Since its arrival, Law 25 has brought its share of changes for organizations and businesses selling in Quebec’s market, and the eCommerce world is not exempt. Are you up to date with the changes that have been in effect since September 2022? Are you aware of what’s coming in 2023? Our team has prepared a summary of the changes that could affect your eCommerce as well as some tips and examples of concrete applications.
Let’s not forget that Law 25 aims to modernize legislative measures on the protection of personal information in the private sector. As technology is constantly evolving, it is vital to adapt to it, and this is why this reform will enable us to better respond to the new challenges posed by today’s digital environment.
Law 25 clarifies the definition of personal information: “Personal information is any information that relates to a natural person and enables that person to be identified, directly or indirectly. However, when information is described as ‘anonymous’ or ‘anonymized’, this means that it irreversibly no longer allows the direct or indirect identification of the said person.”
Although eCommerce cybersecurity is one of the top trends in 2023, several technology giants have already begun their crusade against third-party data. Apple has already made it impossible to share personal information from advertising platforms on its Safari browser, while Google plans to end cookies on its Chrome browser by 2024.
Transparency is a core value at Novatize, so Law 25 is of paramount importance to us. We aim to perfectly implement the recommendations in order to create a secure eCommerce environment that inspires confidence.
How Quebec’s Law 25 Will Affect your eCommerce
In addition to fulfilling all obligations that were previously in place when storing data from Quebec’s consumers, you must, among other things, meet the following requirements. Novatize highlights 10 new regulations that must be in place by September 22, 2023:
1. Appoint a Privacy Officer and provide their contact information on your website;
2. Have established policies on the security of the personal information you hold and publish these policies on your website by September 2023;
3. Collect only the information necessary to fulfill the purpose, and clearly communicate the purpose at the time of collection. Without the consent of the individual, the purpose can only be changed once the personal information has been collected;
4. If a breach of personal information or confidentiality occurs, take the necessary steps to ensure that similar incidents do not occur. You must also keep a record of such incidents and, if they are of a significant nature, inform the person concerned as well as the Commission d’accès à l’information du Québec;
5. Comply with the new framework for sharing personal data for study, research, statistical purposes or as part of a commercial transaction;
6. Inform the Commission d’accès à l’information du Québec if you intend to conduct identity verification through biometric measures (any identification that uses a person’s biological characteristics, such as their voice or face);
8. Assume that data sharing outside of Quebec will be subject to scrutiny, as not all regions have the same privacy policies;
9. Set the default parameters to ensure the highest level of confidentiality for the technological product or service offered to the public;
10. Destroy or anonymize your customers’ (and employees’) personal information once the purpose for which it was collected has been fulfilled, following the reasonable period of time required by law (seven years, as of the date of publication of this article).
For a complete list of current and upcoming rules, or for assistance on the subject, visit the Quebec government’s section on the protection of personal information.
Novatize’s Advice On the Security of Personal Information
Novatize is committed to the firm’s values, and among these is transparency. It is with this in mind that we make these suggestions regarding the protection of personal data.
In addition to designating a Privacy Officer, we recommend providing their name and a description of their role and responsibilities on your eCommerce site. You can even add their picture and an email address to reach them if needed. Demonstrate to your customers how seriously and transparently you plan to protect their information. There is no such thing as zero risk, but make sure your company is doing everything in its power to provide a safe shopping experience.
A privacy incident is any event that caused confidential information to be leaked to others who were not authorized to receive it.
For example, some ecommerce platforms have known vulnerabilities, and scripts can sometimes be injected to harvest sensitive information. Another possible example could be a malicious employee leaving your company with access to the customer database and sharing sensitive information with others.
Our advice: as soon as you know (or think) that an incident has occurred, communicate with the people responsible for IT security to make sure that it won’t happen again. Immediately think of corrective measures to put in place.
Also, inform your clientele and community about the incident once the situation is under control. While the subject is sensitive, hiding it or being less than honest is even more so. Minimize the reputational impact of an incident by communicating in a transparent and professional manner:
- The cause of the incident
- Corrective measures that have been put in place following the incident
- The contact information needed in case of questions
Transparency and honesty at the heart of our actions
At Novatize, honesty is at the heart of everything we do, which is why we value openness and integrity above all else. With this in mind, we strongly encourage you to develop your own policies regarding the security of personal information, and to make them public by publishing them on your website.
In addition, it is essential that you communicate with your customers if you use specific technology to identify, locate or profile them. Your customers need to be fully informed of these measures to ensure optimum protection of their data and personal information.
By adopting this approach, you can demonstrate your commitment to transparency, while reinforcing your customers’ trust in your company.
Do you want to implement the best eCommerce practices and ensure that your actions are compliant? Contact an expert at Novatize.