September 1, 2023
Jurisdictions across the globe are implementing their own unique take on data privacy legislation, and Canada’s Quebec province is no exception. Read on to learn all about what makes this law unique and how you can comply.
You may have heard of another Canadian privacy law called Bill 64—in fact, Law 25 and Bill 64 are one and the same. In the Canadian legal system, prospective laws are referred to as bills until assented to by the lieutenant governor. Law 25 is also known as the Privacy Legislation Modernization Act.
Like the GDPR, Quebec’s Law 25 not only applies to Quebec-based businesses but also external businesses processing the personal information of any number of Quebec residents.
That means that, unlike most U.S. state privacy laws, there is no minimum threshold to meet before the law’s requirements apply. So, if your organization processes the data of any of Quebec’s nearly 9 million residents, you’ll need to comply.
Law 25’s requirements come into force in three stages: some requirements are in effect as of September 22nd, 2022; most came into effect as of September 22nd, 2023; and the remainder come into effect September 22nd, 2024. Here are the various requirements and their associated dates. We’ll discuss notable features and requirements later on in this article.
Although Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), Law 25 is more comprehensive and stricter in its establishment and enforcement of data privacy rights.
It bears a significant resemblance to many of the other banner data privacy regulations such as the GDPR and CCPA/CPRA. However, Law 25 also has some significant departures from other laws, especially if you’re used to the general template used in U.S. data privacy laws.
Compared to U.S. state privacy laws in particular, Law 25 has several notable regulatory features.
Businesses that are already compliant with the GDPR will be familiar with this approach to consent management, but businesses that are more familiar with the CCPA/CPRA may not realize that they cannot automatically load cookies or deploy other tracking technologies unless a consumer indicates they may do so.
Law 25's privacy officer requirements are similar to—though still distinct from—the GDPR’s requirements around a data protection officer. Essentially, the Privacy Officer is responsible for overseeing certain compliance activities in an organization such as:
By default, the highest-ranking individual in an organization is considered to be its privacy officer unless you assign another individual to serve in that role. So, if you choose to do nothing and fail to appoint a privacy officer, the CAI (the Commission d’accès à l’information, Quebec’s privacy regulator) will still consider your CEO to be your de facto privacy officer.
Unlike most data privacy laws in the world, including PIPEDA and the GDPR, Law 25 provides a private right of action. That means citizens can take legal action (including collective action) against businesses that breach or infringe their rights under Law 25, whether intentionally or through gross fault. Potential damages start at $1,000 per individual.
Inspired by the concept of privacy by design, Law 25 requires organizations to adhere to confidentiality by default. In essence, any public-facing systems that collect personal information must have privacy settings configured to the highest level of confidentiality by default, without any action needed by the consumer. This spills over into the concept of opt-in consent; by default, you can’t collect personal information unless the consumer provides affirmative consent first.
Quebec’s data privacy law also features many of the same concepts and mechanisms present in most other data privacy regulations, including the following.
Like many privacy laws, Law 25 requires businesses to conduct a privacy impact assessment (PIA) under certain circumstances, such as:
As is the case with any data privacy law worth its salt, Law 25 provides consumers with certain data subject rights. For the most part, these rights do not differ from other major data privacy laws, and include:
When transferring data to third parties, not only must businesses inform consumers about those transfers, but they must also put agreements in place to ensure that those third parties will treat personal information with the appropriate degree of protection. That includes:
Additionally, third parties must formally write out their planned safeguards and allow for the auditing of their safeguards.
Transmitting personal data from within Quebec to outside of the province now requires businesses to assess whether that data will receive the same or a stronger level of protection. That includes conducting a PIA, adopting a contract with the receiving third party, and informing the relevant data subject.
As is the case with all major data privacy regulations, businesses must take reasonable steps to protect personal information. To do so effectively, you’ll want to map your data, implement cybersecurity measures, and establish an incident response plan.
Law 25 provides several mechanisms for enforcing the law against violators.
First, the CAI may issue administrative monetary penalties for less serious violations. These can reach two percent of worldwide turnover or $10 million CAD.
If the offenses are serious enough to be brought before the court, then the Court of Quebec may impose a fine of four percent of worldwide turnover or $25 million.
Lastly, as mentioned previously, individuals can exercise their private right of action against violators. These damages amount to, at minimum, $1,000 per individual. Citizens may also take collective action against violators in this way.
In many ways, Quebec’s Law 25 is a stronger data privacy regulation compared to Canada’s overall PIPEDA.
For one, PIPEDA doesn’t afford residents the same rights as Quebec’s data privacy law, such as the right to request the deletion of data or to receive personal data in a portable format.
Law 25 also has stricter consent requirements. Because of its confidentiality by default principle, no tracking technologies can be activated unless the consumer expressly consents to their use first. Under PIPEDA, businesses can use tracking technologies to collect personal information so long as the consumer is informed, the information is not sensitive, its intended use would be reasonably expected, and there is little likelihood of harm. As it turns out, many instances of personal data collection meet those standards, so businesses in Canada could adhere to opt-out consent standards. That’s not the case with Law 25.
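The opt-in rule described above and under the confidentiality-by-default requirement earlier in this article has a direct consequence for site code: tracking tags must be registered but not executed until a consumer has affirmatively consented. The following is an added illustration of that gating logic, not Osano’s code or any part of its product. The category names (`analytics`, `marketing`), the in-memory `Map` used as the persistence store, and the loader callbacks are all assumptions made for the demo; a real site would persist the decision in a cookie or local storage and would also clear cookies already set when consent is withdrawn.

```javascript
// Added example (not Osano's code): a consent gate that treats every tracking
// category as NOT consented until a consumer explicitly opts in, and only then
// runs the loaders registered behind that category.

const CATEGORIES = ["analytics", "marketing"]; // assumed category names

class ConsentGate {
  constructor(store = new Map()) {
    this.store = store;       // persistence abstraction (assumed: Map; real sites use a cookie)
    this.pending = new Map(); // category -> loaders waiting for consent
    this.loaded = [];         // record of which categories actually ran a loader
  }

  // Confidentiality by default: with no recorded decision, a category is not consented.
  hasConsent(category) {
    return this.store.get(category) === true;
  }

  // Register a tracker behind a category. It runs immediately only if consent
  // already exists; otherwise it is parked until the consumer decides.
  register(category, loader) {
    if (!CATEGORIES.includes(category)) {
      throw new Error("unknown consent category: " + category);
    }
    if (this.hasConsent(category)) {
      loader();
      this.loaded.push(category);
      return true;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
    return false;
  }

  // Record an explicit decision. Only a literal `true` counts as opt-in; a
  // dismissed banner, an empty value or undefined is treated as refusal.
  // Returns the number of parked loaders released by this decision.
  decide(category, granted) {
    const value = granted === true;
    this.store.set(category, value);
    if (!value) return 0;
    const loaders = this.pending.get(category) || [];
    this.pending.delete(category);
    for (const run of loaders) {
      run();
      this.loaded.push(category);
    }
    return loaders.length;
  }

  // Withdrawal blocks any future registrations for the category.
  withdraw(category) {
    this.store.set(category, false);
  }
}

// Walk through the lifecycle with two hypothetical tags and return what happened.
function demo() {
  const gate = new ConsentGate();
  const events = []; // constructed record of which tags actually fired

  gate.register("analytics", () => events.push("analytics-tag"));
  gate.register("marketing", () => events.push("marketing-pixel"));
  const firedBeforeDecision = events.length; // nothing fires by default

  const released = gate.decide("analytics", true); // affirmative opt-in
  gate.decide("marketing", "dismissed");           // banner closed: not an opt-in

  gate.withdraw("analytics");
  const afterWithdrawal = gate.register("analytics", () => events.push("late-tag"));

  return {
    firedBeforeDecision,
    released,
    events: events.slice(),
    analyticsConsent: gate.hasConsent("analytics"),
    marketingConsent: gate.hasConsent("marketing"),
    afterWithdrawal,
  };
}
```

The important property is in `hasConsent`: an absent or non-`true` value is refusal, so a missing cookie, a dismissed banner or a malformed stored value all keep trackers off, which is the behaviour the confidentiality-by-default principle calls for.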
Lastly, PIPEDA has been criticized as lacking sufficient and sufficiently severe enforcement. With its three-pronged approach to enforcement, Law 25 has more teeth.
There are other differences between the two laws, of course, but these are likely to be of the greatest relevance for businesses concerned about compliance.
With Law 25’s latest provisions coming into effect, it’s more important than ever to acknowledge consumer consent choices. Unfortunately, many consent management solutions fail to adequately manage cookies, scripts, and iFrames based on user preferences. Sometimes this is due to poor design, sometimes needlessly complex implementations, and sometimes it’s a mix of both.
Not only does Osano Cookie Consent automatically discover and categorize site tags, it’s also easy to implement and requires little-to-no configuration by the end user—that means you won’t have to worry about accidentally implementing a consent management solution that leaves you out of compliance.
What’s more, Osano Cookie Consent prepares you for compliance with every privacy law in the world, ensuring your business can expand to new jurisdictions as needed. The Osano platform also provides capabilities to support the other aspects of your privacy program beyond consent management, too, ranging from subject rights requests to data mapping, vendor management, and more.
Schedule a demo to see how Osano can support your organization’s compliance with Law 25 and global data privacy regulations.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.