Quebec's Law 25: Frequently Asked Questions

For the principal obligations, please visit our page dedicated to Law 25.

You must comply with the new Law 25 in Quebec, but you don’t know how?

To make your life easier, we took the time to demystify this law, which may seem complicated because of certain gray areas. 

First, be aware that the new responsibilities and obligations relating to this law will be introduced gradually, until September 2024.

1. What is personal information (PI)?
2. What is considered sensitive personal information?
3. Are there any templates available that we can tailor to our business?
4. How do you anonymize former customers' PI?
5. How do we determine the risk of injury? Is there an assessment template?
6. Can a business have information that is considered personal information?
7. If we use an external payroll service (company), are we required to include the payroll service's policy in our documents?
8. Are we responsible for the PI provided by applicants through recruiting sites (names, addresses, e-mail addresses, age, etc.)? Do we have to manage the protection of such PI?
9. How can we retain applicants' résumés? They all contain PI.
10. Does Law 25 affect all types of businesses and organizations (B2Bs, non-profit organizations, public corporations, etc.)?
11. Is any training available to raise employee awareness?
12. If our employees use external applications (e.g., for medical insurance or their pay slip), do we need to notify them that these sites collect their personal information?
13. If an employee does not consent to provide a required piece of personal information, do we have to tell them that they may lose their job?
14. Is truck geolocation data considered PI?
15. Do we have to post a confidentiality policy on a purely information website that only contains photos and information about the company?
16. Does separate consent apply to encrypted emails including pay slips, Records of Employment, and T4, T3 and similar slips?
17. As health care professionals who need to share personal information with external bodies (RAMQ, CNESST, and other public bodies), are we required to obtain consent? Our professional body requires us to obtain this information to establish a file, which makes it mandatory to perform a service. 
18. Do existing contracts need to be adapted or amended to comply with Law 25 as of September 22, 2023?
19. If our clients share PI (name, age, employment) with us, do we have an obligation with respect to consent or can we assume that our clients obtained consent prior to sharing it?
20. Are there established minimum security standards (server protection, firewall, antivirus software, encryption, etc.) for protecting PI?
21. Can a single consent encompass the collection, use, and communication of PI or is separate consent required for each purpose?
22. What does PI destruction mean? Do any basic standards apply?
23. How long can we keep PI in our records? Does this differ by industry (health care v. public sector v. private sector)?
24. Does CFIB offer or recommend a service to help businesses with Law 25 compliance and everything it entails?
25. Will the public bodies with which we do business ask us to demonstrate our PI protection level?
26. Can consent be obtained upon signing the service agreement?
27. Can a customer request to erase images recorded by a security camera?
28. What are a private company's obligations in relation to personal files?
29. What are the new obligations as of September 22, 2023?
30. What are the new obligations as of September 22, 2024?

1. What is personal information (PI)? 

It is information that can be used alone or in combination with other data to identify a natural person, directly or indirectly. 

Are customer names, addresses, phone numbers, and email addresses considered PI? 
Personal information typically includes names, addresses, phone numbers, email addresses, dates of birth, social insurance numbers, IP addresses, and other similar information.

Does information about a business’s sales representative (email address and phone number) count as PI?
Some personally identifying information is public. Information about an individual’s duties within a business is not subject to privacy legislation: 

  • name
  • title
  • job function
  • work email address, postal address, and telephone number

What are the rules for government-issued ID (driver’s licences, health insurance cards, and social insurance number cards)?

  • Social insurance numbers (SINs) are issued by the federal government, generally for employment, social programs, and tax purposes.
  • The Highway Safety Code states that the holder of a driver’s licence cannot be required to produce their licence except where so required by a peace officer or by the Société de l’assurance automobile du Québec for the purposes of highway safety.
  • Quebec’s Health Insurance Act specifies that no person may be required to provide a health insurance card number except for purposes relating to the dispensing of services or the provision of goods or resources in the field of health or social services.
  • When accepting a product return, businesses collect the customer’s name, phone number, and home address. They sometimes ask to see ID to confirm this information, a practice the Commission d’accès à l’information (Commission) considers acceptable since the information on the ID is only consulted and not collected. The information they do collect can only be accessed by a limited group of employees and is destroyed after 24 months. The business must be able to demonstrate that this is a necessary fraud protection measure.
  • When verifying a customer’s age, a piece of ID may be consulted to ensure compliance with the law (e.g., the legal drinking age).


Where collecting information is necessary, you must inform your customer of the reasons why. See this information sheet (in French only) for more information. 

2. What is considered sensitive personal information?

This refers to personal information that is considered particularly confidential or sensitive in nature. It may be more sensitive than general personal information because of the increased risk it poses in the event of unauthorized collection, processing, or disclosure. Information is considered sensitive if it is:

  • medical;
  • biometric (in French only); or
  • otherwise private in nature.
3. Are there any templates available that we can tailor to our business?

Many brochures, guides, and information sheets are available. Contact CFIB’s Business Resources team at 1-833-568-2342 for the right tools to help you prepare for your new obligations.

4. How do you anonymize former customers’ PI?

Information about a natural person is considered anonymized when it is reasonable to expect that it has been irreversibly altered so that the person can no longer be identified directly or indirectly. As Diane Poitras, president of the Commission d’accès à l’information, indicated in our webinar, the Commission considers it virtually impossible to anonymize a person’s PI, except when it comes to aggregated information such as statistics. The law states that PI must be anonymized in accordance with the terms set out in government regulations, which do not yet exist. However, you can destroy PI. For more information regarding the destruction of PI, see: Destruction procedure (in French only).
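The Commission's point that anonymization is "virtually impossible" except for aggregated statistics is easy to get wrong in practice: replacing a direct identifier with its hash looks irreversible but is not, because the space of possible inputs (a phone number, an email address) is small enough to enumerate. The following Python is an added example, not code from the CFIB page or the Commission; the customer records, phone numbers (555 exchange), secret key and the 5-person minimum group size are constructed assumptions for the demonstration.

```python
"""Added example (not from the CFIB page or the Commission): why hashing a
direct identifier is pseudonymization, not anonymization, and what
aggregation with small-group suppression looks like instead."""
import hashlib
import hmac
from typing import Optional

# Constructed sample of former-customer records; the phone numbers use the
# 555 exchange and do not belong to real people.
CUSTOMERS = [
    {"phone": "5145550142", "city": "Montréal", "spend": 210},
    {"phone": "5145550171", "city": "Montréal", "spend": 95},
    {"phone": "4385550338", "city": "Montréal", "spend": 340},
    {"phone": "5145550904", "city": "Montréal", "spend": 60},
    {"phone": "4385550512", "city": "Montréal", "spend": 125},
    {"phone": "5145550666", "city": "Montréal", "spend": 80},
    {"phone": "4505550217", "city": "Laval", "spend": 150},
    {"phone": "4505550491", "city": "Laval", "spend": 45},
    {"phone": "4185550077", "city": "Québec", "spend": 500},
]


def pseudonymize(phone: str) -> str:
    """Unkeyed SHA-256 of the phone number: looks opaque, but is reversible."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_pseudonymize(phone: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key (assumed to be held by the business): an
    outsider without the key cannot brute-force it, but the organization that
    holds the key can still re-identify the person, so this is still PI."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def reverse_hash(digest: str, prefix: str, suffix_digits: int) -> Optional[str]:
    """Dictionary attack: enumerate every number with the given prefix.
    A Canadian phone number has only 10^10 possibilities, far fewer once the
    area code and exchange are guessed, so SHA-256 offers no protection here."""
    for n in range(10 ** suffix_digits):
        candidate = f"{prefix}{n:0{suffix_digits}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def aggregate(records, key: str, min_group: int = 5) -> dict:
    """Aggregate to per-group counts and totals and drop groups smaller than
    min_group: a 'statistic' computed over one person is still that person's PI."""
    groups: dict = {}
    for r in records:
        g = groups.setdefault(r[key], {"count": 0, "total_spend": 0})
        g["count"] += 1
        g["total_spend"] += r["spend"]
    return {name: g for name, g in groups.items() if g["count"] >= min_group}


if __name__ == "__main__":
    target = CUSTOMERS[0]["phone"]
    digest = pseudonymize(target)
    print("hashed:", digest[:16], "... recovered:", reverse_hash(digest, "514555", 4))
    keyed = keyed_pseudonymize(target, b"secret-key-held-by-the-business")
    print("keyed hash recovered by outsider:", reverse_hash(keyed, "514555", 4))
    print("released statistics:", aggregate(CUSTOMERS, "city"))
```

The unkeyed hash is recovered after at most 10,000 guesses once the area code and exchange are known; the full 10-digit space is still within reach of commodity hardware. The keyed variant resists an outsider, but the business can reverse it at will, which is exactly why the Commission treats it as pseudonymized rather than anonymized PI. Only the suppressed aggregate (here, city totals for groups of at least five people) stops referring to an identifiable person, and even that fails if a group is small enough to be one customer.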

5. How do we determine the risk of injury? Is there an assessment template?

Applicable legislation requires public or private organizations, regardless of size, to conduct a Privacy Impact Assessment (PIA) (in French only). For any confidentiality incident, the organization must assess the severity of the risk of injury to the people concerned. In doing so, the organization must consider:

  • The sensitivity of the information concerned
  • The anticipated consequences of its use
  • The likelihood that such information will be used for injurious purposes

PIAs consider all the factors that have a positive or negative impact on the privacy of the people concerned:

  • The project’s compliance with applicable legislation governing the protection of PI and compliance with the principles supporting it
  • The identification of privacy risks related to the project and an assessment of their consequences
  • The implementation of strategies to avoid or effectively reduce these risks and their maintenance over time
6. Can a business have information that is considered personal information?

Yes. Examples include:

  • Customer information: Businesses often collect information such as their customers’ names, addresses, phone numbers, email addresses, and purchasing preferences.
  • Employee information: Businesses typically hold information about their employees, including their names, addresses, SINs, banking details, and tax information.
  • Business partner information: Businesses may hold information about their business partners, such as names, business contact information, and financial information. Information regarding the performance of an individual’s duties within a business is not subject to privacy legislation (see Question 1).
  • Marketing data: Businesses may collect marketing data, including customer preferences, purchasing habits, and marketing campaign monitoring information.
  • Web browsing data: If a business operates a website, it may collect information such as visitor IP addresses, cookies, and browsing preferences.
  • Billing data: Businesses typically retain information about financial transactions, such as invoices and receipts, which may contain personal data.

7. If we use an external payroll service (company), are we required to include the payroll service’s policy in our documents?

It would be prudent to review the payroll service’s confidentiality policy and consider it when formulating your own confidentiality policy. It is also recommended that you share this third party’s confidentiality policy with your employees, such as in an appendix to your own policy, as you remain responsible for the personal information that has been provided to you.

Businesses that collect personal information when providing technological products or services with privacy settings must ensure that the privacy settings provide the highest level of confidentiality by default, without any intervention by the person concerned.

You will need to provide additional information to the people concerned if you collect their information using technology that includes functions that can:

  • identify;
  • track; or
  • profile them.

Profiling is defined as “the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.”

In such cases, you will need to inform them:

  • That you are using such technology
  • Of the ways to enable those functions

You cannot activate these functions by default. The person concerned must be able to do so on their own, voluntarily. For more information on transparency requirements, see: Disclosures prior to collecting personal information (in French only).

8. Are we responsible for the PI provided by applicants through recruiting sites (names, postal addresses, email addresses, ages, etc.)? Do we have to manage the protection of such PI?

Yes. Once an applicant’s PI reaches you, whether through a recruiting site, by email, or in person, you are responsible for protecting it, just as you are for any other PI provided to you (see Question 7). In principle, a business must also limit its use of PI to uphold citizens’ right to privacy. 

  • The need to collect, use, or communicate PI to achieve your purposes must be assessed before valid consent is obtained.
  • Collecting PI is necessary, in accordance with applicable legislation, if the objective is legitimate, important, and real and the breach of privacy is proportionate to this objective.
  • Information may be collected, used, or communicated if it is clearly more useful to the organization or business than injurious to the person concerned.

9. How can we retain applicants’ résumés? They all contain PI.

Some best practices for retaining PI:

  • Identify PI: First, clearly identify the PI your organization holds. This includes not only obvious data (e.g., names and addresses), but also sensitive data (e.g., medical, financial, and identity information).
  • Minimize collection: Collect only PI that is required for specific and legitimate purposes. Avoid collecting unnecessary data that could jeopardize personal privacy.
  • Obtain informed consent: When collecting PI, obtain informed consent from individuals, clearly explaining how their data will be used and giving them the opportunity to give or withdraw consent. Consent gives the people concerned control over how their personal information is used and communicated. Organizations must obtain valid consent and should document it, along with the elements supporting its validity (see Question 12 for the validity criteria).
  • Keep PI secure: Implement appropriate security measures to protect personal information from unauthorized access, disclosure, loss, or theft. This includes encrypting or pseudonymizing data (true anonymization is rarely achievable; see Question 4), managing passwords, restricting access to PI, and providing staff with security training.
  • Limit PI retention: Determine an appropriate retention period for personal data and destroy it once it is no longer required for legal or business purposes. This period may vary depending on the nature of the data and local legal requirements.
  • Restrict access: Establish data access management policies that define who can access personal data and in what circumstances. Ensure that access is restricted to authorized individuals.
  • Train staff: Provide staff with regular training on privacy policies and procedures, so they understand the significance of data privacy and how to handle personal data securely.
  • Manage incidents: Implement incident management plans to respond quickly to personal data breaches. In the event of an incident, inform the Commission and the individuals concerned in accordance with the law.

10. Does Law 25 affect all types of businesses and organizations (B2Bs, non-profit organizations, public corporations, etc.)?

Law 25 applies to PI that any business or organization collects, holds, uses, and/or communicates to third parties. It aims to protect all PI, whatever its medium or the form in which it is accessible (written, graphic, audio, video, digitized). Law 25 also applies to professional bodies, religious congregations, political parties, independent Members of the National Assembly (MNAs), and independent candidates. 

Law 25 does not apply to journalistic, historical, or genealogical material collected, held, used, or communicated for the legitimate information of the public.

11. Is any training available to raise employee awareness?

CFIB provides cybersecurity and fraud prevention training to its members and their employees. CFIB’s Cybersecurity Academy can be accessed through the Member Portal.

CFIB members and their employees also have access to free courses through Vubiz, including a short course on protecting personal data (P1143EN).

Information capsules on various topics relevant to small businesses and not-for-profit organizations will also be available in the coming months on the Commission’s website.

12. If our employees use external applications (e.g., for medical insurance or their pay slips), do we need to notify them that these sites collect their personal information?

Posting a confidentiality policy is mandatory if you collect personal information using technology. This policy must be posted on your website or otherwise made available to the people concerned. 

Note that valid consent must meet the eight criteria set out in legislation:

  • Clear: Obvious and given in a way that demonstrates the true intent of the person concerned.
  • Free: Involving a real choice and given without constraints and undue pressure. Giving consent should be as easy as not giving it.
  • Informed: Accurate, given with full knowledge of the facts and all the necessary information to understand the scope of consent. The person giving consent must be capable of doing so (e.g., not be incapable or under 14 years of age).
  • Specific: Given with a precise and clearly defined purpose. The purposes of using or communicating personal information must be defined as precisely as possible.
  • Granular: It must be requested for each intended purpose. If there is more than one, consent must be sought separately for each purpose. This allows the person concerned to express their intent clearly, as they can accept or refuse each specific purpose.
  • Understandable: The request must be presented in simple and clear language, free of legal or organizational jargon, for both the information provided and the question or statement of acceptance or refusal.
  • Temporary: Valid solely for the time required to achieve the purposes for which it was requested. The term can be linked to a period of time (e.g., six months or three years) or an event (e.g., as soon as a payment is completed).
  • Separate: The request must be separate from the terms of use, privacy policies, signatures, etc. It must have its own section or interface which can be easily accessed by the person concerned.
13. If an employee does not consent to provide a required piece of personal information, do we have to tell them that they may lose their job?

It would be prudent to seek legal advice before dismissing an employee who refuses to give consent. Remember that consent must be free (of constraints and pressure) and informed (given with full knowledge of the facts).

In principle, consent cannot be free if it is a mandatory condition for access to a service, product, or employment. Accordingly, organizations must allow individuals to opt out of secondary purposes without influencing the original agreement. However, when using or communicating information is essential to providing a service, property, or accessing employment, it becomes linked to the organization’s primary purpose. If the organization complies with its obligation of transparency, the individuals consent to the required use or communication of information for this primary purpose by providing their information. If they do not provide this information, the organization cannot provide them with the service or property or allow them access to employment. It is entitled to refuse to do so.

14. Is truck geolocation data considered PI?

Geolocation data in itself is not typically considered personal information, as it does not directly reveal an individual’s identity. However, where the truck is assigned to a specific driver or the vehicle owner is known, the location history can identify that person indirectly, which makes it personal information under the definition in Question 1. You will need to provide additional information to the people concerned if you collect their information using technology that includes functions that can:

  • identify;
  • track; or
  • profile them.

For more information, see: Collection using technology (in French only).

15. Do we have to post a confidentiality policy on a purely informational website that only contains photos and information about the company?

Any business or organization carried on in Quebec by a person or company must comply with the law if it collects, holds, uses, or communicates the personal information of its customers (individuals) or employees. One of the new obligations is to post a confidentiality policy. If you collect personal information using technology, you must post your confidentiality policy on your website.

Its purpose is to provide the people concerned with all the information they need to make an informed decision when their information is collected and communicated.

16. Does separate consent apply to encrypted emails including pay slips, Records of Employment, and T4, T3, and similar slips?

The consent of the person concerned is required to communicate PI to a third party. The need to collect, use, or communicate personal information to achieve your purposes must be assessed before valid consent is obtained.

As of September 22, 2023, express consent must be given for sensitive PI that entails a high level of reasonable expectation of privacy. That is, consent must be explicitly expressed by a gesture or statement (oral or written) demonstrating the acceptance of the person concerned. Express consent leaves no doubt as to the person’s true intent.

An organization is free to develop consent mechanisms that are appropriate for its activities, as long as they comply with the law. These mechanisms should be tailored to the people involved, the context, and the type of interface used. The following are examples for express and implied consent: 

  • Express Consent:
    • Signing a document
    • Checking a box
    • Answering a question in the affirmative
    • Providing verbal approval
  • Implied consent:
    • Pre-checked checkbox that can be unchecked
    • Inference based on the person’s silence or inactivity
    • Inference based on another of the person’s actions

For more details on consent, see: Consent and PI collection (in French only). To help you understand the criteria for the validity of consent, the Commission has posted guidelines on the topic (in French only).

17. As health care professionals who need to share personal information with external bodies (RAMQ, CNESST, and other public bodies), are we required to obtain consent? Our professional body requires us to obtain this information to establish a file, which makes it mandatory to perform a service. 

In principle, businesses or organizations must obtain the consent of individuals to communicate their personal information. Express consent is required when the business or organization wants to use or release sensitive information. However, it is not required if such use or communication is necessary for the primary purpose and is announced at the time the information is collected. This consent may be subsequently withdrawn. 

As it does not require an active and positive gesture, implied consent should only be used when the following additional criteria are met: 

  • The use or communication of the information does not conflict with the individual’s reasonable expectations in the circumstances.
  • No risk of serious injury emerges from the intended use or communication.

However, the law allows you to communicate personal information without obtaining the consent of the person concerned in certain situations, including:

  • In an emergency or to prevent an act of violence
  • To enable a third party to carry out a mandate or perform a service or job contract that you have assigned to it
  • When a person or body submits a written request to you to use the information for the purpose of conducting research, a study, or producing statistics
  • In the event of a confidentiality incident, to notify a person or body likely to reduce the risk of serious injury (in French only)


The obligations under the Act respecting Access to documents held by public bodies and the Protection of personal information also apply to the documents and information held by professional bodies, to the extent permitted in the Professional Code.

For more information on exceptions, see: Exceptions to consent (in French only).

18. Do existing contracts need to be adapted or amended to comply with Law 25 as of September 22, 2023?

It is important to check and revise your current contracts to ensure compliance with the new obligations imposed by the Quebec government. See our dedicated page on this topic to learn more about these obligations. 

It is also important to note that CFIB cannot provide legal advice or expertise. If you require legal advice or representation in connection with your business operations, we recommend that you consult with a lawyer. While we cannot recommend a specific firm or lawyer, the following options may be helpful:

  • Barreau du Québec: Find a lawyer – Search by AREA OF LAW; this organization can help you find the right lawyer for the area of law that concerns you, close to your business. Check out the Find a lawyer – Search by LAWYER feature. You may also initially want to discuss the details of your situation with an affordable lawyer. The Barreau du Québec can help you find one: Access to justice – Referral services. Information: Doing business with a lawyer – First meeting with a lawyer.
  • Northbridge Insurance: One of our business partners, Northbridge Insurance, offers our members one year of access to free legal advice. Their Legal Assist service provides unlimited free legal advice over the phone on matters concerning your business, especially in the field of commercial law. Contact our Business Resources team at 1-833-568-2342 to find out how to take advantage of this service.

19. If our clients share PI (name, age, employment) with us, do we have an obligation with respect to consent or can we assume that our clients obtained consent prior to sharing it?

In principle, businesses or organizations must obtain the consent of individuals to communicate their personal information. However, it would be prudent for private businesses to check with the supplier or organization that provides the PI before collecting it.

The following disclosures must be made at the time of obtaining consent:

  • Who? Organization on behalf of which consent is sought.
  • Why? Purpose for which consent is sought.
  • What? Information (or at least the categories of information) concerned, as a reminder if a certain amount of time has elapsed since it was collected.
  • From whom? If applicable, name of any third parties or category of third parties outside the organization, from or for whom the organization will collect the information.
  • How? Means of using or communicating the information (mail, fully automated decision, etc.).
  • To whom? If applicable, name of any third parties or category of third parties, outside the organization, to whom the organization will communicate the information.
  • Outside Quebec? If applicable, the possibility that the information could be communicated outside Quebec.
  • What rights? Right to withdraw consent, right of access, and right of rectification, with details on how to exercise them.
  • Who can access the information? Categories of people within the organization who will have access to the information to achieve the intended purpose.
  • For how long? Validity period of consent.
  • Who to contact if need be? Contact information of the person in charge of the protection of personal information, who the people concerned can reach out to for more information or to exercise their rights.

20. Are there established minimum security standards (server protection, firewall, antivirus software, encryption, etc.) for protecting PI?

The minimum security standards to protect personal information vary in accordance with the statutes and regulations in each jurisdiction and area. You must implement appropriate security measures to ensure the protection of the personal information collected, used, communicated, retained, or destroyed. These measures must be reasonable given the sensitivity, purposes, quantity, distribution, and medium of the personal information. It is up to you to determine the security measures that meet this obligation for your specific business.

The following are some general practices that are considered minimum security standards to protect personal information:

  • Confidentiality: Personal information must be handled confidentially, i.e., it must not be accessible to unauthorized individuals. Access to data must be limited to employees and authorized parties as necessary for specific purposes.
  • Authentication and access control: Systems and data containing personal information must be protected by authentication methods, such as strong passwords, access cards, or biometric recognition systems, ideally combined as multi-factor authentication. Access to data must be granted on a need-to-know basis.
  • Data encryption: Personal data must be encrypted at rest, in transit and, where the technology allows, in use, to protect against unauthorized access in the event that equipment or backups are lost or stolen, or the data is transferred through an unsecured network. Encryption keys must be stored separately from the encrypted data; otherwise the protection is lost along with the device.
  • Vulnerability management: Organizations must have processes in place to identify and address security vulnerabilities in their systems and software to avoid potential breaches.
  • Monitoring and audits: Organizations should monitor activities involving personal data, record security events, and conduct regular audits to detect any suspicious activity.
  • Training and awareness: Employees must receive data security and privacy training to minimize the risks associated with the misuse of personal data.
  • Security incident management: Organizations must have a security incident response plan in place to respond quickly to personal data breaches and notify the relevant authorities and people concerned in accordance with applicable regulations.
  • Limited retention: Personal information must be retained no longer than necessary to fulfill the purposes for which it was collected. An appropriate retention policy must be in place.
  • Supplier contracts: Where third parties process personal data on behalf of your organization, data processing contracts must be established to ensure that these third parties meet the same security standards.
  • Compliance with local laws: Organizations must comply with local data protection statutes and regulations, such as the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA), and meet the minimum security standards specified under those regulations.


It is important to note that these minimum security standards may vary from place to place and change over time in response to evolving security threats. Staying informed of data security legislation and best practices in your region and industry is critical to ensuring appropriate protection of personal information.

CFIB provides cybersecurity and fraud prevention training to its members and their employees. CFIB’s Cybersecurity Academy can be accessed through the Member Portal.

21. Can a single consent encompass the collection, use, and communication of PI or is separate consent required for each purpose?

A private business may collect personal information to establish a file, but it must collect only the information necessary to carry out that task and protect that PI.

The business must also inform the concerned people of the following: 

  • The purpose of the file
  • How the information will be used
  • The categories of people within the business who will have access to it  
  • Where the file will be kept
  • Their rights of access or rectification 

Where consent is requested for a secondary use or the communication of PI when it is collected, an organization must provide: 

  • The information required to comply with its transparency obligations relating to the collection, including the primary purposes for which it is collecting the information.
  • Information about other purposes for which it is seeking consent. However, this must be done separately. There is a link between the informed nature of consent and the amount of information provided simultaneously to the person concerned. Presenting information separately, particularly if it concerns consent, reduces the risk of confusion.

If the request for consent is made in writing, it must be presented separately from any other information. It must be separate from terms of use, privacy policies, requests to confirm the validity of the information provided, commitments, signatures, etc.

For more information on consent, see: Consent and PI collection (in French only).

22. What does PI destruction mean? Do any basic standards apply?

Your chosen method of destruction must destroy personal information irreversibly. For paper documents, this often involves shredding. For electronic media, this may require the use of secure deletion software or the physical destruction of storage devices, and we recommend that you verify that the data has in fact been irreversibly erased. Keep records of your destruction process, including dates, the methods used, the individuals involved, and any other relevant information. This documentation may be useful in demonstrating your compliance with data protection legislation in the event of an audit or investigation.

The secure destruction of personal information is essential to protect the privacy of individuals and comply with data protection legislation. When in doubt, consult a legal or data security expert on how to proceed with the proper destruction of personal information. For further guidance on ensuring compliance when destroying documents relating to personal information, see this Commission fact sheet (in French only).

23. How long can we keep PI in our records? Does this differ by industry (health care vs. public sector vs. private sector)?

The validity period of consent is a different concept from the retention period of the information. The validity period of consent does not always line up with the destruction of the information. The length of time an organization can retain information depends on the purposes for which it is retained and applicable legislation. When an organization requests consent for a very long period of time, it should pay close attention to transparency on an ongoing basis. At appropriate intervals, it could remind the people concerned of the option to withdraw their consent at any time.

See our table: Personal information retention periods.

24. Does CFIB offer or recommend a service to help businesses with Law 25 compliance and everything it entails?

Apart from our business partners who are part of our Savings program, we are unable to recommend other professional bodies. However, to make your life easier, our team has taken the time to analyze this law, which can seem complex. Our Advisors are available to guide you and our dedicated website contains a host of resources to help you comply.

It is important to note that CFIB cannot provide legal advice or expertise. If you require legal advice or representation in connection with your business operations, we recommend that you consult with a lawyer. While we may not recommend a specific firm or lawyer, the following options may be helpful:

  • Barreau du Québec: Find a lawyer – Search by AREA OF LAW; this organization can help you find the right lawyer for the area of law that concerns you, close to your business. Check out the Find a lawyer – Search by LAWYER feature. You may also initially want to discuss the details of your situation with an affordable lawyer. The Barreau du Québec can help you find one: Access to justice – Referral services. Information: Doing business with a lawyer – First meeting with a lawyer.
  • Northbridge Insurance: One of our business partners, Northbridge Insurance, offers our members one year of access to free legal advice. Their Legal Assist service provides unlimited free legal advice over the phone on matters concerning your business, especially in the field of commercial law.

25. Will the public bodies with which we do business ask us to demonstrate our PI protection level?

Under the Act respecting Access to documents held by public bodies and the Protection of personal information, departments and public bodies must be as transparent about public records as they are vigilant about the protection of personal information held in the course of their duties.

As a result, the public bodies you work with may ask you about the security measures you are taking.

26. Can consent be obtained upon signing the service agreement?

Where the request for consent is made in writing, it must be presented separately from any other information communicated to the person concerned. Consent must be granular, that is to say, requested for each intended purpose. Granularity refers to a material composed of distinguishable pieces. In this context, it ensures that consent is truly free. Consent is not free if the person must use an all-in-one option to simultaneously refuse or accept multiple purposes or third parties to which the organization will communicate their information. Granular consent ensures that the person clearly expresses their intent for each specific purpose.

27. Can a customer request to erase images recorded by a security camera?

Subject to exceptions, any person has the right to be informed of the personal information concerning them held by a business and, if necessary, to request its rectification. This right applies regardless of the form in which the information is accessible (written, graphic, audio, video, digitized, etc.). For more information about rectifying a file regarding inaccurate, incomplete, or ambiguous information concerning you, see: Rectify your personal information (in French only).

As of September 22, 2023, individuals may ask businesses or organizations to cease disseminating their personal information or to de-index any hyperlink attached to their name that provides access to their information if this dissemination causes them injury or violates the law or a court order (right to erasure or to be forgotten).

28. What are a private company’s obligations in relation to personal files?

  • Right to consult: In principle, only the person concerned can have access to their file.
  • Cost: The person concerned should be able to examine the personal information contained in their file free of charge. However, the law establishes that a reasonable fee may be required to cover the costs of transcribing, sending, or reproducing the documents.
  • Time: Private companies have 30 calendar days (in French only) to respond upon receipt of the request.
  • Corrections: A request for rectification of personal information by the person concerned is made in writing to the person who holds the authority (owner, director, manager, etc.) within the private business that holds the information.
  • Retention: The file is retained until the purpose for which the information was collected has been accomplished.

29. What are the new obligations as of September 22, 2023?

30. What are the new obligations as of September 22, 2024?

Respond to requests for portability of personal information, that is, to transmit personal information at the request of a person concerned.