Law 25: What Does it Mean For My Business?

Digital Marketing / June 27, 2023

It would be too easy if the digital marketing world wasn’t changing CONSTANTLY… right?

If you’re not aware of it already, Québec’s new Law 25, also known as the Act to Modernize Legislative Provisions respecting the Protection of Personal Information, aims to strike a balance between the benefits of data-driven marketing practices and the protection of individuals’ rights to privacy. 

This law empowers individuals with greater control over their personal information, while imposing certain restrictions on businesses engaging in digital marketing. This three-phase legislative roll-out has been under way for almost a year now, and the second phase launches on September 22nd, 2023.

Who does Law 25 apply to?

Law 25 affects all businesses that collect data on residents of Québec, regardless of their location. So, even if your company is in Ontario, but you have Québec visitors in your database, this law will still impact your organization. 

Although specific to Quebec, Law 25 demonstrates the worldwide trend of growing importance and demand for protecting personal information. Whether you are based in the United States or in another Canadian province, you’re going to want to stay up to date on the latest trends in data security.

The way we collect and process data is about to change dramatically.

Why is Law 25 happening?

Several factors prompted the Québec government to adopt such ambitious legislation:

  • Increase in demand for privacy protection.
  • The rapid growth of technologies with no regulatory framework (hello ChatGPT!).
  • Data-use scandals such as Cambridge Analytica.
  • Major leaks of personal information, such as those from Desjardins or Capital One.
  • The pandemic and the adoption of hybrid work, with its attendant issues of remote server access and cybersecurity.

September 2023 is only 3 months away. And we’re here to explain to you what that means exactly for your business:

  1. Data security

Businesses must implement appropriate security measures to protect personal information from unauthorized access, disclosure, or alteration. It’s important to regularly assess and update security protocols.

Users need to be made aware of the policies regarding the security of the data. Here’s what needs to be put in place:

  • In your privacy policy, share the roles and responsibilities for the protection of personal data.
  • Share the policies and processes for the collection, retention, destruction and anonymization of personal data. 
  • Share the potential impact of an incident involving the personal information collected, in order to identify and minimize areas at risk.

  2. Use of Data

Clients have the right to know what personal information is being collected, how it will be used, and who will have access to it. These details need to be available for users to consult.

If personal information is transferred to a third party outside of Quebec, businesses must ensure that the receiving party provides a level of protection comparable to that required by Quebec’s privacy laws.

It’s also necessary that you obtain explicit consent from the user, and that you give them an option to change the consent they already gave.

  3. The Use of Artificial Intelligence

In an age of rapidly advancing technology, it only makes sense to take advantage of AI to improve the processes of your website. However, in the same way you need to be transparent about the use of user data, you will also need to be transparent about which decisions are made through a specific algorithm. This means the user needs to be made aware of:

  • The decisions resulting from an AI, and the factors that led to the decision.
  • Which personal information is used for this decision. 

It’s also required that the user have the option to rectify the personal information that led to the decision.

Are there penalties for businesses that don’t respect Law 25?

There sure are. The penalties can reach up to $10 million or 2% of the company’s worldwide sales.

We understand this is a lot of information and it could be concerning for some of you, but what’s most important to understand is that Law 25 represents a significant milestone in protecting individuals’ privacy rights in the digital age. While it poses challenges for digital marketers, it also encourages a more responsible and ethical approach to data collection, processing, and marketing practices. By embracing these changes and prioritizing user consent and data protection, businesses can build trust with their customers, foster long-term relationships, and navigate the evolving landscape of digital marketing successfully.

It’s important to note that this summary is intended to provide a simplified overview of Law 25. For comprehensive legal advice and guidance, consult with legal professionals specializing in privacy and data protection in Quebec.

How Can We Help?

At Bloom, our Analytics team is driven by new challenges and the launch of Law 25 is no exception. Our experts are here to help navigate these changes smoothly. Here’s how:

  • Audit your website (compatibility, complexity) for a custom consent management solution, or double-check yours if you already have one.
  • Create the consent pop-ups and optimize the UX/UI
  • Install a Consent Management Platform and customize it
  • Configure your Google Tag Manager consent checks with the data layer
  • And anything you may need assistance with!

Let’s make it bloom. Contact us.


ABOUT THE AUTHOR

Marie-Joelle works at Bloom, a digital marketing agency, as the Director of Marketing. She's passionate about digital marketing tactics (from social media to web design) for B2B businesses looking to grow online.
