20 Jan 2024
Law 25 Quebec: Changes that Could Affect your eCommerce
Since its arrival, Law 25 has brought its share of changes for organizations and businesses selling in Quebec’s market, and the eCommerce world is not exempt. Are you up to date with the changes that have been in effect since September 2022? Are you aware of what’s coming in 2024? Our team has prepared a summary of the changes that could affect your eCommerce as well as some tips and examples of concrete applications.
Let’s not forget that Law 25 aims to modernize legislative measures on the protection of personal information in the private sector. As technology is constantly evolving, it is vital to adapt to it, and this is why this reform will enable us to better respond to the new challenges posed by today’s digital environment.
Law 25 clarifies the definition of personal information: “Personal information is any information that relates to a natural person and enables that person to be identified, directly or indirectly.” However, when information is described as “anonymous” or “anonymized”, this means that it no longer allows, irreversibly, the direct or indirect identification of the said person.
Although privacy and security are among the trends to watch in 2024, several technology giants have already begun their crusade against third-party data. Apple has already made it impossible to share personal information from advertising platforms on its Safari browser, while Google plans to end cookies on its Chrome browser by 2024.
Because transparency is a core value at Novatize, Law 25 is of paramount importance to us. We aim to implement its recommendations fully in order to create a secure eCommerce environment that inspires confidence:
- Cookie management module: respecting the standards of Law 25, GDPR, CCPA, etc., our solution allows visitors to your eCommerce to choose which cookies they accept or reject;
- Consent module: offers customers the possibility of giving explicit, time-limited consent to the collection, use and sharing of their data;
- Enhanced security measures: we use advanced methods such as encryption, hashing, pseudonymization or anonymization to protect personal data against unauthorized access, loss, alteration or disclosure. Payment methods are constantly updated to maintain PCI DSS certification;
- Deactivation of geolocation by default: users’ privacy is very important, which is why we deactivate geolocation by default until customers give their explicit consent;
- Right to be forgotten: implementation of an order and customer information anonymization system to respect the right to be forgotten;
- Data leak management: development of a clear communication and management process in the event of a data leak, as well as assistance with data deletion on external modules (such as Facebook marketing, Klaviyo, Google Analytics, etc.);
- Other requests tailored to your specific needs.
How Quebec’s Law 25 Will Affect your eCommerce
In addition to fulfilling all obligations that were previously in place when storing data from Quebec’s consumers, you must now meet a number of new requirements. Novatize highlights 10 new regulations that must be in place by September 22, 2023:
1. Appoint a Privacy Officer and provide their contact information on your website;
2. Have established policies on the security of the personal information you hold and publish these policies on your website by September 2023;
3. Collect only the information necessary to fulfill the purpose, and clearly communicate the purpose at the time of collection. Once the personal information has been collected, its purpose can only be changed with the consent of the individual;
4. If a breach of personal information or confidentiality occurs, take the necessary steps to ensure that similar incidents do not occur. You must also keep a record of such incidents and, if they are of a significant nature, inform the person concerned as well as the Commission d’accès à l’information du Québec;
5. Comply with the new framework for sharing personal data for study, research, statistical purposes or as part of a commercial transaction;
6. Inform the Commission d’accès à l’information du Québec if you intend to conduct identity verification through biometric measures (any identification that uses a person’s biological characteristics, such as their voice or face);
7. Inform your customers of your privacy policy and if you use any technology to identify, locate or profile them;
8. Assume that data sharing outside of Quebec will be subject to scrutiny, as not all regions have the same privacy policies;
9. Set the default parameters to ensure the highest level of confidentiality for the technological product or service offered to the public;
10. Destroy or anonymize your customers’ (and employees’) personal information once the purpose for which it was collected has been fulfilled, following the reasonable period of time required by law (seven years, as of the date of publication of this article). For a complete list of current and upcoming rules, or for assistance on the subject, visit the Quebec government’s section on the protection of personal information.
Novatize’s Advice On the Security of Personal Information
Novatize is committed to its values, and among these is transparency. It is with this in mind that we make the following suggestions regarding the protection of personal data.
Privacy Officer
In addition to designating a Privacy Officer, we recommend providing their name and a description of their role and responsibilities on your eCommerce site. You can even add their picture and an email address to reach them if needed. Demonstrate to your customers how seriously and transparently you plan to protect their information. There is no such thing as zero risk, but make sure your company is doing everything in its power to provide a safe shopping experience.
Privacy Incident
A privacy incident is any event that caused confidential information to be leaked to others who were not authorized to receive it.
For example, some eCommerce platforms have known vulnerabilities, and scripts can sometimes be injected to harvest sensitive information. Another possible example is a malicious employee leaving your company with access to the customer database and sharing sensitive information with others.
Our advice: as soon as you know (or think) that an incident has occurred, communicate with the people responsible for IT security to make sure that it won’t happen again. Immediately think of corrective measures to put in place.
Also, inform your clientele and community about the incident once the situation is under control. While the subject is sensitive, hiding or not being honest is even more so. Minimize the reputational impact of an incident by communicating in a transparent and professional manner:
- The cause of the incident
- Corrective measures that have been put in place following the incident
- The contact information needed in case of questions
Transparency and honesty at the heart of our actions
At Novatize, honesty is at the heart of everything we do, which is why we value openness and integrity above all else. With this in mind, we strongly encourage you to develop your own policies regarding the security of personal information, and to make them public by publishing them on your website.
In addition, it is essential that you communicate with your customers if you use specific technology to identify, locate or profile them. Your customers need to be fully informed of these measures to ensure optimum protection of their data and personal information.
By adopting this approach, you can demonstrate your commitment to transparency, while reinforcing your customers’ trust in your company.
Would you like support in optimizing your privacy policies to ensure compliance? Contact an expert at Novatize.