Context
Since September 22, 2023, Quebec-based organizations must apply certain measures to their website in order to comply with Bill 25.
Measures related to Bill 25
A fact sheet prepared by the Commission d'accès à l'information (in French) summarizes these measures. Among those that may affect your web site is the addition of a person responsible for the protection of personal information:
- Designate a person responsible for the protection of personal information and publish the title and contact details of the person responsible on the company's website or, if it does not have a site, make them available by any other appropriate means.
NOTE: It is not essential to identify this person by name: they can be designated by title (e.g. "Privacy and Confidentiality Officer"), and their contact information can be an appropriate e-mail address (e.g. privacy@yourdomain.com).
In addition, having a privacy policy on the website is now required, as well as a system that allow visitors to know what data is being collected (notably with the use of cookies), and to give or withdraw their consent. These include:
Having established policies and practices governing the management of personal information, and publishing detailed information about them in simple, clear terms on the company's website or, if it doesn't have a site, by any other appropriate means;
Respect the new rules governing consent to the collection, communication or use of personal information;
Destroy personal information once the purpose for which it was collected has been fulfilled, or anonymize it to use it for serious and legitimate purposes, subject to the conditions and retention period stipulated by law;
Respect the right to cease dissemination, to reindex, or to de-index (or the right to be forgotten);
Privacy policy
To prepare your privacy policy, if your website uses WordPress as its content management system, there is a tool in Settings > Privacy that allows you to create a basic policy template, which you can then complete with your own details. You may also wish to consult the following references:
- New provisions protecting the privacy of Quebecers: Documents and references to support adaptation to the new rules (TRPOCB) (in French)
- Bill 25 Toolbox (in French)
- Commission d'accès à l'information du Québec - Politique de confidentialité (in French)](https://www.cai.gouv.qc.ca/politique-de-confidentialite/)
When drafting the privacy policy, in addition to the information collected from your website, you should also keep in mind the use of services from other providers, which also record information and have their own privacy policies, for example:
- Social networks
- Newsletter services
- Payment gateway(s)
- Forms set up on other services (Google Drive, OneDrive, etc.)
Cookie approval
To set up a floating banner on your website that will allow people to view cookies, there are several free options, both for WordPress and for Drupal. Here are a few examples:
- WordPress
- CookieYes | GDPR Cookie Consent & Compliance Notice (CCPA Ready)
- WP Cookie Consent ( for GDPR, CCPA & ePrivacy)](https://wordpress.org/plugins/gdpr-cookie-consent/)
- Drupal
- EU Cookie Compliance (GDPR Compliance)](https://www.drupal.org/project/eu_cookie_compliance)
- COOKiES Consent Management](https://www.drupal.org/project/cookies)
In systems that allow you to specifically control which cookies to keep, you'll need to identify and configure each file separately. This tutorial can show you how to identify cookies. In general, cookies are associated with the following scenarios:
- Using a tool to collect statistical data on website visits (Matomo, Google Analytics);
- Cookies are used to measure repeated visits from the same device.
- Using an online store and payment gateway(s);
- Cookies are used for security purposes (fraud prevention, for example).
- Using a multilingual system;
- Often, a cookie records the user's language preference.
- Using a member-only area/intranet, implementing communication tools (comments, message boards, etc.);
- Cookies are used to save your preferences.
- Integrating social networking features (e.g. displaying a feed from your Facebook page);
- Social networks may use cookies for their own purposes.
If you need support to ensure that your privacy policy reflects the way your website works, or to set up a cookie approval banner, you can use our services by filling the quote request form.
Other references
- Aide-mémoire: Barreau du Québec (in French)](https://www.barreau.qc.ca/media/deknztxe/aide-memoire-loi-25.pdf)
- MNP: Québec’s Law 25: Is your organization prepared?](https://www.mnp.ca/en/insights/directory/quebecs-law-25-is-your-organization-prepared)
