What is Law 25?
Since 22 September 2023, Law 25 has been mandatory for organisations operating in Québec. Failure to comply could result in significant penalties being imposed on your company.
Law 25 is a reform of Québec’s legislation on the protection of personal information. It modernises the obligations of businesses and public bodies regarding the collection, use, retention and communication of personal data.
Among other things, it requires the explicit consent of individuals, transparency regarding the use of data, notification of confidentiality incidents and the appointment of a person responsible for the protection of personal information. Its aim is to better protect citizens’ privacy in a constantly evolving digital environment.
Your obligations
The broad outlines...
1. Person responsible for the protection of personal information
- Appoint a person responsible for data protection (often the company director).
- Their contact details should be published on the website.
2. Clear and explicit consent
- Consent to the collection, use or disclosure of personal information must be informed and given for specific purposes.
- The consent of minors under the age of 14 must be given by a parent or legal guardian.
3. Transparent privacy policy
- Develop and publish a clear, accessible and up-to-date privacy policy.
- Inform users of the purpose of the data collection and the rights they have over their data.
4. Register and governance of personal information
- Keep a register of the information collected and its use.
- Implement practices to manage the data life cycle (collection, storage, destruction).
5. Default confidentiality
- The most protective settings should be activated by default (for example, no unnecessary tracking or excessive collection).
6. Managing confidentiality incidents
- Keep a register of incidents.
- Notify the Commission d’accès à l’information (CAI) and the persons concerned if the incident presents a serious risk of harm.
References
- Gouvernement du Québec
La Loi 25 en vigueur dans son entièreté (French only) - Commission d’accès à l’information (CAI)
Principaux changements aux lois sur la protection des renseignements personnels (French only) - Barreau du Québec
La Loi 25 en vigueur dans son entièreté (French only)
