Personal Information: the Law’s the Law

Are you aware of the new law aimed at safeguarding the privacy of personal information collected by businesses? You might think it doesn’t concern you if your company doesn’t manage customer databases. However, that’s not the case: if your company has employees and a website, the law applies. Furthermore, the deadline is rapidly approaching: on September 22, 2023, the second round of obligations from Law 25 comes into effect.

This law, adopted by the Quebec government in September 2022, aims to provide all citizens with better control over their personal information. It also requires businesses to be more transparent about the methods of collecting and using their customers’ data.

September 2023

Starting September 2022, companies were required to fulfill these obligations:

  • Appoint a person responsible for the protection of personal information.
  • Inform individuals concerned and the CAI (Commission d’accès à l’information) in case of a confidentiality breach and maintain a record of incidents.

As of September 22, 2023, these new obligations are added:

  • Obligation to establish a personal information governance framework.
  • Transparency requirement.
  • Anonymization and disposal of personal information under certain circumstances.
  • Privacy risk assessment under certain circumstances. New obligations concerning consent. Implement parameters ensuring the highest level of confidentiality.

And by September 2024, the right to portability must be introduced: the obligation to provide individuals with the information an enterprise holds about them upon request.

New Transparency Obligations

Henceforth, when a company collects personal information, it must provide explanations to the concerned individual regarding the reasons for gathering this information, the methods used to obtain it, as well as the rights of access, correction, and withdrawal of consent. If applicable, the company must also disclose the name of the third party for whom the collection is being carried out, the category of third parties who will receive the information, or even the possibility of personal data being shared outside of Quebec. Upon request, the company must also reveal the collected information, the employees with access to this information, the retention period, and the contact details of the data protection officer. All of this information must be communicated in a clear and straightforward manner.

It’s noteworthy that if a company acquires personal information using technology that can identify, locate, or profile an individual, additional information must be provided. The concerned individual must be informed about the use of this technology and the available methods to activate these functions. Additionally, for information obtained through technological means, a specific privacy policy must be published on the company’s website. Finally, if decision-making relies entirely on automated processing of personal information, the concerned individual has the right to know the information used for making the decision, the reasons, the key factors leading to the decision, and the right to request a review of that decision.

To comply with this requirement, it’s necessary to:

  • Establish and publish the following privacy policies and procedures.
  • A policy and procedure regarding the information that must be conveyed during the collection of personal information.
  • A policy and procedure regarding the information that must be provided upon request.
  • A policy and procedure regarding the collection of information used for identifying, locating, or profiling individuals.
  • A policy and procedure concerning the collection of personal information through technological means.
  • A policy and procedure concerning the disclosure of information when a company makes. decisions solely based on automated processing of personal data.

Privacy Impact Assessment

It is now imperative to conduct a Privacy Impact Assessment (PIA) before any project involving the processing of personal data, whether it’s an acquisition, development, or overhaul of information systems or electronic services. It’s important to note that this obligation is not retroactive; it applies exclusively to new projects. Additionally, the extent of the PIA must be proportional to the impact of the project on individuals’ privacy.

To comply with this requirement, it is necessary to:

  • Develop a PIA procedure that defines the criteria for determining when the assessment is necessary and the process for identifying projects that require an assessment from the outset.
  • Share this procedure within the company.
  • Create a straightforward model to effectively carry out the PIA. Disseminate this procedure within the company.

Financial Penalties

The law stipulates penalties that can range up to:

  • A sum of 10 million Canadian dollars
  • A sum equivalent to 2% of the total revenue of the company during the previous fiscal year
  • Harsher penalties are envisaged for the most serious violations.


Indeed, there are cases where the obligation to obtain consent does not apply, especially when the use of data is necessary to provide a product or service requested by the individual concerned. This exemption includes cookies and trackers considered “essential”.

The Banner to Implement

Law 25 requires the disclosure of cookies to website visitors to track their online activities. These cookies are crucial for understanding visitor habits, enhancing visibility in search results, and optimizing marketing campaigns. Furthermore, they facilitate interactions with visitors.

To comply with the law, starting from September 22, 2023, your website must display a banner to obtain explicit consent from users regarding the collection, usage, and storage of their personal data.

Tektonik is capable of assisting you in meeting the requirements of the law.

To avoid the risks associated with non-compliance with Law 25 on your website, as well as the penalties and financial repercussions that may arise, we will create a customized consent banner and integrate it into your website.

In addition to increasing trust and transparency with your potential clients, this banner will enhance your reputation for data privacy. Our goal is to adhere to the spirit of the law while maximizing visitor approval rates, optimizing your online presence, and refining your marketing strategies.

Furthermore, updating the privacy policy on your website can significantly enhance your online positioning. Google’s search algorithms favor websites with clear privacy policies, resulting in improved rankings in search results.

Our Turnkey Solution

Since the initial interaction between your brand and new customers will occur through the consent banner, the aim is also to maintain a positive user experience on your site. In accordance with Law 25, our solution involves creating and configuring a personalized banner to maximize user approval. This cost-effective service is offered without mandatory monthly fees.

This banner enables visitors to make an informed decision about the use of their personal information. They can choose to allow the storage of their data for facilitating transactions, while declining its use for targeted advertisements.

The solution offered by Tektonik is tailored for websites subject to Law 25 and is suitable for all businesses aiming to enhance their organic search rankings and advertising efficiency while complying with the law. These banners are already present on numerous sites we’ve been visiting for the past few weeks. It’s now crucial for you to implement them, as the September 22, 2023 deadline is approaching rapidly.

Reach out to us for an in-depth discussion. We can collaborate with you to devise a solution that adheres to the law, fosters transparency with your clients, and includes the necessary data for seamless collaboration with them.


Contact Us Now!


This post is also available in: FR