In June 2020, Quebec introduced Law 25 to update and strengthen the province's privacy laws for both private and public sectors. Officially titled “An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information,” Law 25 establishes more rigorous privacy requirements for businesses operating in Quebec.

While compliance with privacy laws can seem daunting, we are of the view that they represent an opportunity to build trust with customers. Below we outline some tips to consider if you are subject to Law 25.

#1: Law 25 is being rolled out in phases over the course of three years

Key provisions come into force over a three-year period. Know which provisions come into effect over the three key stages—22 September 2022, 22 September 2023, and 22 September 2024 —and plan your compliance priorities accordingly.

#2: Key provisions of Law 25

Below we outline some key requirements that you should consider in your privacy program:

• The "person in highest authority" in an organization is responsible for internal compliance, although they may delegate this responsibility

• Breach reporting provisions require organizations to notify the Quebec data protection authority of any data breaches

• Mandatory notification to individuals is required when a data breach poses "a risk of serious injury"

• Ensure you have an incident management plan and procedures to follow, and document all incidents

• Privacy impact assessments are required in certain circumstances, such as when implementing new technologies or processing sensitive data

• Privacy notices must address transparency requirements, including information about automated decision-making processes

• Ensure you have a complaint handling system

• Inform individuals if their data will be transferred outside of Quebec

• Ensure you use plain and accessible language when obtaining consent, particularly when interacting with minors

• Individuals have rights over their data include a right to data portability and de-indexation rights.

#3: There will be penalties for noncompliance

Law 25 introduces significant penalties for organizations that fail to comply with its provisions. Administrative penalties of up to CAD $10 million or 2% of global turnover (whichever is higher.) Additionally, penal fines of up to CAD $25 million or 4% of global turnover (whichever is higher) can be levied. The Commission d'accès à l'information also has expanded powers.

#4: Braze can help

We provide customers with a breadth of tools that can help support subscription and consent management that may be beneficial for complying with Law 25. Here are some steps that may be worth considering taking.

• Visit our Braze Data Protection Technical Assistance Page for guidance on how to access features to manage privacy requests from your customers, such as an individual who exercises their data portability right.

• Using Braze Teams to enable true governance: Add a custom attribute to all user profiles to indicate whether (and/or when) a user has consented, move all campaigns/canvases into that Team, and change all dashboard user permissions.

• Defaulting to marking users as unsubscribed from channels, such as push and email, and only marking them as subscribed upon obtaining explicit consent.

• Use both in-product and out-of-product channels like email and in-app messages to gain consent from users, explain how data will be used before it’s collected, educate users on the value of your offerings, and more.

Want to deliver personalized experiences across channels, while respecting consumer privacy and remaining compliant with the latest privacy laws? Find out how with our exclusive guide: Minimum Viable Data: What You Need to Balance Personalization and Privacy.