The most significant elements of the Law 25 amendments to Québec's privacy regime take effect on September 22, 2023. While there are a number of new or enhanced requirements in the law that may seem overwhelming or too expensive to implement, it is not too late to take proportional, risk-based steps toward compliance. Organizations can mitigate customer, employee and regulatory risk by starting with a few simple steps, even where full compliance is not achievable by the date the law comes into effect.

What you need to know

While the work needed to comply with new Québec privacy requirements is significant for many organizations, some initial steps can help mitigate risk while organizing a broader compliance project. Organizations that fear they are behind as the deadline to comply approaches can start with these few basic actions:

  • Fill key gaps in the external privacy policy and post it online
  • Adjust the cookies setting on the website
  • Get separate consent to the privacy policy
  • Document what you already to do protect privacy
  • Designate someone in charge of privacy

First steps towards Québec privacy compliance

As we have canvassed in previous articles1, Québec's Law 25 (formerly Bill 64), makes significant amendments to both the private sector and public sector privacy laws in that province. Many organizations—especially startups or foreign companies with some business in Québec—may be left with the impression that compliance with these requirements will be too expensive, resource-intensive, or time-consuming to achieve by the date they come into force. Rather than deferring all efforts to align with this new regime, committing a little effort to some simple first steps can help smooth the transition and mitigate risk.

1.Fill key gaps in the external privacy policy

  • If you don't already have a privacy policy on your website, focus on this step. Even if the policy will be updated in time to include more detail or be easier to read, post a basic policy that tells the public:
    • what types of personal information you collect, and how you use it
    • the affiliates, service providers and other third parties you share personal information with
    • whether personal information is sent across provincial or national borders
    • how to contact you with questions, or complaints or to opt out of uses of personal information
  • Ideally, the policy should also describe the internal tools your business uses to protect data, destroy it when no longer required and handle breaches or complaints, as well as any automated decisions made entirely by technology. But don't delay posting a basic policy if this information isn't ready.

2.Adjust cookies setting on the website

  • Find out if your website uses cookies, pixels or other technologies that can identify, locate or profile a visitor, especially for targeted advertising. These "profiling tools" need to be treated differently from other cookies, like necessary cookies used for website performance.
  • If you aren't using a cookies banner to get opt-in consent to profiling tools, ask your website developer how to implement one. Set a timeline to implement this step, even if it can't be done by September 2023.

3.Get separate consent to the privacy policy

  • Make a list of the different places you ask for consent to your privacy policy—for example, when website visitors set up an online profile, when customers purchase a product, or when candidates apply for a job.
  • Check whether the action to get consent to the privacy policy, such as a checkbox on an online form, is bundled with another type of consent, such as the terms of use of the product or platform. Work with your web developer to add a separate checkbox and make sure visitors can view the privacy policy before checking it, or update paper forms to separate these actions.

4.Document what you already do to protect privacy

  • Even if you need time to develop a suite of internal policies on IT security, data destruction, privacy breach response or handling privacy complaints, you probably have employees who can address these issues on demand. Start by writing down who is responsible for these issues in your organization, and what they do to protect the data you handle or respond to requests.
  • In time, you will want to formalize policies and review them regularly. But in the short term, less formal descriptions of your current practices may help identify gaps, apply for privacy or cybersecurity insurance, and respond to customer, employee or regulator requests for information on your privacy management program.
  • In the same vein, make a list of the service providers and other third parties with whom you share personal information. Document whether there is a contract in place that requires them to protect this data, notify you of breaches and where they store the data. This is the foundation to build a practice of performing privacy impact assessments when you are onboarding new vendors, transferring data outside Québec, or changing your information systems.

5.Designate someone in charge of privacy

  • Your organization may not have a full-time privacy officer. But one person should have internal responsibility for privacy compliance, even where multiple employees are involved in the steps described above.
  • Write down who is responsible for privacy compliance. List their responsibilities and the other employees and advisors they rely on. Then make a plan to get that employee training or external support to help them serve that role effectively, within the context of your organization, industry and budget.

Next steps to advance your privacy program

While there are efficient, achievable first steps towards compliance with the new Québec privacy regime that can reduce pressure in the short term, there must be a longer-term plan to address the additional requirements. Get legal advice on the additional gaps in your privacy program and engage with other stakeholders, such as business and IT leads, your insurer or your board to make a plan to address them that considers your organization's data uses, resources and risk profile.

Footnote

1 https://www.torys.com/en/our-latest-thinking/publications/2021/10/bill-64s-adoption-confirms-overhaul-of-quebec-private-sector-privacy-law; https://www.torys.com/en/our-latest-thinking/publications/2022/04/automated-decision-making

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.