Bill 25: what exactly are we talking about?
The Quebec government adopted Law 25, also known as the Act to modernize legislative provisions as regards the protection of personal information, in 2021. Its provisions have since come into force in stages, with the last of them taking effect in September 2024.
This reform obliges companies and public bodies to review the way they manage personal data. It strengthens citizens' rights and, above all, imposes a clear framework on organizations, in a digital context where collecting and exploiting personal information has become commonplace.
Today, any organization that collects, stores or uses personal data must be able to show that its practices comply with Law 25. This applies equally to large companies, SMEs, NPOs, self-employed workers and online stores.

Appoint a Privacy Officer
Law 25 obliges you, as a company, to designate a person responsible for the protection of personal information. In other words, whatever the size of your organization, you must name someone to ensure that your privacy practices comply with the law. By default, this responsibility falls on the person with the highest authority in the organization, who may delegate it in writing.
You can entrust this role to the manager, an employee or an external consultant. Once designated, you must clearly display their name, title and contact details on your website. Ideally, this information should appear in your privacy policy or on your contact page.
This officer answers questions from the public, supervises data management and makes sure your company complies with Bill 25 at every stage: collection, use, retention and disclosure of personal information.
The Privacy Officer's responsibilities
The Privacy Officer ensures that the rules are applied in practice at each stage:
- Collection of personal information
- Use
- Retention
- Disclosure
In this way, they make sure the company meets its obligations at every stage of the processing of personal information.
They also respond to requests from the public, particularly those relating to access, rectification or withdrawal of consent.
If you run a small business, you can train yourself to take on this role. The Commission d'accès à l'information (CAI) provides a policy template and many other useful resources to guide you through the compliance process.
Managing confidentiality incidents under Bill 25
Law 25 obliges you to take every confidentiality incident seriously. As soon as personal information is accessed, used or communicated without authorization, or lost, you must act, even if the cause is a mistake.
A simple error, such as sending an e-mail containing sensitive information to the wrong person, is enough. Cyber-attacks, data leaks and unauthorized access to your systems also count as confidentiality incidents.
Treat each incident as an alert: analyze the situation, take the necessary measures and document the event. By reacting swiftly, you protect the people involved and demonstrate your compliance with Bill 25.
Declaration, register and mandatory notification
As soon as a confidentiality incident occurs, the company must react immediately. It must record the incident in an internal register, which is an essential accountability tool. This register explains what happened, gives the date, identifies the personal information affected and describes the corrective measures applied. On request, the company must provide this register to the Commission d'accès à l'information du Québec (CAI), for example during an investigation.
If the incident presents a risk of serious injury, such as identity theft, damage to reputation or financial loss, the company must also promptly notify the CAI and the people affected. This allows the affected individuals to quickly take steps to protect themselves.
To assess the level of risk and decide how to react, the CAI provides a practical guide to confidentiality incidents. This document is particularly useful for SMEs that do not have an in-house legal department.
Implement a compliant privacy policy
Law 25 obliges you to publish a clear, up-to-date and easy-to-read privacy policy, in particular on your website.
In this policy, explain clearly:
What personal information you collect;
Why you collect it;
How you store and protect it;
How long you keep it;
And how each person can exercise their rights (access, rectification, withdrawal of consent).
Don't just copy a generic template. Adapt your policy to your actual practices. If you use tools such as Google Analytics, a CRM or online forms, mention them. Your visitors need to know where they stand.
To learn how to write a compliant policy, see this complete article on Bill 25. It guides you step by step and helps you include all the essential elements.
The right to data portability
Bill 25 introduces the right to portability. This right allows each individual to request a copy of the personal information collected about them, in a structured and commonly used technological format.
Your company must therefore be able to extract this data and transmit it in a standard format such as CSV, JSON or XML. This includes the person's name, purchases, preferences and any other information collected from them.
What's more, where technically feasible, the person can also ask you to transfer their data directly to another organization. In other words, this right makes it easier to change suppliers and gives individuals real control over their personal data.
However, this right applies only to information collected from the person themselves. You are not obliged to hand over data inferred or generated by your own internal systems: behavioural analyses and risk scores, for example, are not covered. To honour a request correctly, you therefore need to be able to tell which fields in a record came from the person and which were produced by your systems.
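The export described above, as an added example that is not part of the original article: a small Python script that tags each stored attribute with its provenance, hands back only what was collected from the person in JSON and CSV, and refuses to guess when a field's provenance is unknown. The customer record, the `source` tags and all field names are constructed assumptions for the illustration.

```python
"""Data-portability export for one customer record.

Added example, not code from the original article. The record layout, the
per-attribute 'source' tag and the field names are constructed assumptions.
"""
import csv
import io
import json

# Constructed sample: what a small online store might hold about one customer.
# Each attribute carries a 'source' tag recording where it came from. That tag,
# not the attribute name, decides whether the value is portable.
SAMPLE_RECORD = {
    "customer_id": 10482,
    "attributes": {
        "name": {"value": "Marie Tremblay", "source": "collected"},
        "email": {"value": "marie@example.com", "source": "collected"},
        "newsletter_opt_in": {"value": True, "source": "collected"},
        "purchases": {
            "value": [{"sku": "A-100", "date": "2024-03-02", "total": 49.99}],
            "source": "collected",
        },
        # Produced by internal analytics, never provided by the person: excluded.
        "churn_risk_score": {"value": 0.82, "source": "inferred"},
        "segment": {"value": "high-value", "source": "inferred"},
    },
}

PORTABLE_SOURCES = {"collected"}
NON_PORTABLE_SOURCES = {"inferred", "derived", "generated"}


def portable_attributes(record):
    """Return only the attributes collected from the person.

    Fails closed: an attribute with an unknown or missing 'source' tag raises
    instead of being silently included or dropped, so a provenance gap in the
    data model is surfaced rather than guessed at.
    """
    out = {}
    for name, attr in record["attributes"].items():
        source = attr.get("source")
        if source in PORTABLE_SOURCES:
            out[name] = attr["value"]
        elif source in NON_PORTABLE_SOURCES:
            continue
        else:
            raise ValueError(f"attribute {name!r} has unknown provenance {source!r}")
    return out


def export_json(record, exported_on):
    """Structured, commonly used format: a JSON document with sorted keys."""
    payload = {
        "customer_id": record["customer_id"],
        "exported_on": exported_on,  # ISO-8601 date supplied by the caller
        "data": portable_attributes(record),
    }
    return json.dumps(payload, ensure_ascii=False, indent=2, sort_keys=True)


def export_csv(record):
    """Flat CSV, one row per attribute; nested values are JSON-encoded in the cell."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["attribute", "value"])
    for name, value in sorted(portable_attributes(record).items()):
        cell = value if isinstance(value, (str, int, float)) else json.dumps(value, ensure_ascii=False)
        writer.writerow([name, cell])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_json(SAMPLE_RECORD, "2024-09-22"))
    print(export_csv(SAMPLE_RECORD))
```

The design point is the provenance tag: if your CRM or database does not record where each field came from, you cannot separate collected data from inferred data at export time, and an export that silently includes risk scores (or silently drops purchases) is a compliance error either way. Recording provenance at write time is what makes a correct portability response possible.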
Make your employees aware of Bill 25
Compliance isn't just about your tools or your privacy policy. It's also about people. Your employees are often the first to handle personal data: receiving e-mail, managing a CRM, collecting customer information...
That's why it's essential to train your team. Make sure everyone understands what personal information is, what they can and can't do with it, and how to react in the event of an incident. Even a small human error can result in non-compliance with Bill 25.
What's more, you can build reminders into your internal processes, such as a simple procedure to follow in case of doubt. By creating a culture of confidentiality, you strengthen your compliance and reduce the risk of errors.
The importance of a compliance audit
To be compliant, you need to know where you are. That's where the audit comes in. A compliance audit gives you a clear picture of your current personal data practices.
This is a diagnostic that reviews your website, forms, software, contracts and internal processes. This assessment lets you identify gaps and correct them, and it is also an excellent way of demonstrating your good faith in the event of an investigation by the CAI.
The audit can be carried out in-house if you have the resources, or entrusted to an external expert for greater objectivity. Either way, it is a valuable tool for moving from theory to action.
What are the penalties for non-compliance with Bill 25?
Law 25 provides for severe penalties for companies that fail to meet their obligations. Unlike earlier legislation, where the consequences were limited, Bill 25 marks a real change: it gives the Commission d'accès à l'information (CAI) greater powers to impose administrative monetary penalties and penal sanctions.
Financial fines and legal risks
If you do not comply with Law 25, you expose yourself to significant penalties. The CAI can impose administrative monetary penalties of up to 10 million dollars or 2% of your worldwide turnover for the previous fiscal year, whichever is higher. These penalties target administrative breaches, such as a lack of transparency or the absence of valid consent.
If you obstruct the CAI's work or handle personal data carelessly, the consequences are more severe still: in these more serious cases, penal fines can reach 25 million dollars or 4% of worldwide turnover for the previous fiscal year, again whichever is higher.
These amounts are comparable to those of the GDPR in Europe, which shows how seriously the Quebec government takes privacy. Law 25 makes no distinction between large companies and SMEs: everyone is affected, and rigour is now the norm.
SMEs are also concerned
Don't think that Bill 25 is aimed only at large companies. In reality, the CAI regularly reminds us that SMEs, self-employed workers and community organizations must also comply. In other words, regardless of the size of your company, you must apply the same principles of transparency, security and responsibility when managing personal information.
The impact on reputation
Beyond the fines, poor confidentiality management can have disastrous effects on a company's reputation. A data leak, especially if undeclared or poorly managed, can lead to:
A loss of customer confidence;
Negative media coverage;
Lower sales;
And potential disputes.
In short, prevention is better than cure. A proactive company, with clear compliance mechanisms in place, inspires confidence - and avoids having to react in a hurry.
How can you ensure your company's compliance with Bill 25?
The best way to protect yourself is to act now. Here are the recommended first steps:
Take stock of the personal data you collect
Designate your personal information protection officer (PIPO)
Update or write your privacy policy
Implement a confidentiality incident log
Evaluate your digital tools and collection practices
Finally, make sure that your Web forms, newsletters and CRM systems comply with Bill 25.
You can consult the official compliance guide for companies published by the CAI, which provides a clear roadmap.
Alternatively, if you lack the time or expertise, you can call on the services of a specialist agency or consultant in cybersecurity and digital compliance.
Conclusion: better safe than sorry
In conclusion, Bill 25 is profoundly transforming the way Quebec companies manage personal data. It is no longer enough to update your privacy policy; you need to adopt a comprehensive culture of responsible personal information management.
By complying with Law 25, you respect the law, protect your customers, strengthen their trust and avoid avoidable costs. This is not just an administrative obligation; it is a strategic investment in your company's credibility and sustainability.