Navigating Quebec Law 25: A Guide for Marketers
Law 25, Quebec’s new private sector privacy law, was adopted in September 2021 and rolled out in stages. Most aspects of the law are now in effect, except for the portability requirement, which takes effect on September 22, 2024, and the requirement (beginning January 1, 2025) to keep a record of personal information that has been anonymized after the purposes for which it was collected have been fulfilled, and the anonymization techniques used in each case.
The CMA Guide on the Application of Quebec Law 25 to Marketing Activities, released this week, helps CMA members understand how the new rules may apply to their marketing activities. The information has been distilled from legal requirements and recommended practices from the CAI, the Quebec government, the CMA’s privacy counsel, and expert members of the CMA’s Privacy and Data Committee.
The guide does not provide legal advice, but it provides key information and best practices to help marketers have meaningful conversations with their compliance teams.
Here are some highlights from the guide.
Does Law 25 apply to you?
Quebec’s Law 25 applies not only to Quebec-based private sector organizations, but also to those in other provinces and jurisdictions that process the personal information of Quebec residents when they are physically located within Quebec.
How Law 25 compares to other Canadian privacy laws
In many ways, Law 25 brings Quebec’s privacy regime more in line with other Canadian private sector privacy laws. However, it differs from other Canadian private sector laws in several ways. Our guide describes the differences in 10 areas relevant to marketing, including consent, tracking and profiling, automated processing, de-identified information, portability, parental consent, transferring data outside of Quebec, and more. The guide provides examples, and outlines restrictions and obligations under the law.
Consent
As in other private sector privacy laws, under Law 25, organizations are generally required to obtain consent for the collection, use, or disclosure of personal information, subject to certain limited exceptions.
The CAI recognizes three types of consent under Law 25:
- Deemed consent
- Implied consent
- Express consent
Guidance from the CAI indicates that consent must meet eight criteria to be valid.
The CMA guide provides summaries of each criterion. As well, it outlines:
- Expectations about obtaining consent from minors,
- How the law treats business contact information,
- Provisions related to consent for secondary purposes, for new purposes, and for disclosure to a third party,
- The notice requirements for deemed consent, and
- How to apply the CAI’s “granularity” guidance.
To effectively meet notice requirements for deemed consent under Law 25, marketers may also wish to consider the approach outlined in the CMA Guide to Transparency for Consumers.
Tracking technologies and privacy by default
Law 25 has new requirements intended to give individuals more understanding and control when an organization collects personal information using technology that allows for profiling, location or identification, as well as requirements that privacy settings on technological products and services must provide for the highest level of privacy by default. CAI’s October 2023 Guidelines on valid consent indicate that technologies that identify, track or profile individuals should be turned off by default, which suggests that express consent is required.
There is some uncertainty about the application and interpretation of some of these requirements. Our guide provides use cases and lists factors that members can consider to help determine what steps they might take to comply with the law and with regulator expectations. It also describes how consent should be applied to the use of sensitive information, and the responsibilities of organizations when sharing personal information with vendors.
Anonymization
The Quebec government issued a Regulation in May 2024 that specifies criteria and terms for anonymizing personal information where an organization elects to anonymize, rather than destroy personal information after the purposes for which it was collected or used are achieved. Our guide outlines when these regulations apply, and the CAI’s expectations about how they should be carried out.
A full copy of the CMA Guide on the Application of Quebec Law 25 to Marketing Activities can be accessed in English here. (Member login is required). Information on additional topics will be added as further guidance is released by the CAI.
Most guidance and other publications of the Government of Quebec and the CAI are available only in French. The CMA Guide contains links to unofficial translations of the key resource documents.
The CMA would like to acknowledge David Elder, our privacy counsel, who chairs the Privacy and Data Protection Groups at Stikeman, along with members of our Privacy and Data Committee, for their help in creating this outstanding resource.
