Law 25 in Quebec in a nutshell: how to navigate the new data protection landscape and adapt your marketing strategy

In an increasingly digital world where personal data has become a valuable resource, the need to protect the confidentiality and integrity of this information has never been more important.

In this context, the province of Quebec, Canada, recently introduced Bill 25, an innovative law aimed at strengthening the protection of consumers' personal data . This new regulation, which is inspired by the European Union's General Data Protection Regulation (GDPR), represents a major turning point for businesses across all sectors.

Law 25 covers several key areas, from the explicit consent needed for data collection, to the protection of minors' data, to the rights of individuals to access their information and request its deletion.

It also has a significant impact on digital marketing strategies, placing tighter restrictions on how businesses can use consumer data for targeted advertising.

This text explores the various aspects of this law, its scope, the changes needed for businesses, and how tools such as customer relationship management (CRM) software can help with compliance. It also discusses the practical implications for businesses of different sizes and sectors, and provides useful advice on how to navigate this new regulatory landscape.

Whether you are a business executive looking to understand what this law means for your organization, or simply someone interested in the evolution of data protection, this text is for you.

Law 25 and its deadlines in summary

By September 22, 2022:

• Designation of a person responsible for the protection of personal information : This involves identifying a person or an internal team who will be responsible for ensuring compliance with personal data protection obligations. She will serve as the point of contact for employees and customers in the event of questions or problems relating to data protection.

• Implementation of privacy incident measures: These measures include policies and procedures to identify, report and manage any data breach. This could include how the company should inform data subjects and the data protection authority.

• Compliance with the new rules for the communication of personal information without consent for study, research or statistical purposes: These new rules could require the anonymization of data for certain uses, in order to protect the identity of the people concerned.

• Privacy Impact Assessment (PIA): This is a systematic assessment of the risks that a new product, system, initiative or program could pose to the privacy of individuals. This helps identify and mitigate potential risks at an early stage.

• Prior notification to the Commission in case of verification or confirmation of identity by biometric characteristics or measures: If the company plans to use biometric characteristics to verify the identity of a person (e.g. fingerprints , facial recognition), it must inform the Commission before doing so.

By September 22, 2023:

• Establishment of policies and practices governing the governance of personal information: This involves the development of internal policies and procedures to ensure data protection at all levels of the organization.

• Carrying out a PIA when communicating personal information outside Quebec: If data is transferred out of the jurisdiction, a privacy impact assessment must be carried out to ensure that the data will be treated with the same level protection.
  
  
• Compliance with new rules regarding consent: Companies must obtain informed, specific and unambiguous consent before collecting, using or disclosing personal data.
  
  
• Destruction or anonymization of personal information: When data is no longer needed, it should either be destroyed or anonymized so that the individual can no longer be identified.

• Compliance with new information and transparency obligations towards citizens: This means that companies must be clear about how they use personal data and must provide this information in an understandable way.

• Compliance with new rules for sharing personal information without consent: Generally, consent is required to share personal data. However, there may be exceptions where consent is not required. These new rules will clarify when and how this can happen.

• Compliance with the new rules for communicating personal information outside Quebec: Data transferred outside Quebec must be protected in the same way as if it were kept in Quebec.

• Compliance with new rules for the use of personal information: These rules specify how data can be used, including restrictions on use for secondary purposes without the consent of the individual.

• Default provision of maximum privacy settings for the technology products or services offered : This means that the default privacy settings of the products or services should be set to the highest level of data protection.
  
  
• Compliance with new rules for collecting personal information about a minor: Data about minors often has a higher level of protection, and new rules specify how this data should be collected and used.
  
  
• Respect for the right to cessation of dissemination, reindexing or deindexing (right to be forgotten): Individuals have the right to request that their data be deleted or deindexed from search engines .

• Compliance with the new rules for communicating personal information to facilitate the grieving process: In certain cases, it may be necessary to share personal information to facilitate the grieving process. These new rules will specify how this must be done.

Need assistance with deploying a cookie banner? Make an appointment for a free exploratory call to discuss our Cookie solutions which are implemented by Google Tag Manager

By September 22, 2024:

Respond to requests for personal information portability: Individuals have the right to request a copy of their data in a usable format and to transfer that data to another organization. Businesses must be able to meet these demands.

These concrete measures are necessary to ensure that companies comply with current data protection legislation . Adequate staff training is essential to ensure their effective implementation and compliance.

OPT-IN VS OPT-OUT

In the context of Law 25 in Quebec, which strengthens data protection rules, the concepts of "opt-in" and "opt-out" are extremely important in understanding how companies can obtain and use personal data from their clients.

Opt-in : This is a proactive approach to consent management . In other words, the company can only collect or use an individual's personal data if the individual has explicitly given consent. This could be as simple as checking a box on an online form or signing a consent agreement. In the context of Bill 25, this is generally the preferred approach, because it respects the principle of prior consent.

