Whether you’re a private company, an agency or a public organization in Quebec, you’ve probably heard of Law 25. However, for many, understanding this law remains very unclear, as does its application.
As we approach September 22, 2023, which marks the next important threshold in the personal data protection process, it’s vital to take a closer look at the subject and to be properly prepared.
What is Law 25?
Summary of Law 25
Law 25 is a major update to existing legislation. It aims at strengthening the protection of Quebecers’ digital personal data. The Commission d’Accès à l’Information (CAI) defines personal data as information about an individual that identify them. This information is confidential and, barring exceptions, cannot be collected or shared without the consent of the person concerned. In other words, it is a piece of information that uniquely identifies a person, and must therefore be treated with care and respect for privacy.
This strengthening of legislation will take the form of a strict framework for the gathering and use of personal data collected by companies from their websites. This is the first time in 28 years that the Quebec government has updated its legislation in this way. The law applies not only to Quebec companies but also to any organization based outside the province that does business with Quebec.
Law 25 will come into force over 3 years, from September 2022 to September 2024. Companies will have to comply gradually. The next important date to remember is September 22, 2023. From this date, companies that fail to provide clear consent for each piece of data collected could be subject to penalties. Fines can be very steep, up to 4% of the organization’s global sales, and up to $25 million!
Law 25 requirements
Any company doing business in Quebec and collecting digital data in any way will have to meet very specific requirements.
A privacy policy
A page dedicated to privacy policy must be integrated to the website. It has to be accessible in French and translated according to the languages available on the website. Each company is free to create its policy, as long as it complies with Law 25 and is easily understood by the user.
The consent banner
To comply with Law 25, a consent banner must be displayed on the website. Recollection of personal data depends entirely on the user’s acceptance. Failure to provide a choice would be automatically interpreted as a refusal and the user’s data would not be collected. This is why the consent banner deserves to be visible. Various online consent platforms are available to incorporate a banner into your website.
Cookie management
Law 25 stipulates that companies must list all cookies used on their website. It is required to explain their purpose and provide users with the ability to delete any cookies of their choosing. A URL link must be included at the bottom of each website page so that users can change their cookie authorization at any time.
While Law 25 will not impact cookies that are essential for the website’s functioning, companies must still elucidate their purpose.
How do I set up consent management?
As mentioned above, it’s essential to install a consent banner on your website. To do this, you first need to choose the consent platform you want to work with. There are many platforms on the market with different features and prices. One of the key factors to consider is its ability to customize the banner. The degree of banner personalization is very important since it will greatly influence the acceptance rate of users.
Here are the main elements to consider:
- Banner position on the website (top, middle or bottom of the page)
- The colour and location of the « Accept » and « Decline » buttons
- The frequency of the banner pop-up after the user has given his initial response.
In short, the banner can be optimized in several ways to encourage consent.
We suggest opting for a consent platform that enables daily analysis of acceptance rates, allowing you to respond promptly if a version of your consent banner falls short of expectations.
Keep in mind that the effectiveness of the consent process significantly impacts the number of users willing to provide it. Finally, make sure you include the link that permits users to change their minds at any moment. While it’s preconfigured and accessible in the consent platform, it is crucial to add it to the website footer.
The next step
The upcoming significant date is September 2024, introducing a new obligation under Law 25. According to this legislation, it will be mandatory, upon the request of the concerned individual, to disclose the personal information they have supplied to a company.
Thus, if a person wishes to know what personal data he or she has communicated to a specific company, they can submit a request for this purpose. Subsequently, the company is obligated to furnish the requested information within the specified legal timeframes.
Are you ready to comply with Law 25?
Is your company ready for the new Law 25? If the answer is no, we advise you to act quickly, as September is just around the corner!
In summary, the implementation of Law 25 represents a significant shift in the online landscape in Quebec, and executing it is quite technical. Numerous factors must be thoughtfully considered to guaranteeing adherence:
- A privacy policy must be added to the website; personalized or generated by a consent platform.
- A consent banner must be displayed; also generated by the consent platform.
- Configuration within Google Tag Manager is necessary for cookie personalization. At Ursa, we favor consent platforms that enable cookie management through Google Tag Manager, ensuring a dependable approach to accepting or refusing cookies and managing data collection.
Do you have any questions? Feel free to reach out to us!