Privacy Policy (Quebec — Loi 25)

A Quebec Privacy Policy (Politique de confidentialité) is a mandatory legal document that explains how an organization collects, uses, stores, shares, and protects personal information about individuals in the province of Quebec. Unlike a generic Canadian privacy policy, a Quebec Privacy Policy must comply with the specific and more stringent requirements of Quebec's Loi 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels, L.Q. 2021, ch. 25), which significantly modernized the province's foundational privacy statute, the Loi sur la protection des renseignements personnels dans le secteur privé (LPRPSP, RLRQ, ch. P-39.1). Loi 25 entered into force in three phases between 2021 and 2023, introducing major new obligations including mandatory designation of a privacy officer (responsable de la protection des renseignements personnels), privacy impact assessments (évaluations des facteurs relatifs à la vie privée, or EFVP) before cross-border data transfers, explicit consent requirements, a right to erasure (droit à l'oubli), a right to data portability in structured formats, mandatory breach notification to both the Commission d'accès à l'information (CAI) and affected individuals, and substantial financial penalties. The policy must also be drafted in French in compliance with Quebec's Charter of the French Language and Bill 96, and must reference the individual rights established under the Charte des droits et libertés de la personne du Québec (article 5) and the Code civil du Québec (article 35), which enshrine the right to privacy as a fundamental right.

You need a Quebec Privacy Policy whenever your organization collects, uses, holds, or communicates personal information about Quebec residents, regardless of where your organization is physically located. Loi 25 applies to all private-sector organizations operating in Quebec or processing data about Quebec residents. Common situations requiring a Quebec Privacy Policy include operating a website, mobile application, or e-commerce platform accessible to Quebec users, running a physical business that collects customer information such as names, addresses, email addresses, or payment information, operating a SaaS or cloud-based service used by Quebec businesses or consumers, conducting market research or surveys involving Quebec residents, managing employee records for staff working in Quebec, collecting health or insurance information in the province, and operating any loyalty program, subscription service, or membership organization in Quebec. Even organizations headquartered outside Quebec but serving Quebec customers must comply with Loi 25 and therefore need a compliant Quebec Privacy Policy. The policy must be publicly accessible, typically on your website, and must be written in French per the Charter of the French Language.

Key elements of a Loi 25-compliant Quebec Privacy Policy include the mandatory designation and identification of a privacy officer (responsable de la protection des renseignements personnels) with contact information, as required by article 3.1 LPRPSP. The policy must identify the legal basis for the policy, explicitly referencing the LPRPSP as amended by Loi 25, the federal PIPEDA for interprovincial activities, and the Quebec Charter of Human Rights (article 5) and Civil Code (article 35). A detailed section on the categories of personal information collected must be included, with special attention to sensitive information (health, biometric, financial) which requires enhanced protection under Loi 25. The purposes of collection must be specific, explicit, and legitimate under article 4 LPRPSP, and the policy must confirm that no information is collected beyond what is necessary. Consent provisions must explain how consent is obtained, what happens when consent is refused, and how individuals can withdraw consent. Third-party sharing must be described in detail, including a statement that organizations must enter into contractual agreements with third parties to ensure equivalent protection. Cross-border transfer provisions must reference the EFVP requirement under article 17 LPRPSP and list destination countries and protection measures. Individual rights must be clearly stated including access, rectification, erasure (droit à l'oubli, art. 28.1 LPRPSP), portability (art. 27.1 LPRPSP, in force September 22, 2023), and the right to file a complaint with the CAI. Cookie and tracking technology disclosures are required for websites. Security measures must be described, including the incident notification obligation under article 3.5 LPRPSP. Finally, the policy must explain how changes will be communicated and provide contact information for privacy requests.