Opt-out : This approach allows the company to collect or use an individual's personal data, unless the individual explicitly disagrees or requests to be opted out. This is a more passive approach, where silence or inaction is interpreted as consent. However, under Bill 25, this approach is generally insufficient to comply with the new consent rules.

Thus, Law 25 strongly favors the “opt-in” approach to the collection and use of personal data. This means that businesses must obtain explicit, informed consent before collecting or using their customers' personal data. They must also be able to demonstrate that they have obtained this consent if questioned by regulatory authorities.

Impact of Law 25 on different types of businesses or legal forms

This privacy law has implications for all types of businesses, regardless of their status or structure. Specific obligations may vary depending on the size of the business, the type of data it processes, and how it uses that data.

Nonprofit Organizations (NPOs) : These organizations often process sensitive data, including information about beneficiaries, donors, volunteers, and employees. They must comply with the same regulations as for-profit companies when it comes to data protection. This can mean an investment in time and resources to ensure compliance, which can be a challenge for NPOs who often have limited resources.

Private companies : For these companies, compliance with the new law may require a significant investment in terms of implementing new policies, training staff and adapting IT systems. However, there is also a business benefit to ensuring proper management of personal data. Businesses that show they take data protection seriously can gain the trust of their customers, which can provide a competitive advantage.

Public companies : Public companies, particularly those that provide public services or process sensitive data, will also have to comply with the new regulations. As with private businesses, this may require an investment of time and resources. However, compliance with data protection legislation can also improve public confidence in how these companies manage their personal information.

Small and medium-sized enterprises (SMEs) : SMEs could be particularly affected by the new law, as they often have fewer resources to manage compliance. However, it is important to note that even small businesses can process significant volumes of personal data, and it is therefore crucial that they comply with the law.

It is important to note that the law is applicable to all organizations that process personal data, whether located in Quebec or not. Therefore, organizations based outside of Quebec, but which process the personal data of Quebec residents, will also have to comply with the legislation.

Proper management of your customer and prospect database requires HubSpot

A CRM (Customer Relationship Management) like HubSpot can help businesses comply with Quebec's new law on the protection of personal information in several ways:

Data Organization : A good CRM can organize and manage customer data effectively. It provides visibility into the origin, use and storage of data, which is crucial to meeting the requirements of the new law. Additionally, it makes it easy to update, correct or delete data, in response to customer requests.

Customer Consent : Modern CRMs can help manage customer consent by recording and tracking consent for different data uses. For example, HubSpot can help track who has consented to what type of marketing communications , and can easily withdraw that consent if the customer requests it.

Data security : HubSpot has built-in data security measures, like encryption, that can help protect sensitive customer data. The law requires organizations to take steps to protect personal data, and using a secure CRM like HubSpot can help meet this requirement.

Data access and portability : If a customer requests to see their data or transfer it to another organization, a CRM can facilitate this process by bringing all relevant data together in one place.

Data Deletion : If a customer requests deletion of their data, a CRM like HubSpot allows for easy and permanent deletion of the customer's information throughout the system.

It is important to note that if a business uses a CRM to store and manage customer data, it should always ensure that the CRM provider is also legally compliant. In the case of HubSpot, they have a comprehensive privacy policy and procedures to help their customers be compliant with data protection laws .

What is the impact of Law 25 on advertising and technology platforms?

Quebec's Law 25 has major implications for small and medium-sized businesses (SMEs) that use advertising platforms like Google Ads , Facebook Ads and LinkedIn Ads for their marketing campaigns. Here are some concrete changes:

1. Prior consent : SMEs must ensure that they have obtained prior consent from users before collecting or using their data for advertising campaigns . This means that SMEs will likely need to modify their registration or contact forms to include checkboxes or other mechanisms for users to provide informed consent.

2. Ad Targeting : Many SMBs use behavioral targeting to show relevant ads to users based on their online behavior . However, under Bill 25, these practices could be restricted if they involve the collection or use of personal data without consent. SMEs will need to be careful about how they use these platforms for advertising targeting.

3. Cookies and other trackers : SMEs that use cookies or other trackers to track user behavior and display targeted advertising must also obtain user consent before deploying them. This may require setting up a cookie banner or other consent mechanism on their website .

4. Transparency : SMEs should be transparent about how they collect and use user data for advertisements. This may require updating privacy policies and consent notices to include detailed information about advertising practices.

5. Managing user requests : Under Law 25, users have the right to request access to their data, rectify it, delete it or object to its processing for marketing reasons. SMEs will need to put systems in place to manage these requests effectively.

It is important to note that these changes do not only apply to SMEs based in Quebec, but to any company that collects or uses data from Quebec residents, regardless of its location. Therefore, SMEs must be aware of the implications of this law, even if they are based outside of Quebec.

What content must be modified on my website in order to comply with Law 25?

