Quebec Law 25
The privacy and consent landscape continuously changes, but we are committed to helping you stay ahead and remain compliant. Today’s update addresses Quebec Law 25 (The Privacy Legislation Modernization Act) within the Universal Consent Platform (UCP).
Law 25 (The Privacy Legislation Modernization Act) was adopted unanimously by the National Assembly of Quebec on 21 September 2021. The first phase of Québec's Law 25 came into effect on September 22, 2022. In the weeks and months ahead, organizations doing business in the province of Québec will likely need to implement significant changes to the ways in which they collect, use, and disclose personal information.
In September 2021, Quebec’s Parliament enacted Law 25 (formerly Bill 64) (the “Law”), which updated Quebec’s data protection laws and added requirements for enterprises that do business within the province. Specifically, as of September 2022 companies should have 1) appointed a data protection officer, 2) disclosed to the Quebec data protection commission certain processing and uses of biometric data, and 3) updated incident response requirements. Starting in 2023, failure to comply may result in GDPR-like fines with monetary penalties potentially ranging from 2% to 4% of worldwide turnover.
What is Law 25?
Law 25 is the latest and most significant privacy legislation development in Canada. It follows the 2021 adoption of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.
Under the provisions of Law 25 in effect on September 22, 2022, the following apply to organizations operating in Québec:
- All organizations must have a Privacy Officer or equivalent position
- Specific measures around the use of Privacy Impact Assessment
- Publicly available privacy policies and requirements for internal privacy practices
- Mandatory privacy breach notifications, in line with existing federal requirements
- Increased transparency for consent and collection of personal information
- Implementation of privacy by design principles in technology and systems
- New data rights for individuals whose personal information is collected, such as:
  - data portability rights
  - rights related to automated decision making
  - data profiling rights
  - the right to be forgotten (with the exception of information of public interest)
Law 25 also introduces some unique requirements regarding biometric data (voiceprints, fingerprints, DNA, etc.). Businesses must provide notice to the Commission d’accès à l’information (CAI) du Québec at least 60 days in advance of creating a biometric database.
The vast majority of the amendments enacted by Law 25 will come into effect on September 22, 2023, and will require significant changes to privacy compliance frameworks, including mandatory PIAs for the transfer of personal information outside of Québec, mandatory provisions within all outsourcing contracts, the adoption of privacy by default mechanisms for new technologies, and many other significant changes.
Who does it impact?
With some exemptions, most organizations established in Québec and/or doing business in Québec that are collecting, using, or disclosing personal information of individuals located in the province will be impacted. Even the scenario of a Québec-based customer soliciting goods and services from a foreign website – in other words, most international online shopping scenarios – is potentially covered by the new legislation and may require compliance by the foreign company.
What are the penalties for noncompliance?
Law 25 increases the fines for non-compliance with privacy legislation, with private-sector entities subject to fines ranging from $15,000 to $25,000,000 CAD, or an amount corresponding to four per cent of worldwide turnover for the preceding fiscal year (whichever is greater).
An Act to modernize legislative provisions as regards the protection of personal information (also known as "Law 25" or "Bill 64") adopted on September 22, 2021, substantially modifies the protection of personal information regime for businesses and public organizations operating in Québec. These changes will come into effect over the course of the next three years, starting on September 22, 2022.
How to set up new notices for “Quebec Law 25”
- Log in to UCP and go to “Manage” in the menu section.
- From there, choose the domain you wish to set up.
- Once in the setup page, navigate to the settings. In the “Configure Consent” column you will see a new drop-down for choosing the regulation you wish to set up, with the following options:
  - Custom Regulation
  - Nevada Consumer Opt-out Law
  - Quebec Law 25
A new location for Quebec has been added under Canada in UCP. Selecting the “Quebec Law 25” regulation automatically sets “Prior consent (Opt-In)” as the default consent type for that regulation. You’ll no longer be able to choose “Don’t require consent” or “Opt-out Consent” for “Quebec Law 25”.
Expanded Consumer Rights
The Act also gives rise to a new private right of action, allowing individuals to bring claims against companies for statutory damages in respect of specific breaches.
After these forms are filled out (DNS and DSAR) an automated email is sent to the user to verify who they are, and the data is saved within the privacy UI.
To access these forms, log in to the privacy UI (privacy.evidon.com) and choose the “Access Requests” link in the menu. This menu shows your list of access requests, which you can narrow down using basic sorting and wildcard search. On the right side above the table, a checkbox lets you see the results that have not yet been verified by email.