Ever since the advent of the internet, multiple laws and regulations have been introduced to monitor and regulate its usage.
One such law is Bill 25, which has brought in significant changes that should not be ignored.
If you want to be more familiar with it, you can check out the timeline for the implementation of law 25 here.
Who is law 25 for and what is its purpose?
Who is the law for?
Law 25 is designed for a wide range of entities, including companies, non-profit organizations, public organizations, and even political parties. If your operations on the web involve collecting, holding, using, or sharing personal information, then law 25 applies to you.
Its purpose
The objective of the Personal Information Protection Act is to promote a healthy culture of protecting personal information.
This law obliges Quebec businesses to manage and use the personal information of the population in a more rigorous and secure way.
Citizens, on the other hand, will also reap numerous benefits, in various ways:
- receive more accurate information during personal information collection and automated decision-making;
- be informed when their personal information is used to make a decision based solely on automated processing, and have the right to express their views to an employee capable of reviewing the decision;
- be notified in the case of a privacy breach that poses a significant risk of harm to their personal information;
- have the right to request the removal and de-indexing of their personal information;
- give consent in simple and straightforward terms.
What exactly does the term “personal information” mean?
To have a complete comprehension of the law, it is essential to clarify the various data and information that constitute it.
Subject to the law, yes or no?
Personal information serves as a unique identifier for individuals, which is what makes it possible to identify them. However, it is vital to understand the difference between direct and indirect identifiers.
Direct identifiers are subject to the law since they directly allow the identification of an individual.
On the other hand, indirect identifiers, which are not linked to a direct identifier, are not regulated by the law.
What exactly is considered a direct identifier?
Direct identifiers are pieces of information that can be used to identify an individual without the need for other data. For instance:
- First and last name
- Social Security number
- Worker number
- Bank card
- Email Address
What exactly is considered an indirect identifier?
Indirect identifiers need supplementary data to recognize an individual. For instance:
- Date of birth
- Area code
- Gender
- GPS coordinates
The exceptions
Depersonalized information is treated as an indirect identifier because it can be combined with other internal databases to identify a person.
Anonymous information, however, is not regulated by the law because it lacks any information that can be used to trace a specific individual.
The rights and duties of Quebec businesses
New provisions of law 25 came into effect as of September 22, 2023. One of the requirements is to have established policies and practices for the management of personal information.
In summary, here are the main obligations attached to it:
- obtain informed consent from visitors;
- inform internet users about the collection and usage of their personal information;
- inform individuals about their rights concerning the collection of their personal information;
- respond to requests from individuals regarding the collection of their information;
- create practices that are designed to safeguard the personal information collected;
- establish and adhere to a retention schedule for the data that has been collected;
- designate an individual responsible for safeguarding personal information within the company;
- develop and post a privacy policy.
As a website owner, it is your responsibility to inform visitors about the collection of their information and obtain their consent before collecting it.
When using cookies, pixel tracking, or collecting email addresses, it is essential to provide visitors with a clear explanation of the nature of the information collected, how it will be used, and the mechanism used to collect it. Additionally, you must obtain their consent before collecting such information.
Valid consent
For consent to be valid, it must be voluntary and informed. Users should have easy access to all the information needed to comprehend what they are consenting to, and they should have the liberty to accept or decline.
Additionally, it is crucial to obtain user consent for every new collection of personal information. For instance, visitors must give their consent for the use of tracking information (cookies), and their approval must also be sought if their email address is to be collected.
The only situation where obtaining new consent is not required is if the new purpose for collecting personal information is compatible with the original purpose.
Implementation of personal data protection practices
According to law 25, the businesses concerned must implement measures to safeguard personal data, including:
- document security;
- use of computer security systems and password protection;
- use of measures that are suitable for the organization, and training for employees;
- a procedure for dealing with security breaches, personal data leaks, or other security incidents that could cause significant harm to affected individuals. The affected individuals should be notified immediately, along with the Quebec Access to Information Commission.
How to properly manage the retention of collected personal data?
Personal information that has been collected should not be retained indefinitely. Once the purpose of the data collection is achieved, it should be deleted.
The only exception to this rule would be if the retention of the information is required by law, such as for tax purposes or according to a code of ethics.
How can we respond to requests from individuals regarding the collection of their data?
Any individual whose personal data has been collected has the right to access it, challenge its accuracy, and request its correction at any time.
They can also ask for its deletion, such as when the retention of personal data is no longer justified or valid.
If an individual withdraws their consent for the use of their personal data, the company must delete it from their databases.
The company must respond to these requests within 30 days at the most and inform individuals about the measures that will be taken.
It is necessary to appoint an individual within your organization responsible for the protection of personal data.
This person's contact details should be clearly displayed and easily accessible on the website.
It is your duty to establish and post a privacy policy
Since September 22, 2023, it has become mandatory to establish and publicly display a clear and transparent privacy policy.
This policy must:
- be easily understandable for site users and provide a clear description of the personal data collected by the company, how it is used and retained, and the rights of individuals concerning their data;
- contain the name and contact details of the person responsible for the protection of personal data;
- be easily accessible online, for instance by placing it in the website footer;
- be regularly updated to reflect any changes in the company's personal data collection and processing practices.
Make sure the service providers you work with are compliant
If your business utilizes service providers to handle activities involving the collection or processing of personal data, it is essential to ensure that these providers also comply with law 25.
In conclusion
It is highly recommended to implement the requirements of law 25 within your company to avoid facing significant penalties.
Failure to comply with the aforementioned rules can result in penalties of up to $25 million or 4% of the company's global turnover.
If an individual is a victim of non-compliance, they can claim damages of at least $1,000. The Quebec Commission for Access to Information is responsible for overseeing Law 25.
*Please note that the information provided in this article is for informational purposes only and does not constitute legal advice.