According to a study conducted by the Office de la protection du consommateur, 72% of Quebecers are concerned about the protection of their personal data. Faced with this growing concern, Law 25 is the Quebec government’s response to the technological age.


What is Law 25 and how does it apply?

Law 25 was introduced in September 2022. It aims to protect our personal information and to ensure that it is handled securely and with respect for our privacy.

It applies to any individual or organization doing business with Quebecers, whether self-employed, non-profit, company, association or cooperative.

What do we mean when we say “personal information”?

Personal information is any information that identifies someone online, such as their name, phone number, e-mail address, password, IP address and more. Personal information can be that of your customers, but also of your suppliers, website visitors, prospects, etc.

What are the major challenges facing your company?

Companies need to pay particular attention to Law 25. With the advance of artificial intelligence and the growing digitization of data, privacy incidents are becoming increasingly common. Companies must therefore put in place adequate protection measures to avoid incidents and comply with legal requirements.

What are the consequences of non-compliance?

Non-compliance with Law 25 can have legal and financial consequences: companies at fault can be subject to considerable fines, which, depending on the seriousness of the breach, can run into millions of dollars. What’s more, these breaches of confidentiality can lead to a loss of customer confidence and cause significant damage to a company’s reputation.

Orphic: your ally in data management

Here are just a few of the measures you can take to comply with this law, and how Orphic can assist you in doing so:

  • Understand that the law applies to you and that doing nothing may result in sanctions;
  • Identify all personal information collected on your website and applications;
  • Appoint a person in charge of data collection;
  • Have a plan in case of data leakage;
  • Establish a privacy policy that is clear, legible, public and written by a competent professional, and clearly integrate this policy into your website;
  • Collect personal information only with the informed consent of the visitor or customer concerned;
  • Set parameters for storing personal information (retention period, anonymization, right to be forgotten, portability);
  • Produce a PIA (Privacy Impact Assessment) if you are a public body or company concerned about the privacy of your users;
  • Seek legal advice to ensure compliance with Law 25.