebec’s Law 25.
Who does Law 25 apply to?
The law applies to organizations established in Quebec and/or organizations doing business in Quebec that are collecting, using, or processing personal information of Quebec residents. The law covers all “natural persons” inside Quebec, and there are no citizenship restrictions. International shopping stores or websites that have users from the province of Quebec are covered by Law 25.
What are the penalties for non-compliance under Law 25?
How to comply with Quebec’s Law 25?
What is considered personal information under Law 25?
Under Quebec’s Law 25, “Personal information concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned.” CookieScript can help you to prepare to comply with Quebec’s Law 25.