
Bill 25 and its impacts on your website
Here is a brief summary of the standards of Bill 25 that have been in effect since fall 2022, and those coming into effect in September 2023 and 2024. However, it is recommended to consult a specialized lawyer to ensure your compliance.
Effective since September 22, 2022
- Appoint a Person Responsible for the Protection of Personal Information: Nominate a person responsible for protecting personal information.
- Maintain an Incident Register: Keep a record of data breaches, and provide a copy to the Commission d’accès à l’information du Québec (CAI) upon request.
- Conduct a Privacy Impact Assessment (PIA): Evaluate privacy risks and implement strategies to mitigate or avoid them.
Starting September 22, 2023
- Develop a Policy on Privacy Governance Practices: Create a policy detailing the governance of personal information, including:
  - Rules for the retention and destruction of personal information;
  - Roles and responsibilities of staff throughout the lifecycle of personal information;
  - A process for handling privacy-related complaints.
- Publish the Privacy Policy: Make the privacy policy available on your website, including contact information for the internal resource person.
- Adhere to New Consent Rules: Comply with new rules for the collection, communication, and use of data, including the purposes of data collection, the rights to access data, and the right to withdraw consent.
Starting September 22, 2024
- Guarantee Data Portability Rights: Allow users to retrieve a portion of their collected information in an accessible format.
- Comply with Quebec Laws on Biometric Information: Adhere to the laws that impose specific obligations on employers regarding biometric information that uniquely identifies a person.
Penalties for non-compliance
Non-compliance can result in financial penalties up to 4% of sales or amounts up to $25,000,000. Bill 25 applies not only to businesses located in Quebec but also to those processing personal information of individuals residing in the province.
Reasons to ensure your website complies with Bill 25
- Protect User Privacy: Adhere to the rules outlined in the law.
- Ensure Transparency: Inform users about the collection and use of their data.
- Build User Trust: Ensure transparent and secure handling of personal information.
- Improve Company Reputation: Demonstrate a commitment to user privacy.
- Avoid Complaints: Prevent issues related to the misuse of personal information.
- Meet Industry Standards: Comply with data protection standards.
- Meet Partner Requirements: Fulfill the compliance demands of business partners.
- Reduce Legal Risks: Minimize the risks associated with collecting and using personal information.
- Avoid Financial Penalties: Prevent fines and lawsuits due to non-compliance.
Feel free to contact us for advice and to install the necessary tools to manage user consent on your website. Our team is available to discuss this with you at any time.
Note: This article is informative and does not constitute legal advice. Please consult the websites of the Government of Quebec and the Commission d’accès à l’information du Québec to ensure compliance with the law.
References and useful links
- Government of Quebec
- Commission d’accès à l’information du Québec
- The Barreau du Québec publishes a checklist to help comply with Law 25
*Biometric information
Biometric information is sensitive and intimate personal information that uniquely identifies a person. The laws that apply to it include:
- Act respecting access to documents held by public bodies and the protection of personal information
- Act respecting the protection of personal information in the private sector
- Act to establish a legal framework for information technology