SOS Ajointes Virtuelles Inc.

Bill 25: privacy protection for Quebecers and headaches for entrepreneurs. Prepare yourself gently with SOS AV!

You've certainly heard about it many times: Bill 25, which concerns the protection of personal information in the private sector, and which came into force in September 2022, brings many changes to the way businesses and their digital ecosystem operate.

As Diane Poitras, President of the Commission d'accès à l'information du Québec (CAI), points out, this means greater protection for personal information and new rights for citizens, but it also means a real headache for businesses, both large and small.

Difference between Bill 25 and Bill C-28

Bill C-28 is a federal law dating from 2014, which encourages the reduction of mass emailing. This law, also known as the "anti-spam law", prohibits the sending of emails for commercial use, except with express or tacit consent.

Tacit consent:

It is possible to demonstrate that you already have a business relationship with the person, and that therefore, even if he or she has not given clear consent, it is implied that you may need to communicate with him or her. Acceptable implied consents are: a contract, a request for information, a purchase made, a request for a quote, an ongoing private relationship, a publicly posted e-mail address related to your field of activity, or a business card given to you by the person themselves.

Express consent:

In the case of express consent, you must be able to demonstrate that the person has given his or her consent to receive communications from you. This may be in the form of written evidence, such as an e-mail including the date, name and message, or a paper document that you keep in a safe place; or verbal evidence, in which case you must be able to provide a recording of the conversation.

Bill 25 is a provincial law that clarifies and restricts Bill C-28. The application of one does not exclude the other, and all companies are obliged to comply with it.

Entry into force and adjustment deadlines

Bill 25 came into force in September 2022. However, its application is staggered over a 3-year period, until 2024. The next date to remember is September 22, 2023. That leaves you just a few months to get ready.

But the tools and procedures to do this can take some time to put in place. It's best to get started early, so you can do it as smoothly as possible. What's more, as entrepreneurs, we have to buy expensive tools, and it would be a shame not to take Bill 25 into consideration and have to change these tools a few months after acquiring them, for lack of preparation or information.

Prepare yourself properly

Bill 25 will have an impact on many aspects of your business, including resource management and the management of your digital and communications activities.


It is therefore advisable to prepare yourself quickly in order to comply properly.

Here is a summary of the actions to be taken:

Within the company:

  • Designate a Privacy Officer to ensure compliance with the Act. This should be part of the job description of the person assigned.
  • Set up an incident management plan and procedures to be followed in the event of confidentiality incidents.

To put it plainly, you need to draw up a document outlining exactly what to do in the event of a confidentiality incident (hacking into your data, loss of a computer, etc.).

  • Keep an up-to-date incident log.
  • Diligently disclose to the Commission d'accès à l'information any confidentiality incident that presents a risk of serious harm.

With customers:

  • Insert an unsubscribe link in your newsletters.
  • If a customer requests a copy of his or her personal information, the company is obliged to provide it. It must also provide proof that the information has been destroyed, if the customer so requests.

A few general tips

Generally speaking, companies need to adjust to these new measures to respect the integrity of their customers' personal data and earn their trust. While these adjustments may seem restrictive at the moment, they will become the new norm. The sooner you implement them, the sooner you'll have peace of mind.

Here are some useful tips to help you comply with these restrictions:

  • For CRM and newsletters, use specialized, secure platforms. Ideally, opt for local platforms that comply with Quebec privacy regulations.
  • Reduce data storage on files such as Excel, CSV, etc.
  • Establish clear policies for extraction and handling.
  • Give priority to express consent (be adamant about clear communications).
  • Encourage two-factor authentication (double opt-in).

Need help or guidance to find out how to comply with the new regulations linked to Bill 25? We invite you to consult our Address Book below.

The information presented in this article is based on training obtained on the subject of this Law and the various articles related to this subject. It in no way replaces professional advice. We recommend that you consult a professional if necessary.

Sources:

https://symplify.com/fr/blog/loi-25-au-quebec-tout-ce-que-vous-devez-savoir/

https://www.adviso.ca/blog/affaires/impacts-loi-25-sur-strategies-et-operations-marketing/

https://www.cai.gouv.qc.ca/documents/CAI_Guide_obligations_entreprises_vf.pdf

Address book:

Bill 25 compliance support - MS Solutions

Services for Bill 25 - BNP Performance philanthropique

Ma Loi 25 - Practical help to comply with Bill 25

SOS AV would like to thank Emma de Guidez from A to Z for her collaboration in writing this article.