Quebec DPA Publishes Guideline on How to Write a Simple and Clear Privacy Policy

On December 18th, 2023, the Commission d'accès à l'information du Québec (CAI), the Data Protection Authority of Quebec, published a new guideline to help companies establish a clear and effective Privacy Policy to comply with Law 25, formerly known as Bill 64. Quebec’s privacy law is now effective two-thirds of the way, so this guideline, the first of a series of such guidelines the Canadian DPA intends to publish, comes to facilitate companies’ understanding of and compliance with the new requirements and obligations they have to protect the personal information of data subjects.

On September 22, 2023 Phase 2 of Quebec’s Law 25 became effective, meaning that covered entities would have to prove that they are respecting the following requirements:

• Ensure that consent is valid and obtained in advance of collection. For children under the age of 14 years old, consent has to be obtained from a parent or legal guardian. Data subjects have to be given a way to withdraw consent. 
• Have in place internal governance policies and practices for handling and protecting personal information.
• Display a Privacy Policy.
• Have in place a means for data subjects to submit complaints. 
• Conduct a data privacy impact assessment. 
• For organizations collecting personal data through technology that identifies the data subject, locates them or profiles them (i.e. cookies), the data subjects have to be informed of this and of the way to opt-in. This means that organizations have to implement cookie consent tools and ensure that any tracking technologies and cookies are set to be off by default. 
• Privacy by Design has to be at the foundation of technological products or services offered by organizations conducting business in Quebec. 
• Respect the right to be forgotten of data subjects. This means destroying or anonymizing personal information upon request. 
• Opt out of automated decision data subjects upon request.
• If you transfer the personal data of individuals outside of Quebec you first have to conduct a privacy assessment and inform the individual of the fact that their data will be transferred outside Quebec.

Effective September 22, 2024, businesses will be required to provide data subjects with the right to data portability. 

To help businesses with the obligation to display a Privacy Policy, the guide published now on the CAI’s official website aims to answer the following questions while also offering examples intended to help make it easier to understand:

What is a privacy policy?

The guide offers the general answer, namely “notice to individuals whose personal information is collected through technological means, such as individuals who visit a website.” This has to be published on a company’s website and disseminated so that it reaches the data subjects affected. Examples include a link to consult before placing an order online; a message displayed the first time you use a mobile application; or a booklet included in the packaging of a connected object, intended to be read before first use.

What is NOT a privacy policy?

What should a Privacy Policy contain?

• The technological means your company uses to collect personal information of data subjects, such as e-mails received by your customer service; an online appointment request form; an application offered to your customers; cookies on your website; video surveillance; a connected object. Here are also included third parties you collaborate with and which collect personal information on your behalf, or technologies that allow you identify, locate or profile data subjects.
• The types of personal information you collect. The examples suggested are grouped into categories such as identifying information (first name, postal address, e-mail address, telephone number), technical or numerical information (IP address, date and time of connection, pages visited, actions taken on a website), biometric information (fingerprints, shape of face, hand or iris of the eye, keystroke pattern, voice print), etc.
• The purposes for which you collected the information, such as opening a file and processing a service request; shipping an ordered product; or handling and resolving a complaint. 
• The categories of people who will have access to the personal information of the data subject, such as, for example, the customer service center, the billing department, or individuals responsible for providing products and services to customers.
• The security measures you have in place to ensure the confidentiality and security of the personal information, such as locked physical premises, firewalls, or information security policies you have adopted. 
• The data subject rights that are available to the owner of the personal information and the means by which these rights can be exercised.

How to write a Privacy Policy in simple and clear terms?

The guidelines offer a series of tips that companies can use in order to write a clear and simple Privacy Policy, as follows: 

1. Understand the needs of your target audience: relying on internal data as well as public studies and statistics, aim to identify your target audience, their language skills, and their level of knowledge of the topic of data privacy. 
2. Choose a relevant message: Provide only the information necessary to understand your practices and comply with the law and remove what your readers won’t need. For the sake of transparency, consider the nature and sensitivity of the information collected and draw their attention to relevant details, i.e. if you collect sensitive personal information. 
3. Create a clear and visible structure of your policy: Hovering over the headings should provide a good overview of the policy content. You can test several types of titles, such as sentences or questions. Avoid jargon and technical terms. Create clear and easy-to-identify levels of titles and subtitles. Use them across the policy consistently.
4. Be consistent with your tone of voice in the policy: a Privacy Policy is part of your company’s communications and as such should be consistent with the overall tone of your organization. However, the tone of voice should invite the reading of your policy so using the second person “you” or the first person “we” will help create a sense of trust and closeness between your organization and the data subject. 
5. Adopt a clear and precise style: this means you should place the main ideas at the beginning of the paragraph, write short sentences with a simple structure, and you should use common words that your readers know. If a technical term is needed, add an explanation or example.
6. Optimize the layout of your Privacy Policy: Choose an easy-to-read font and a fairly large size, make sure to write short sections and paragraphs and add subtitles to longer sections and shorten lines for easier reading, and use visuals as needed, i.e. explanatory diagrams.
7. Test and adjust your Privacy Policy, as needed, and keep it up to date by reviewing it regularly. For example, you will need to adapt it if your business changes and you collect new personal information. After a review, test your Privacy Policy again. 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

• All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
• Seamless integration into your website;
• Adaptability to your users’ location and applicable regulation;
• Customizable branding;
• ReadyCompliance™: Covering 30+ data privacy regulations;
• Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.