27 Jan 2023

Law 25 Quebec: Changes that Could Affect your Ecommerce

Since its arrival, Law 25 has brought its share of changes for organizations and businesses selling in Quebec’s market, and the e-commerce world is not exempt. Are you up to date with the changes that have been in effect since September 2022? Are you aware of what’s coming in 2023? Our team has prepared a summary of the changes that could affect your e-commerce as well as some tips and examples of concrete applications.


Firstly, Law 25 defines personal information as: “personal information is any information that relates to a natural person and allows that person to be identified directly or indirectly.”

By contrast, when we speak of so-called “anonymous” or “anonymized” information, we mean that it “no longer makes it possible, in an irreversible manner, to identify that person directly or indirectly.”

Although eCommerce cybersecurity is one of the top trends in 2023, several technology giants have already begun their crusade against third-party data. Apple has already made it impossible to share personal information from advertising platforms on its Safari browser, while Google plans to end cookies on its Chrome browser by 2024.


How Quebec’s Law 25 Will Affect your Ecommerce

In addition to fulfilling all obligations that were previously in place when storing data from Quebec’s consumers, you must, among other things: 

1. Appoint a Privacy Officer and provide their contact information on your website.

2. Have established policies on the security of the personal information you hold and publish these policies on your website by September 2023.

3. Collect only the information necessary to fulfill the purpose, and clearly communicate the purpose at the time of collection. Without the consent of the individual, the purpose can only be changed once the personal information has been collected.

4. If a breach of personal information or confidentiality occurs, take the necessary steps to ensure that similar incidents do not occur. You must also keep a record of such incidents and, if they are of a significant nature, inform the person concerned as well as the Commission d’accès à l’information du Québec.

5. Comply with the new framework for sharing personal data for study, research, statistical purposes or as part of a commercial transaction.

6. Inform the Commission d’accès à l’information du Québec if you intend to conduct identity verification through biometric measures (any identification that uses a person’s biological characteristics, such as their voice or face).

7. Inform your customers of your privacy policy and if you use any technology to identify, locate or profile them.

8. Assume that data sharing outside of Quebec will be subject to scrutiny, as not all regions have the same privacy policies.

9. Destroy or anonymize your customers’ (and employees’) personal information once the purpose for which it was collected has been fulfilled, following the reasonable period of time required by law (seven years, as of the date of publication of this article).

For a complete list of current and upcoming rules, or for assistance on the subject, visit the Quebec government’s section on the protection of personal information.


Novatize’s Advice On the Security of Personal Information

Novatize is committed to its values as a firm, and transparency is among them. It is with this in mind that we make these suggestions regarding the protection of personal data.

Privacy Officer

In addition to designating a Privacy Officer, we recommend providing their name and a description of their role and responsibilities on your e-commerce site. You can even add their picture and an email address to reach them if needed. Demonstrate to your customers how seriously and transparently you plan to protect their information. There is no such thing as zero risk, but make sure your company is doing everything in its power to provide a safe shopping experience.

Privacy Incident

A privacy incident is any event that causes confidential information to be leaked to others who are not authorized to receive it.

For example, some ecommerce platforms have known vulnerabilities, and scripts can sometimes be injected to harvest sensitive information. Another possible example could be a malicious employee leaving your company with access to the customer database and sharing sensitive information with others.

Our advice: as soon as you know (or think) that an incident has occurred, communicate with the people responsible for IT security to make sure that it won’t happen again. Immediately think of corrective measures to put in place.

Also, inform your clientele and community about the incident once the situation is under control. While the subject is sensitive, hiding the incident or not being honest about it is even more so. Minimize the reputational impact of an incident by communicating the following in a transparent and professional manner:

  • The cause of the incident
  • Corrective measures that have been put in place following the incident
  • The contact information needed in case of questions

Do you want to implement the best ecommerce practices and ensure compliance with your actions? Contact an expert at Novatize. 

📞 +1 844 932 6682

📥 contact@novatize.com

📍 330-330 rue Saint-Vallier Est, G1K 9C5, Québec, QC, Canada

