Québec’s Act respecting the protection of personal information in the privacy sector (the “Private Sector Act”) underwent significant amendments which came into force on September 22, 2023, impacting all businesses that collect, hold, use or communicate personal information throughout the province.
Among the numerous changes to the Private Sector Act is the obligation for businesses that collect personal information by technological means to publish a confidentiality policy drafted in clear and simple language. The concept of “technological means” might have a wide scope and should include, without limitation, websites, applications, cookies, emails, video surveillance and connected objects.
- how personal information is collected (e.g. by emails, through a request form, with cookies, etc.);
- the third parties which collect personal information on behalf of the business, such as a technology service provider, a service provider handling complaints from customers, etc.;
- if the business collects personal information using technology that includes functions allowing the individuals to be identified, located or profiled (e.g. cookies), information on the use of such technology, which must be disabled by default, and which requires a “pop-up” or a banner ad requesting an express consent;
- a description of the personal information that is collected;
- the purposes for which personal information is collected;
- the measures available to refuse the collection of certain personal information and the possible consequences, if any;
- the categories of employees within the business that have access to the personal information;
- the name or categories of third parties (including service providers) with whom the business will share personal information or that will otherwise have access to the personal information;
- the measures used by the business to safeguard the personal information;
- the rights of the individuals whose personal information is collected to access and rectify the information, to withdraw their consent and to file a complaint; and
- the title and contact information of the business’ privacy officer.
The CAI has indicated that further tools will be provided in the coming months to support businesses in their compliance with the Private Sector Act and its recent amendments.
Businesses should also keep in mind that the CAI recently published, on October 31, 2023, lengthy and detailed guidelines on the validity criteria of consents, in French only, that complement the Guidelines on privacy policies and should also be referred to in the review of privacy policies