Law 25 Quebec: Changes that Could Affect your eCommerce

Let’s not forget that Law 25 aims to modernize legislative provisions on the protection of personal information in the private sector. Since technology is constantly evolving, it’s vital to adapt to it, which is why this reform will enable us to better respond to the new challenges posed by today’s digital environment. 

Law 25 clarifies the definition of personal information: “Personal information means any information relating to a natural person that enables that person to be identified, directly or indirectly”. However, when information is described as “anonymous” or “anonymized”, this means that it no longer irreversibly allows the direct or indirect identification of the said person.

While privacy and security are among the trends to watch in 2024, several tech giants have already begun their crusade against third-party data. Apple has already made it impossible to share personal information from advertising platforms on its Safari browser, while Google plans the end of cookies on its Chrome browser by 2024.

Keep in mind that transparency is a core value at Novatize, Law 25 is of paramount importance. We aspire to implement the recommendations to the letter in order to create a secure eCommerce environment that inspires trust:

• Cookie Management Module : Respecting the standards of Law 25, RGPD2, CCPA, etc., our solution allows visitors to your eCommerce to choose which cookies they accept or reject;
• Consent module : Offers customers the possibility of giving explicit, time-limited consent to the collection, use and sharing of their data;
• Enhanced security measures : We use advanced methods such as encryption, hashing, pseudonymization or anonymization to protect personal data against unauthorized access, loss, alteration or disclosure. Payment methods are constantly updated to guarantee PCI DSS certification;
• Deactivation of geolocation by default : Users’ privacy is very important, which is why we deactivate geolocation by default until customers give their explicit consent;
• Right to forget system : Implementation of an order and customer information anonymization system to respect the right to forget;
• Data leakage management : Development of a clear communication and management process in the event of a data leak, as well as assistance with data deletion on external modules (such as Facebook marketing, Klaviyo, Google analytics, etc.);
• Other requests tailored to your specific needs.

How Quebec’s Law 25 Will Affect your eCommerce

In addition to honoring all obligations that were previously in place, Novatize summarizes the 10 regulations that must already be implemented on your eCommerce since September 22, 2023:

1. Appoint a Privacy Officer and provide their contact information on your website;

2. Have established policies on the security of the personal information you hold and publish these policies on your website by September 2023;

3. Collect only the information necessary to fulfill the purpose, and clearly communicate the purpose at the time of collection. Without the consent of the individual, the purpose can only be changed once the personal information has been collected;

4. If a breach of personal information or confidentiality occurs, take the necessary steps to ensure that similar incidents do not occur. You must also keep a record of such incidents and, if they are of a significant nature, inform the person concerned as well as the Commission d’accès à l’information du Québec;

5. Comply with the new framework for sharing personal data for study, research, statistical purposes or as part of a commercial transaction;

6. Inform the Commission d’accès à l’information du Québec if you intend to conduct identity verification through biometric measures (any identification that uses a person’s biological characteristics, such as their voice or face);

7. Inform your customers of your privacy policy and if you use any technology to identify, locate or profile them;

8. Assume that data sharing outside of Quebec will be subject to scrutiny, as not all regions have the same privacy policies;

9. Set the default parameters to ensure the highest level of confidentiality for the technological product or service offered to the public;

10. Destroy or anonymize your customers’ (and employees’) personal information once the purpose for which it was collected has been fulfilled, following the reasonable period of time required by law (seven years, as of the date of publication of this article). For a complete list of current and upcoming rules, or for assistance on the subject, visit the Quebec government’s section on the protection of personal information.

Most recently, since September 2024, phase 3 of Law 25 has come into force, introducing additional obligations for companies, particularly with regard to data portability. This right to portability allows individuals to retrieve their personal data in a readable and structured format. This means that you must be prepared to transfer a user’s computerized personal information to another supplier, or directly to the individual, on request. The time limit for processing a portability request is 30 days for private companies and 20 days for public bodies, with the possibility of an extension under certain conditions.

You will therefore need to review your data management practices to ensure that your information is transferable in common formats such as JSON, CSV or XML. It’s also crucial to put security measures in place to ensure that data in transit is protected against unauthorized access.

In addition to portability, other requirements have come into force, such as the creation of a register to document portability requests, the verification of applicants’ identities to prevent abuse, and the implementation of clear policies and procedures to handle these requests in a compliant manner. This new phase aims to strengthen transparency and data protection in an increasingly demanding digital environment.

To ensure compliance, it is essential to train your staff and update your data management processes. Adapting to these new obligations will boost your customers’ confidence while minimizing the risk of sanctions by the Commission d’accès à l’information.

For a complete list of current and upcoming rules, or for assistance on the subject, visit the Government of Quebec’s section on the protection of personal information. 

Novatize’s Advice On the Security of Personal Information

Novatize is committed to the firm’s values, and among these is transparency. It is with this in mind that we make these suggestions regarding the protection of personal data.

Privacy Officer

In addition to designating a Privacy Officer, we recommend providing their name and a description of their role and responsibilities on your eCommerce site. You can even add their picture and an email address to reach them if needed. Demonstrate to your customers how seriously and transparently you plan to protect their information. There is no such thing as zero risk, but make sure your company is doing everything in its power to provide a safe shopping experience.

Privacy Incident

A privacy incident is any event that caused confidential information to be leaked to others who were not authorized to receive it. 

For example, some ecommerce platforms have known vulnerabilities, and scripts can sometimes be injected to harvest sensitive information. Another possible example could be a malicious employee leaving your company with access to the customer database and sharing sensitive information with others.

Our advice: as soon as you know (or think) that an incident has occurred, communicate with the people responsible for IT security to make sure that it won’t happen again. Immediately think of corrective measures to put in place.

Also, inform your clientele and community about the incident once the situation is under control. While the subject is sensitive, hiding or not being honest is even more so. Minimize the reputational impact of an incident by communicating in a transparent and professional manner: 

• The cause of the incident
• Corrective measures that have been put in place following the incident
• The contact information needed in case of questions

Transparency and honesty at the heart of our actions

At Novatize, honesty is at the heart of everything we do, which is why we value openness and integrity above all else. With this in mind, we strongly encourage you to develop your own policies regarding the security of personal information, and to make them public by publishing them on your website.

In addition, it is essential that you communicate with your customers if you use specific technology to identify, locate or profile them. Your customers need to be fully informed of these measures to ensure optimum protection of their data and personal information.

By adopting this approach, you can demonstrate your commitment to transparency, while reinforcing your customers’ trust in your company.

Would you like support in optimizing your privacy policies to ensure compliance? Contact an expert at Novatize. 

📞 +1 844 932 6682

📥 [email protected]

📍 330-330 rue Saint-Vallier Est, G1K 9C5, Québec, QC, Canada