Monthly Archives : March 2024

Law 25 in Quebec: Handling of Personal Information

Quebec’s Law 25 introduces crucial regulations regarding the handling of personal information by businesses. As your website consultant, I want to provide you with some insights and suggestions to ensure your organization is on the right path towards compliance with this important legislation. If you are a Quebec business and have not taken steps towards compliance with Law 25, please read on.

Background on Law 25:

Law 25, also known as An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, aims to enhance privacy protections for individuals in Quebec. It sets out strict requirements for how organizations collect, use, and disclose personal information, with the goal of safeguarding the privacy rights of Quebec residents.

Key Steps for Compliance:

Although there are many steps and stages to being fully compliant, here are the steps I suggest working on immediately.

  1. Designate a Privacy Officer: The first crucial step is to designate a privacy officer within your organization. This individual will be responsible for overseeing compliance with Law 25 and ensuring that your privacy practices align with the legislation.
  2. Update Your Privacy Policy: Review and update your organization’s privacy policy to include the specific requirements outlined in Law 25. This will involve disclosing how personal information is collected, used, and stored, as well as any measures taken to protect this data.
  3. Implement a Cookie Consent Form: If your website or online platforms use cookies, it’s essential to implement a cookie consent form. This form should inform users about the use of cookies and obtain their consent before any data is collected.
  4. Review Data Storage Practices: Assess how personal information is stored within your organization, including any data stored outside of Quebec. This may include cloud services, hosting providers, or third-party platforms like MailChimp, HubSpot, QuickBooks and others. Ensure that you disclose this information in your privacy policy.

Compliance Deadlines:

It’s essential to prioritize compliance with Law 25 as soon as possible. While specific deadlines may vary depending on the nature of your business and the type of personal information you handle, the legislation is already in effect. Failure to comply could result in severe fines.

Examples of Fines for Non-Compliance:

Businesses found violating the legislation may face fines ranging from $15,000 to $100,000 in the case of a natural person. In all other cases, fines can range from $15,000 to $25,000,000 or 4% of worldwide turnover for the previous year, whichever is greater. Fines vary by offence type, from minor to very severe. See details here.

Next Steps:

I understand that navigating compliance with Law 25 can seem daunting. That’s why I’m here to support you through the process. While I am not specialized in privacy law and therefore cannot take responsibility for your compliance, I can provide guidance and assistance to help you take the necessary steps towards compliance.

I estimate approximately $400 of consulting work to assist with updating your privacy policy and implementing a cookie consent form, both in English and French. Additionally, we’ll discuss further steps, such as establishing an incident management plan and governance framework, as needed.

Please let me know if you would like to proceed, and designate a privacy officer within your organization. Together, we can work towards ensuring that your business meets the requirements of Law 25 and prioritizes the protection of personal information.

Thank you for entrusting me with your compliance needs. If you have any questions or concerns, don’t hesitate to reach out.

Jason Campbell

514-266-9229