By Romain Gauthier
The second phase of Quebec’s Law 25 comes into effect in September 2023.
So what exactly is Law 25 and why should marketers worldwide care?
Law 25 applies to any company that collects, holds, uses or communicates to third parties information about Quebec residents, including those based outside the province.
It introduces new data protection rights for individuals and increased obligations for organizations handling personal information. It updates Quebec’s privacy laws, impacting the Public Sector Act and the Private Sector Act.
Personal information is defined as any information that identifies a natural person (e.g., name, email, IP address, cookie ID from your analytics or martech stack, etc.). Consent is required before collecting personal data, and it is required in particular:
- When a company wishes to collect personal information from a third party rather than directly from the data subject (except where permitted by law);
- When a company wishes to process personal information for purposes other than the ones initially defined;
- When a company wishes to communicate personal information to a third party (except where permitted by law).
How does Law 25 affect businesses based outside of Quebec?
At first glance, one might think that the new legal provisions of Law 25 bear little relevance for businesses outside Quebec. However, the truth is that the consequences of this legislation will reach well beyond the provincial boundaries for two primary reasons:
- Global Data Protection Laws: Law 25 is consistent with these international regulations, and according to the Commission for Access to Information (CAI), it applies to any organization situated outside of Quebec if it has customers who access its products or services within the province. In essence, just one individual from Quebec visiting a global website can bring the service provider within the jurisdiction of Law 25.
- Pioneering Legal Framework: Law 25 serves as a groundbreaking legislative model in Canada, and indicates the general trajectory for data regulation throughout the country. As Canada adopts a regionalized approach to data regulation, it remains uncertain whether this will trigger a “domino effect”, where adjacent governments begin implementing similar policies.
Looking at countries that have already implemented similar consent requirements, the consent collection that privacy laws require of businesses can reduce data collection by anywhere from 10 percent to 90 percent for the worst implementations.
What are the penalties for non-compliance with Law 25?
The maximum amount of the administrative monetary penalty is $50,000 in the case of a natural person and, in other cases, $10,000,000 or 2 percent of the worldwide turnover of the previous financial year, whichever is higher.
In the event of a criminal offense, the fine is between $5,000 and $100,000 in the case of an individual and, in other cases, between $15,000 and $25,000,000 or the amount corresponding to 4 percent of the worldwide turnover of the previous financial year, whichever is higher.
The responsibility for enforcing these monetary penalties lies with the Commission for Access to Information (CAI).
How does Law 25 differ from other data protection laws in Canada?
Law 25 aligns Québec’s privacy laws with the GDPR, a leading data protection framework. Compared to the GDPR and to the CCPA in the US, Law 25 differs in:
- Scope: Broader protection for natural persons, with no residency requirements
- Privacy by default: Stricter, with “confidentiality by default” compared to GDPR’s “privacy by design” and CCPA’s “after-the-event” approach
- Impact assessments: Requires Privacy Impact Assessments (PIAs) broadly, while GDPR is less stringent and CCPA does not mandate them
What rights do Quebec residents have under Law 25?
The right to privacy by default is a significant shift: Law 25 reverses the previous de facto position on online privacy, granting consumers the automatic right to confidentiality over their personal information.
- Privacy by default: Automatic confidentiality for personal information; profiling/tracking technology deactivated without express consent.
- Transparency: Companies must disclose purposes, means of collection, access/correction rights, third-party involvements, and possible data transfers outside Quebec.
- Withdraw consent: Individuals also have the right to withdraw consent to the communication or use of the information collected.
What steps can companies take?
Just a few months before the implementation of phase 2 of Quebec’s Law 25, Didomi suggests a minimum of 6 proactive steps for businesses to ensure their compliance:
- Designate a Data Protection Officer – Every Quebec company, regardless of its size, should have had a Data Protection Officer since September 22, 2022. If this is not the case, the person with the highest hierarchical rank within the company will automatically be designated by the law.
- Align the various internal services and teams on the responsibility for compliance – Due to a lack of understanding of what the new law concretely implies, it often happens that the different internal services pass the buck on compliance responsibility. Is it the role of the marketing team, information technology, or the legal department? If you don’t have the answer to this question, leadership needs to step up to counter the lack of alignment.
- Conduct an impact analysis of your internal processes – The collection of consent will inevitably lead to changes in online and offline processes. It is recommended to map out your technological environment and data flows, and then analyze the interdependencies of your different technological environments. How will the necessity to collect consent impact your current processes?
- Develop a forecast plan to deal with the impact of consent collection on the measurement of your performance – The volume of data collected will inevitably be impacted by the collection of consent, and it is vital to prepare for this, by quantifying this impact to manage internal and external expectations. The worst implementations could cause up to a 90 percent decrease in data collection, so this upstream impact analysis is crucial for better-adjusting strategies accordingly.
- Select a technology solution provider to support you in this change – It may sometimes be tempting to develop an internal consent management solution. However, this approach is often time-consuming and not sustainable over time as laws evolve locally and internationally. Turning to proven solutions allows you to maximize data collection and have peace of mind regarding the adaptability changes that new laws require (e.g., CPRA in California, LGPD in Brazil, etc.).
- Conduct pre-production tests – Whether you are deploying a web-based consent management solution, for a mobile application, or for connected objects, it is imperative to conduct pre-production tests to validate that the technology is working correctly. Didomi strongly advises doing these tests at the beginning of summer 2023, before the implementation of phase 2 of the law.
At Didomi, we believe that privacy laws present an opportunity for organizations to do better, and differently. Locally, it’s also important to keep in mind all the benefits of quickly complying with Quebec’s Law 25. Indeed, increasing transparency can boost a brand’s revenue, as trust is the starting point for consumer engagement. With or without regulation, privacy protection concerns all citizens today. That’s why it’s essential for every company to surround itself with the best experts to adapt to this new reality.
Romain Gauthier is the CEO and co-founder of Didomi. Didomi helps companies around the world turn various global regulations into real business opportunities that allow them to stand out from the competition. https://www.didomi.io/en-us/