What Should You Know About Quebec’s New Privacy Law?

While everyone is focused on the Chinese Personal Information Protection Law that was passed on August 20 and went into effect on November 1, 2021, Quebec quietly passed Bill 64, (C-11) “An Act to modernize legislative provisions as regards the protection of personal information.” Now known as Quebec Law 25.

It received assent on September 22, 2021, with a majority of its provisions coming into force over the next two years. Major provisions of Quebec’s Law 25 entered into force on September 22, 2023.

Primary Obligations for Businesses Under Quebec Law 25

Quebec Law 25 (previously Bill 64) modernizes the framework applicable to the protection of Personal Information (PI) in various Acts.

    • Under the bill, public bodies and organizations must publish governance rules regarding PI, and those that collect PI through technological means must publish and disseminate a confidentiality policy. 
    • In addition, the bill introduces in those Acts a requirement to assess the privacy-related factors in certain circumstances, including any information system project or electronic service delivery project involving the collection, use, release, keeping, or destruction of personal information.
    • The bill clarifies various requirements relating to the consent required before personal information is collected, used, or released.

What does this mean for your cookie banners?

Cookie Banners may be construed as “adhesion contracts” under that law, bringing them within the scope of the new French language requirements on June 1, 2023, of Bill 25. 

    • French should be the primary language displayed on the banner. 
    • If a second language other than French is used, it must not be displayed in a way that would minimize or disrupt the user’s ability to read the French language. (e.g., displaying the second language bigger than the French language or presenting the French language in a way that cannot be read easily).
    • Translation should be ‘identical in meaning’. In some cases, a word-for-word translation will not result in a translation in meaning.

Fast-track compliance with Law 25 with TrustArc

cookie consent manager location settingsWith geo-IP address look-up, TrustArc Cookie Consent Manager users can enjoy Quebec language law support. Customers can enable French Canadian for residents located in Quebec to comply with French language law. When users select Quebec under Canada in their Location Setting, they can enable the Set Consent Language checkbox. 

This setting forces users visiting from the locations specified in the consent manager to always see the set language. 

    • The language must first be added in language settings. 
    • Then, users can select French or any language from the dropdown list. quebec-law-25-consent-language

If a language that has been selected in the Set Consent Language setting is removed, then users encounter a warning prompt that the Language is being used in a consent design and it will be removed from there as well.

Risks of Non-compliance

The Quebec privacy regulator, Commission d’accès à l’information (CAI) can impose on businesses:

    • Fines for administrative violations are up to 2% of annual turnover or C$10 million.
    • Fines for penal violations (those with a criminal element), individuals may be fined up to C$ 100,000, and organizations may face fines of either 4% of annual turnover or C$25 million.

Additional Steps to Ensure Law 25 Compliance

Review necessary actions to fast-track your readiness:

    • Appoint a privacy officer
    • Data Inventory & Breach Reporting 
    • Data Subject Request Management

Quebec Law 25 Expert Commentary

Joining Paul Breitbarth and K Royal in this Serious Privacy podcast episode are two experts in Canadian privacy law, Jennifer Stoddart and Constantine Karbaliotis. Jennifer was the Privacy Commissioner of Canada from 2003 to 2013 and previously served as the Chair of the Commission d’accès à l’information du Québec from 2000 to 2003. She has also held positions on the Human Rights Commissions of Canada and Québec.

Constantine is likewise no slacker in privacy law, having nearly 20 years of experience in the private and public sectors, helping companies comply with complex privacy laws from the US, Canada, and the EU.

Join us as we discuss the ins and outs of the new Quebec law, the complications you might see, and the necessary steps you need to take to be compliant. In the conversation, we will discuss some nuances of integrating privacy programs and how GDPR impacts Canadian activities.

This week’s episode can be streamed below.

Talk to an expert today to see how TrustArc solutions and Managed Services can help you achieve compliance with Quebec Law 25.