Navigating Quebec Law 25 on Your Website can be difficult – especially regarding installing the cookie consent widget.
Don’t have the time to read this article ? Contact our specialist to get started.
Introduction to Law 25
Quebec’s Law 25, a legislation governing the protection of personal data, has reshaped the digital landscape for organizations, bringing stringent requirements for businesses. Since September 22, 2023, the consequences of non-compliance have been substantial, with fines ranging from $15,000 to 4% of the previous fiscal year’s global revenue, or up to 25 million dollars. As we approach new requirements set to take effect on September 22, 2024, the urgency for your business to comply is critical.
Affected Entities
This law extends its regulatory reach to any company collecting information about Quebec residents, including those based outside the province. Whether your business is in Quebec, Ontario, or beyond, if it collects data from Quebec residents, Law 25 applies. Concurrently, Canada is on the verge of overhauling its privacy laws with Bill C-27, promising broader consumer protection, and other provinces are considering similar updates.
What you should do on your website for Quebec’s Law 25?
Let’s delve into actionable steps for ensuring compliance with Quebec’s Law 25 on your website. Looking for a more technical tutorial?
Download our free Klaro cookie widget install guide
1. Digital Consent
- Activation of a Cookie Consent Widget:
- Ensure a clear and granular cookie consent widget is activated on your website, allowing users to make informed choices about data collection. Make sure users can modify their choice. Also make sure it is personalized to your brand and website’s languages.
- Adaptation of Basic Scripts:
- Modify basic scripts to align with data collection mechanisms, ensuring compliance with the requirements of Law 25. These include Google Analytics, Google Tag Manager, advertising platforms, website, newsletter tool, etc.
- Update Subscription Forms:
- Revise subscription forms to explicitly state the purpose of data collection and inform users of their right to modify or revoke consent.
Get your cookie widget install guide
2. Documentation
- Privacy Policy Update:
- Keep your privacy policy up-to-date, reflecting changes mandated by Law 25. Clearly outline data collection practices and privacy safeguards.
- Framework for Governance:
- Establish a robust framework governing the handling of personal information, emphasizing transparency and user rights.
Discover our Law 25 Compliance Solution
3. Internal Structure
- Appointment of a Data Protection Officer (DPO):
- Designate a Data Protection Officer to oversee compliance efforts, typically assigned to a high-ranking director.
- Data Rights:
- Educate your team and users about data rights, including the right to erasure, access and correction of personal information, protection against automated decision-making, and data portability.
- Privacy Impact Assessment (PIA):
- Conduct Privacy Impact Assessments (PIAs) to identify and mitigate potential privacy risks associated with your data processing activities.
By implementing these measures on your website, it will be a first step towards compliance. There are still elements that you can learn about on our Digital Compliance Service Offering by clicking here.