Understand Law 25 and implement it.

Everything about law 25

The majority of changes made to “Law 25,” introduced initially in September 2022, took effect on September 22, 2023. What should you remember and be aware of? It’s tough to delve into every detail of such a vast law, but we’ve simplified and condensed the critical information in this article to make it as accessible as possible.

Discover our brand-new, essential guide to compliance with Bill 25, totally FREE! With this guide, you’ll have all the keys you need to understand the essentials of this law.

Law 25: Definition and review of measures already in place

Law 25, also known as the “Act to Modernize Legislative Provisions Respecting the Protection of Personal Information” is a Québecois law aimed at enhancing the protection of citizens’ personal data. It draws inspiration from the European Union’s General Data Protection Regulation (GDPR) and has significant implications for how companies should manage and protect their customers’, employees’, and partners’ personal data. It might be a lot to take in, but it’s a move in the right direction for privacy!

The law came into effect last year with the following measures, which should already be implemented in your company:

  • Appointment of a personal information protection officer (PIPO).
  • Maintenance of a confidentiality incident register.
  • Compliance with rules for the disclosure of personal data without consent.

More changes have come into effect this year (detailed below), and FYI: a final update to this law is expected in 2024, so stay tuned!


Who is affected by Law 25?

Short answer: everyone.

Longer answer: As soon as you possess personal data, you’re affected by Law 25.

Personal data can be (and we’ll keep this very brief, otherwise this paragraph will be interminable): a surname, a first name, an identifier, a customer number, a cell phone number, a landline phone number, biometric data (i.e. elements concerning a person’s physical identity), but also elements concerning physiological, genetic, psychological, economic or cultural identity. We catch our breath. It can also be a social insurance number, an ID card number, a passport number, an address, a magazine subscription or an association membership. It could also be age, location, shopping behavior, gender, tastes… and we’ll stop there.

In short, everything is personal data.

As soon as you collect or process someone’s personal data, whether an individual or a company, you fall under Law 25 and risk penalties for non-compliance.


Updates to Law 25 in 2023: 4 key points

We know legal jargon can be hard to understand, so we’ve highlighted the four measures that came into effect last September, which seem most crucial to remember:

1 — Establishing rules and practices

Implement rules and practices as guidelines on how to store and delete personal information, the procedures to follow, and the process for handling complaints about data protection.

2 — New transparency obligations

Create a public privacy policy detailing how you use sensitive data, which should be accessible and easily understandable.

3 — The concept of consent

You must obtain clear and informed consent from individuals before recording their personal data.

4 — Measures for confidentiality breaches

Sometimes there are errors in the processes put in place, and because data leaks and hackers do exist (!), you need to establish a procedure for dealing with the situation when the practices put in place are breached and the “promises” of secure data preservation are broken.

For a comprehensive list of measures, visit the Quebec Access to Information Commission’s website.


How does this impact you directly?

With your service providers / employees / systems

As a service provider, we access some of your databases to do our job, which might include your clients’ or employees’ sensitive data. We recommend revoking access for any former employee or provider once your professional relationship ends.

Recommendations

  • Use password managers that facilitate granting, revoking, and managing passwords (which, by the way, boosts security).
  • Ensure each person gets specific access rather than sharing one account or using yours.
  • List who has access to what, whether people or systems. Check relevance, clean up, and ensure this is reflected in your privacy policy.

With your clients and potential clients

You’ll also need to implement various measures on your website to comply with Law 25. A visitor to your website leaves traces behind, in analytics services or in cookies 🍪. For instance, by setting up a “cookie bar,” you inform every visitor of their rights regarding their personal data, and they can knowingly accept or decline being tracked on your site.
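The part of a cookie bar that actually matters for Law 25 is that no analytics or marketing tag fires until the visitor has opted in. The following is an added example (not Alexem Studio’s or CookieYes’s code) of such a consent gate: tags are registered per category, declined by default, run only after an explicit choice is recorded with a timestamp, and an unreadable consent record counts as no consent. The in-memory storage is a hypothetical stand-in for `document.cookie` or `localStorage` so it runs outside a browser.

```javascript
// Consent gate for third-party tags (constructed example): a category's tags run only after explicit opt-in.
const CATEGORIES = ["necessary", "analytics", "marketing"];
function createConsentGate(storage, now = () => Date.now()) {
  const pending = { analytics: [], marketing: [] }; // loaders waiting for consent
  const loaded = [];                                 // categories whose tags have run
  function current() {
    const raw = storage.get("consent");
    if (!raw) return null;
    try { return JSON.parse(raw); } catch { return null; } // corrupt record counts as no consent
  }
  function allowed(category) {
    if (category === "necessary") return true; // strictly required cookies need no consent
    const rec = current();
    return Boolean(rec && rec.choices && rec.choices[category] === true);
  }
  function register(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (allowed(category)) { loader(); loaded.push(category); }
    else pending[category].push(loader); // never runs unless the visitor opts in
  }
  function record(choices) {
    // Decline is the default: only an explicit true counts, and "necessary" cannot be refused.
    const clean = { necessary: true, analytics: choices.analytics === true, marketing: choices.marketing === true };
    const rec = { version: 1, timestamp: now(), choices: clean }; // keep proof of when consent was given
    storage.set("consent", JSON.stringify(rec));
    for (const cat of ["analytics", "marketing"]) {
      if (!clean[cat]) continue;
      pending[cat].forEach((fn) => { fn(); loaded.push(cat); });
      pending[cat] = [];
    }
    return rec;
  }
  function withdraw() { storage.remove("consent"); } // loaded tags can't be unloaded: reload the page afterwards
  return { allowed, register, record, withdraw, loadedTags: () => loaded.slice() };
}
// In-memory stand-in for document.cookie / localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v), remove: (k) => m.delete(k) };
}
function demo() {
  const gate = createConsentGate(memoryStorage(), () => 1695340800000); // fixed clock for the example
  const ran = [];
  gate.register("analytics", () => ran.push("analytics-tag"));
  gate.register("marketing", () => ran.push("ad-pixel"));
  const beforeConsent = ran.length;          // 0: nothing fires before a choice is made
  gate.record({ analytics: true });          // visitor accepts analytics, declines marketing
  return { beforeConsent, ran: ran.slice(), marketingAllowed: gate.allowed("marketing") };
}
```

In a real page the loaders would inject the analytics or pixel `<script>` tags, and the consent record would be written to a first-party cookie so the choice survives navigation.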


The official to-do list

If you’ve read this far, kudos to you! 👏🏻

At Alexem Studio, we’re here to help your business comply. We can guide you in implementing practical measures concerning your website for Law 25 and perhaps even beyond (just ask!).

What YOU need to do

  1. Decide who will be the in-house personal data manager.
  2. List all technologies and software used that contain client and prospect information, so you’re prepared to draft your privacy policy.
  3. Draft a preliminary version of your privacy policy.
  4. Draft a preliminary cookie management policy.
  5. Write consent collection statements for your various forms (newsletter, contact, quote request, others?)
  6. Send all this info to Alexem Studio so we can do our thing 😏.

What WE can do for you

  1. Set up and configure an extension that manages consent: consent banner, warning, cookie policy, privacy policy (we will use CookieYes in the free version).
  2. Add a consent box to all forms.
  3. Review and add a privacy policy page.
  4. Review your cookie management policy and supplement it to include the cookies detected/used on your site.
  5. Add a data deletion request form (at the end of your privacy policy is the location we suggest).
    • Warning! Upon receipt of a deletion request, you must delete the information from all your systems, hence the need for your exhaustive list of systems. We can assist you, but we cannot intervene in systems we do not know about or do not have access to.
  6. Clearly display who is responsible for data management.
  7. Incorporate these new links and information into the footer of your site.

Fixed Rate

$500 +tx for unilingual site – buy it here
$800 +tx for bilingual site – buy it here

Conclusion

Implementing this law is the perfect opportunity to thoroughly clean up the data you have collected over time and delete it.

Please note that we do not intervene on legal aspects or the internal organization of companies.
