On September 22, 2023 Phase 2 of Quebec’s Law 25 became effective, meaning that covered entities would have to prove that they are respecting the following requirements:
- Ensure that consent is valid and obtained in advance of collection. For children under the age of 14 years old, consent has to be obtained from a parent or legal guardian. Data subjects have to be given a way to withdraw consent.
- Have in place internal governance policies and practices for handling and protecting personal information.
- Have in place a means for data subjects to submit complaints.
- Conduct a data privacy impact assessment.
- For organizations collecting personal data through technology that identifies the data subject, locates them or profiles them (e.g. cookies), the data subjects have to be informed of this and of the way to opt in. This means that organizations have to implement cookie consent tools and ensure that any tracking technologies and cookies are set to be off by default.
- Privacy by Design has to be at the foundation of technological products or services offered by organizations conducting business in Quebec.
- Respect the right to be forgotten of data subjects. This means destroying or anonymizing personal information upon request.
- Allow data subjects to opt out of automated decision-making upon request.
- If you transfer the personal data of individuals outside of Quebec you first have to conduct a privacy assessment and inform the individual of the fact that their data will be transferred outside Quebec.
Effective September 22, 2024, businesses will be required to provide data subjects with the right to data portability.
The guide offers the general answer, namely “notice to individuals whose personal information is collected through technological means, such as individuals who visit a website.” This has to be published on a company’s website and disseminated so that it reaches the data subjects affected. Examples include a link to consult before placing an order online; a message displayed the first time you use a mobile application; or a booklet included in the packaging of a connected object, intended to be read before first use.
- The technological means your company uses to collect personal information of data subjects, such as e-mails received by your customer service; an online appointment request form; an application offered to your customers; cookies on your website; video surveillance; a connected object. Also included here are third parties you collaborate with that collect personal information on your behalf, and technologies that allow you to identify, locate or profile data subjects.
- The types of personal information you collect. The examples suggested are grouped into categories such as identifying information (first name, postal address, e-mail address, telephone number), technical or numerical information (IP address, date and time of connection, pages visited, actions taken on a website), biometric information (fingerprints, shape of face, hand or iris of the eye, keystroke pattern, voice print), etc.
- The purposes for which you collected the information, such as opening a file and processing a service request; shipping an ordered product; or handling and resolving a complaint.
- The categories of people who will have access to the personal information of the data subject, such as, for example, the customer service center, the billing department, or individuals responsible for providing products and services to customers.
- The security measures you have in place to ensure the confidentiality and security of the personal information, such as locked physical premises, firewalls, or information security policies you have adopted.
- The data subject rights that are available to the owner of the personal information and the means by which these rights can be exercised.
- Understand the needs of your target audience: relying on internal data as well as public studies and statistics, aim to identify your target audience, their language skills, and their level of knowledge of the topic of data privacy.
- Choose a relevant message: Provide only the information necessary to understand your practices and comply with the law, and remove what your readers won’t need. For the sake of transparency, consider the nature and sensitivity of the information collected and draw their attention to relevant details, e.g. if you collect sensitive personal information.
- Create a clear and visible structure for your policy: Skimming the headings alone should give a good overview of the policy content. You can test several types of titles, such as sentences or questions. Avoid jargon and technical terms. Create clear and easy-to-identify levels of titles and subtitles, and use them consistently across the policy.
- Adopt a clear and precise style: this means you should place the main ideas at the beginning of the paragraph, write short sentences with a simple structure, and you should use common words that your readers know. If a technical term is needed, add an explanation or example.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.