In order to comply with the requirements of Quebec Law 25 , several pages and sections of a website may require modifications, particularly those that deal with the collection, use and storage of user data. Here are the most common pages that might need updating:

1. Privacy Policy : This page should give a clear and transparent explanation about the types of data you collect, how you use it, who you share it with and how long you keep it. It should also include information on users' data protection rights and how they can exercise these rights.

2. Terms and Conditions : Although terms and conditions are generally not focused on privacy, they may need to be modified to include information about how you process personal data and users' obligations regarding that data.

3. Consent/Registration page : If you have a registration page or other page where users provide their data, you will need to ensure that it contains a clear explanation of how you intend to use this data and gives users the possibility of giving their consent.

4. Contact and form pages : If you collect information through contact or other types of forms, these pages should clearly state why you are collecting this information and how you intend to use it .

5. Cookie banner / cookie policy page : If you use cookies or other tracking technologies , you will need to provide clear information about these technologies and obtain user consent before deploying them.

In addition to what has already been discussed, there are several other important aspects to take into account in relation to Law 25

1. Role of a Data Protection Officer (DPO) : It is important to consider whether to hire or appoint a DPO in your business , particularly if you process a significant volume of sensitive data. The DPO supervises the data protection strategy and ensures compliance with data protection laws.

2. Transfer of data abroad : Bill 25 may impact how you transfer data outside of Quebec or Canada. You will need to ensure that the receiving country offers an equivalent level of data protection.

3. Handling data breaches : The law requires that you promptly report any data breach to the relevant authority and, in some cases, affected individuals. It would therefore be crucial to put a process in place to manage these incidents.

4. Staff training and awareness : To ensure compliance with the law, it is essential that all members of your staff understand the importance of data protection and know how to properly handle personal data.

5. Taking data protection into account by design : This is an approach which involves taking into account the protection of personal data from the first stages of any new project, product or service .

6. Data protection impact assessments (DPIAs) : For certain types of processing, in particular those which pose a high risk to the rights and freedoms of individuals, you may be required to carry out a DIA before commencing processing.

7. Relationship with subcontractors : You will need to check that your subcontractors also comply with the law. It may be necessary to renegotiate your contracts to include specific data protection clauses.

Each of these topics may require more detailed exploration depending on your specific activities and how you process personal data.

Conclusion

In conclusion, the new law 25 on the protection of personal data in Quebec represents a major change for companies, whether private, public or non-profit. Its scope goes well beyond the simple management of customer databases. It significantly impacts digital marketing campaigns, customer relationship management software like HubSpot, and much more.

When it comes to digital marketing, businesses will need to ensure that their campaigns on platforms such as Google Ads , Facebook Ads and LinkedIn Ads comply with consent and data protection provisions. It is now essential to emphasize an opt-in rather than opt-out approach, ensuring that every interaction with the customer respects their privacy rights.

In the context of data management, tools like HubSpot can play a key role in helping businesses centralize, secure and manage their customer data in a compliant manner. This includes documenting consents, managing data access requests and implementing appropriate security measures.

Finally, good data management is about more than regulatory compliance. It is also synonymous with respect for customer privacy, trust and solid relationships with them.

In today's competitive landscape, where personalization of marketing is essential but must be balanced with respect for privacy, effective data management can be a real competitive advantage.

Adapting to Bill 25 may seem like a daunting task, but it can also be an opportunity to rethink and improve your data management processes and marketing strategies . The goal is not just to comply with the law, but also to create a company culture focused on respecting your customers' personal data.

Glossary of technical terms concerning Quebec law 25 and more broadly the protection of personal data in the web context

1. Personal (or personal) data : Any information concerning an identified or identifiable natural person. This could be name, email address, IP address, etc.

2. Consent : Authorization freely given by the individual concerned for their personal data to be processed. Consent must be explicit and informed.

3. Cookies : Small files placed on a user's device when they visit a website . They can be used to track user activities on the site, to personalize user experience, etc.

4. Opt-in/Opt-out : Mechanisms giving the user the opportunity to choose whether or not they wish to receive marketing communications . Opt-in means that the user must give explicit consent, while with opt-out the user is presumed to have given consent unless they declare otherwise.

5. Encryption : The process of converting information into a secret code to prevent unauthorized access.

6. Privacy Policy : Document explaining how a company collects, uses, discloses and manages user data.

7. Anonymization : The process of transforming data to prevent the identification of an individual. Once anonymized, the data is no longer considered personal.

8. Pseudonymization : The process of replacing fields in data records with artificial identifiers or pseudonyms to prevent direct identification.

9. Data subject rights : The rights that individuals have regarding their personal data, such as the right to access, rectification, deletion (right to be forgotten), etc.

10. Data controller : The entity (usually a company or organization) which determines the purposes and means of the processing of personal data.

11. Processor : The entity that processes personal data on behalf of the controller.

12. Data portability : The right of individuals to receive their personal data in a structured, commonly used and machine-readable format, and to transfer it to another controller.