What Is Quebec’s Law 25?

Written by Matt Davis, CIPM (IAPP) | September 1, 2023

Jurisdictions across the globe are implementing their own unique take on data privacy legislation, and Canada’s Quebec province is no exception. Read on to learn all about what makes this law unique and how you can comply. 

What’s the Difference Between Law 25 and Bill 64? 

You may have heard of another Canadian privacy law called Bill 64—in fact, Law 25 and Bill 64 are one and the same. In the Canadian legal system, prospective laws are referred to as bills until assented to by the lieutenant governor. Law 25 is also known as the Privacy Legislation Modernization Act. 

Who Does Law 25 Apply To? 

Like the GDPR, Quebec’s Law 25 not only applies to Quebec-based businesses but also external businesses processing the personal information of any number of Quebec residents. 

That means that, unlike most U.S. state privacy laws, there is no minimum threshold to meet before the law’s requirements apply. So, if your organization processes the data of any of Quebec’s nearly 9 million residents, you’ll need to comply. 

Law 25’s Phased Approach 

Law 25’s requirements come into force in three stages: some requirements are in effect as of September 22nd, 2022; most came into effect as of September 22nd, 2023; and the remainder come into effect September 22nd, 2024. Here are the various requirements and their associated dates. We’ll discuss notable features and requirements later on in this article. 

September 22nd, 2022 

Businesses must:  

  • Designate a privacy officer. 
  • Establish an incident management plan. 
  • Build a privacy incident log. 
  • Disclose any privacy incidents to the Commission d’accès à l’information (CAI). 
  • Disclose the use of biometric processes to develop a database at least 60 days in advance to the CAI. 

September 22nd, 2023 

Businesses must: 

  • Establish a governance framework for how they will handle and protect personal information. 
  • Publish a privacy policy. 
  • Develop a process for handling personal information complaints. 
  • Provide an opt-in mechanism for the collection of personal information. 
  • Provide sufficient notice upon collection of personal information. 
  • Establish appropriate contractual agreements with any third parties who will receive personal information. 
  • Destroy or anonymize personal information upon consumer request (i.e., exercise the right to be forgotten). 
  • Correct inaccurate personal information upon consumer request. 
  • Not subject consumers to automated decision-making upon request. 
  • Permit consumers to withdraw their consent. 
  • Conduct privacy impact assessments under certain circumstances. 
  • Inform data subjects when their personal information may be transferred outside of Quebec. 

September 22nd, 2024 

Businesses must: 

  • Provide data subjects with collected personal information in a portable format upon request. 

Law 25’s Requirements 

Although Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), Law 25 is more comprehensive and stricter in its establishment and enforcement of data privacy rights. 

It bears a significant resemblance to many of the other banner data privacy regulations such as the GDPR and CCPA/CPRA. However, Law 25 also has some significant departures from other laws, especially if you’re used to the general template used in U.S. data privacy laws. 

What’s Unique About the Law 

Especially when compared to the U.S.’s state privacy laws, Law 25 has several notable regulatory features. 

Only Explicitly Opt-In Privacy Law in North America 

Like the GDPR and other data privacy laws, Quebec’s data privacy law requires businesses to give consumers the choice of activating any technologies that may be used to track their personal information. Among others, that includes the use of cookies on your website. Naturally, before you can offer individuals the choice of opting into this data tracking, you must inform them of the usual sort of information provided upon collection: 

  • The purpose of collection. 
  • The means of collection. 
  • Consumer rights. 
  • And so on. 

Businesses that are already compliant with the GDPR will be familiar with this approach to consent management, but businesses who are more familiar with the CCPA/CPRA may not realize that they cannot automatically load cookies or deploy other tracking technologies unless a consumer indicates they may do so.  

The Need to Appoint a Privacy Officer 

Law 25's privacy officer requirements are similar to—though still distinct from—the GDPR’s requirements around a data protection officer. Essentially, the Privacy Officer is responsible for overseeing certain compliance activities in an organization such as: 

  • The fulfillment of data subject access requests (DSARs). 
  • Data breach reporting. 
  • The conduct of privacy impact assessments (PIAs). 
  • And more. 

By default, the highest-ranking individual in an organization is considered to be its privacy officer unless you assign another individual to serve in that role. So, if you choose to do nothing and fail to appoint a privacy officer, the CAI will still consider your CEO to be your de facto privacy officer. 

Private Right of Action 

Unlike most data privacy laws in the world, including PIPEDA and the GDPR, Law 25 provides a private right of action. That means citizens can take legal action (including collective action) against businesses that breach or infringe their rights under Law 25, whether intentionally or from gross fault. Potential damages start at $1,000 per individual. 

Confidentiality by Default 

Inspired by the concept of privacy by design, Law 25 requires organizations to adhere to confidentiality by default. In essence, any public-facing systems that collect personal information must have privacy settings configured to the highest level of confidentiality by default, without any action needed by the consumer. This spills over into the concept of opt-in consent; by default, you can’t collect personal information unless the consumer provides affirmative consent first. 
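The opt-in and confidentiality-by-default requirements described above come down to one engineering rule on the client side: no tracking category is active until the user affirmatively turns it on, and a stored record that does not carry an explicit decision is treated as no consent at all. The following is an added example written for this article, not code from the original page, from Osano, or from Law 25 itself; the category names, the `consent` storage key and the stubbed tag loaders are assumptions chosen for illustration.

```javascript
// Added example: a minimal opt-in consent gate in plain JavaScript.
// Every non-essential category starts denied (confidentiality by default);
// tag loaders run only after an affirmative grant, and withdrawal flips the
// category back to denied and reports which loaders had fired so the caller
// can clear the cookies they set. Category names, the storage key and the
// loaders are assumptions for this example.

const CATEGORIES = ["analytics", "marketing"]; // assumed categories

// Default state: nothing pre-ticked, no decision recorded yet.
function defaultConsent() {
  const state = { version: 1, decidedAt: null, categories: {} };
  for (const c of CATEGORIES) state.categories[c] = false;
  return state;
}

class ConsentManager {
  // loaders: { category: () => void } functions that inject the tags
  // storage: any Map-like store (window.localStorage in a real browser)
  constructor(loaders, storage = new Map()) {
    this.loaders = loaders;
    this.storage = storage;
    this.loaded = new Set(); // categories whose tags are already injected
    this.state = this.load() ?? defaultConsent();
  }

  // Only a record that carries an explicit decision is honoured; an absent,
  // malformed or undecided record falls back to the deny-all default.
  load() {
    const raw = this.storage.get("consent");
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      if (parsed.version !== 1 || !parsed.decidedAt) return null;
      return parsed;
    } catch {
      return null;
    }
  }

  save() {
    this.storage.set("consent", JSON.stringify(this.state));
  }

  isAllowed(category) {
    return this.state.categories[category] === true;
  }

  // Affirmative opt-in: only the categories the user explicitly chose become
  // allowed. Returns the categories whose loaders fired as a result.
  grant(categories) {
    for (const c of categories) {
      if (!(c in this.state.categories)) throw new Error(`unknown category ${c}`);
      this.state.categories[c] = true;
    }
    this.state.decidedAt = new Date().toISOString();
    this.save();
    return this.applyConsent();
  }

  // Withdrawal (Law 25 requires it to be possible): deny the categories,
  // persist the decision and return those whose tags had already loaded.
  withdraw(categories = CATEGORIES) {
    const affected = [];
    for (const c of categories) {
      this.state.categories[c] = false;
      if (this.loaded.delete(c)) affected.push(c);
    }
    this.state.decidedAt = new Date().toISOString();
    this.save();
    return affected;
  }

  // Fire loaders for consented categories that have not yet been loaded.
  // Calling this on page load with the default state loads nothing.
  applyConsent() {
    const fired = [];
    for (const c of CATEGORIES) {
      if (this.isAllowed(c) && !this.loaded.has(c) && this.loaders[c]) {
        this.loaders[c]();
        this.loaded.add(c);
        fired.push(c);
      }
    }
    return fired;
  }
}

// Stand-alone walk-through with stub loaders that record instead of
// injecting <script> tags; returns what each step did.
function runDemo() {
  const calls = [];
  const loaders = {
    analytics: () => calls.push("analytics"),
    marketing: () => calls.push("marketing"),
  };
  const cm = new ConsentManager(loaders);
  const onLoad = cm.applyConsent();          // [] nothing runs by default
  const afterGrant = cm.grant(["analytics"]); // ["analytics"]
  const afterWithdraw = cm.withdraw();        // ["analytics"] needs cookie cleanup
  return { onLoad, afterGrant, afterWithdraw, calls };
}
```

In a browser, each loader would create and append the vendor's `<script>` element, and the withdrawal result would drive deletion of that vendor's cookies; the manager itself stays the same. Note that the "decided" flag is what distinguishes a real opt-in from a pre-populated or stale record, which is the difference between this design and an opt-out banner.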

Other Requirements of Law 25 

Quebec’s data privacy law also features many of the same concepts and mechanisms present in most other data privacy regulations, including the following. 

Privacy Impact Assessments 

Like many privacy laws, Law 25 requires businesses to conduct a privacy impact assessment (PIA) under certain circumstances, such as: 

  • When data is being transferred outside of Quebec. 
  • When developing, acquiring, redesigning, or otherwise overhauling a system that handles personal information in any way. 
  • When evaluating whether personal information may be used for research purposes without the data subject’s consent. 
  • And more. 

Subject Rights 

As is the case with any data privacy law worth its salt, Law 25 provides consumers with certain data subject rights. For the most part, these rights do not differ from other major data privacy laws, and include: 

  • The right to privacy by default. 
  • The right to access collected personal information. 
  • The right to know about any third parties who may receive personal information. 
  • The right to know when an automated process has been used to make a decision with their personal information and opt out of automated decision-making processes. 
  • The right to correct personal information. 
  • The right to know certain information about the organization’s data processing activities, such as what information is collected and why. 
  • The right of erasure (notably, most U.S. state laws do not include this right; instead, it’s a mainstay of the GDPR). 
  • The right to receive personal information in a portable format. 

Third-Party Data Protection Requirements 

When transferring data to third parties, not only must businesses inform consumers about those transfers, but they must also put agreements in place to ensure that those third parties will treat personal information with the appropriate degree of protection. That includes: 

  • Certain technical, physical, and organizational measures will be put in place when handling personal information. 
  • Personal information may not be used for additional purposes. 
  • Personal information will not be retained after the expiration of the contract. 
  • And more. 

Additionally, third parties must formally write out their planned safeguards and allow for the auditing of their safeguards. 

International Data Transfer Requirements 

Transmitting personal data from within Quebec to outside of the province now requires businesses to assess whether that data will receive the same or a stronger level of protection. That includes conducting a PIA, adopting a contract with the receiving third party, and informing the relevant data subject. 

Security 

As is the case with all major data privacy regulations, businesses must take reasonable steps to protect personal information. To do so effectively, you’ll want to map your data, implement cybersecurity measures, and establish an incident response plan. 

Law 25 Penalties and Enforcement 

Law 25 provides several mechanisms for enforcing the law against violators.  

First, the CAI may issue administrative monetary penalties for less serious violations. These can reach two percent of worldwide turnover or $10 million CAD. 

If the offenses are serious enough to be brought before the court, then the Court of Quebec may impose a fine of four percent of worldwide turnover or $25 million. 

Lastly, as mentioned previously, individuals can exercise their private right of action against violators. These damages amount to, at minimum, $1,000 per individual. Citizens may also take collective action against violators in this way. 

How Does Law 25 Differ From PIPEDA? 

In many ways, Quebec’s Law 25 is a stronger data privacy regulation than Canada’s federal PIPEDA.  

For one, PIPEDA doesn’t afford residents the same rights as Quebec’s data privacy law, such as the right to request the deletion of data or to receive personal data in a portable format. 

Law 25 also has stricter consent requirements. Because of its confidentiality by default principle, no tracking technologies can be activated unless the consumer expressly consents to their use first. Under PIPEDA, businesses can use tracking technologies to collect personal information so long as the consumer is informed, the information is not sensitive, its intended use would be reasonably expected, and there is little likelihood of harm. As it turns out, many instances of personal data collection meet those standards, so businesses in Canada could adhere to opt-out consent standards. That’s not the case with Law 25. 

Lastly, PIPEDA has been criticized for enforcement that is neither sufficient nor sufficiently severe. With its three-pronged approach to enforcement, Law 25 has more teeth. 

There are other differences between the two laws, of course, but these are likely to be of the greatest relevance for businesses concerned about compliance. 

How Osano Can Help 

With Law 25’s latest provisions coming into effect, it’s more important than ever to acknowledge consumer consent choices. Unfortunately, many consent management solutions fail to adequately manage cookies, scripts, and iFrames based on user preferences. Sometimes this is due to poor design, sometimes needlessly complex implementations, and sometimes it’s a mix of both. 

Not only does Osano Cookie Consent automatically discover and categorize site tags, it’s also easy to implement and requires little-to-no configuration by the end user—that means you won’t have to worry about accidentally implementing a consent management solution that leaves you out of compliance.  

What’s more, Osano Cookie Consent prepares you for compliance with every privacy law in the world, ensuring your business can expand to new jurisdictions as needed. The Osano platform also provides capabilities to support the other aspects of your privacy program beyond consent management, too, ranging from subject rights requests to data mapping, vendor management, and more. 

Schedule a demo to see how Osano can support your organization’s compliance with Law 25 and global data privacy regulations.