New guidelines on Québec privacy policies

February 1, 2024 | Alexandre Ajami, Jessica Modafferi

Québec’s Act respecting the protection of personal information in the privacy sector (the “Private Sector Act”) underwent significant amendments which came into force on September 22, 2023, impacting all businesses that collect, hold, use or communicate personal information throughout the province.

Among the numerous changes to the Private Sector Act is the obligation for businesses that collect personal information by technological means to publish a confidentiality policy drafted in clear and simple language. The concept of “technological means” might have a wide scope and should include, without limitation, websites, applications, cookies, emails, video surveillance and connected objects.

On December 18, 2023, the Commission d’accès à l’information du Québec (“CAI”), the governmental body tasked with enforcing the Private Sector Act, released guidance on the drafting of privacy policies, which were published in French only (the “Guidelines”). While the Guidelines do not have force of law, they do provide insight as to how the CAI will interpret and apply the Private Sector Act. A comprehensive review of a business privacy policy should therefore take these Guidelines into consideration.

The privacy policy must be separate from other documents such as terms and conditions. In addition to a privacy policy, businesses must also have in place a personal information governance policy that must at least describe the following: roles and responsibilities of the members of its personnel in the governance of personal information, from collection to destruction; rules for retaining and destroying personal information; a process for dealing with complaints regarding the protection of personal information. Detailed information about this governance policy must be published in simple and clear language on the business’ website or, if the business does not have a website, made available by any other appropriate means.

The privacy policy must be drafted in clear and simple language and published on the business’ website and by any other appropriate means, as necessary. The Guidelines specify that depending on the context, the privacy policy must be made available through a link to consult before ordering online, a message displayed the first time a mobile application is used, or in a booklet included in the packaging of a connected object.

The Guidelines include recommendations on the content of a compliant privacy policy. The Guidelines provide that a privacy policy should minimally include the following information:

  • how personal information is collected (e.g. by emails, through a request form, with cookies, etc.);
  • the third parties which collect personal information on behalf of the business, such as a technology service provider, a service provider handling complaints from customers, etc.;
  • if the business collects personal information using technology that includes functions allowing the individuals to be identified, located or profiled (e.g. cookies), information on the use of such technology, which must be disabled by default, and which requires a “pop-up” or a banner ad requesting an express consent;
  • a description of the personal information that is collected;
  • the purposes for which personal information is collected;
  • the measures available to refuse the collection of certain personal information and the possible consequences, if any;
  • the categories of employees within the business that have access to the personal information;
  • the name or categories of third parties (including service providers) with whom the business will share personal information or that will otherwise have access to the personal information;
  • the measures used by the business to safeguard the personal information;
  • the rights of the individuals whose personal information is collected to access and rectify the information, to withdraw their consent and to file a complaint; and
  • the title and contact information of the business’ privacy officer.

The Guidelines are also useful in providing practical examples of these elements that are encouraged to be included in a privacy policy.

In addition to providing guidance on content, the Guidelines include drafting recommendations, emphasizing the importance of communicating the information in a clear, precise and simple manner. The Guidelines recommend that privacy policies should be assessed from the point of view of its audience and should only include relevant information. Further, particularly sensitive information should be brought to the reader’s attention, headers should be properly employed so that the reader can easily navigate the policy and technical terms should be defined. The privacy policy’s tone is also important: authoritarian, cold or threatening language should be avoided. The page layout must ensure that the privacy policy is easy to read.

The CAI has indicated that further tools will be provided in the coming months to support businesses in their compliance with the Private Sector Act and its recent amendments.

Businesses should also keep in mind that the CAI recently published, on October 31, 2023, lengthy and detailed guidelines on the validity criteria of consents, in French only, that complement the Guidelines on privacy policies and should also be referred to in the review of privacy policies

Subscribe to our newsletters to stay up-to date on further guidance and the evolving landscape of Canadian privacy laws. Hoping to rework your privacy policy in 2024? Our Privacy and Data Protection team has the requisite knowledge to support your business.


This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.