Quebec’s Law 25 and what it means for nonprofits.

Quebec is no stranger to privacy laws. It was the first province to establish privacy legislation in the early 1990’s, but those laws didn’t have too much actual power.¹ Law 25 changes that.

Law 25 (formerly Bill 64) adapts the existing laws protecting the personal information of Quebecors to the digital and technological realities of today and add requirements for anyone doing business within Quebec—not just organizations based in Quebec.

‍

The TL;DR:

The new rules and regulations apply to any private organization (enterprise) that collects, process or communicates personal information.²
If you’re nonprofit organization doesn’t collect or store the personal information of your volunteers, donors or team members, you can skip this article and just contact any third party providers you use (like Zeffy) and ask them if they are following the rules and regulations of Law 25.
If you use Zeffy’s fundraising platform, you’re in the clear: we are following the rules and regulations of Law 25 to a tee.
If you store any personal information about your volunteers, donors or team members, keep reading.

‍

Law 25 is being introduced gradually giving nonprofits time to prepare.

Designed to protect Québecors and their personal information, Law 25 holds organizations accountable for the data they collect and store and requires them to clearly explain why they are asking for your information and how they plan on using it.

Some provisions came into effect on September 22, 2022 and the rest will come into effect in September 2023 and September 2024.³

‍

What are a nonprofit’s obligations under Law 25?

In classic law fashion, there’s some pretty ambiguous language being used and that means there is no clear list of organizations that need to follow Law 25. It only states that any private enterprise that collects, process or communicates personal information is subject to the new rules and regulations.⁴ And that includes nonprofit and charity organizations.

Under Quebec law, an enterprise is an “organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.”⁵

Phew. So, for example, unions and private clinics, such as a psychiatrist, are considered enterprises. Spiritual organizations and religions are not considered enterprises because their main purposes are spiritual, not economic. But it’s all pretty murky.

When in doubt, it’s best to follow the regulations in Law 25 (they’re designed to be in the best interest of your donors after all), or seek out a professional opinion.

So, if your nonprofit organization does collect and store personal information what do you need to do?

Let’s break down what needs to be done and when.

‍

As of September 22, 2022, all organizations—including nonprofits—must:

Appoint a Privacy Officer for your nonprofit.

Your nonprofit organization needs a Privacy Officer to implement and ensure your nonprofit follows Law 25.⁶

A few things to keep in mind:

The Privacy Officer needs to be the highest authority in your organization. (For example, the CEO.)
If the highest authority in your organization does not want to be the Privacy Officer, they can delegate this role to someone within your organization.
The Privacy Officer’s contact details must be published on your website.
The necessary resources (human, technical and financial) need to be made available so your Privacy Officer can successfully comply with Law 25.

‍

Start keeping a record of confidentiality incidents.

You know need to start keeping a record of confidentiality incidents (such as a data breach) in case the Commission d’accès à l’information requests it.⁶

What that means for your nonprofit:

Take an inventory of the personal information your nonprofit (or a third party on your nonprofits behalf) keeps and assess its sensitivity.
Put measures in place to prevent or limit the risk of a confidentiality incident.
Establish a response plan that your organization will follow if a data breach happens.

Of course, there’s an exception to every rule.

New rules allow you to disclose personal information without consent when it’s part of a commercial transaction. (For example, when accepting a donation through a third party fundraising platform such as Zeffy you can share the information needed to complete the transaction.) However, it is your responsibility to make sure all parties are following Law 25.⁶

‍

As of September 22, 2023 a nonprofit that collects and stores personal information needs to:

Create or update a privacy policy that clearly defines the personal information you collect and store and what you do with it. Your privacy policy must be easy to understand and be available on your nonprofit’s website or, if you don’t have a website, in another accessible place.⁶
Implement “privacy-by-default”.¹ (This means that, by default, you cannot collect or store any personal information. You now need consent every time you collect someone’s personal information.)
Get to know the new rules surrounding the consent you need in order to collect, disclose or use personal information.
Be able to destroy personal information when you are done with it. Or, know how to anonymize it to use the data for serious and legitimate purposes afterwards.^1,6
Follow the new transparency rules:¹
Provide a simple and clear explanation of why you need someone’s personal information and how you plan to use it.
Clearly present and obtain consent every time you collect someone’s personal information.
Inform someone when their personal information has been part of an automated decision making process.
Inform someone before using a technology that could identify, locate, or profile them and how to turn it off or avoid it.
Distribute your privacy policies and procedures to everyone whose personal information you collect using technology (such as your website or application).
Deal with the requests and complaints concerning your nonprofit’s management of personal information.
Create and conduct a Privacy Impact Assessment when required. (For example before disclosing personal information outside of Quebec.)
Comply with the new disclosure of personnel information rules outside Quebec.
Respect the new rules surrounding the collection of a minor’s personal information. (Parents must consent to the collection, use and release of personal information of a minor under 14 years of age.)
Respect the right to cease dissemination, re-indexing or de-indexation (or the right to be forgotten).

See Vers la conformité à la Loi sur le privé for more information or New Privacy Obligations for Businesses.

‍

By September 22, 2024, nonprofits will need to:

Ensure your data management systems allow personal information to be downloaded and transferred. (Loi 25 / Bill 64 - Privacy changes are coming to Québec: Are you ready?^1,6

‍

Yes, there are fines if your nonprofit doesn’t follow Law 25.

The Commission d’accès à l’information du Québec can impose penalties for non-compliance of up to $25 million or 4% of a company’s worldwide sales. (Whichever is greater.)⁸

‍

That was a lot of info. What’s a nonprofit to do?

When in doubt, if you store your donor’s personal information, we suggest following the rules and regulations laid out in Law 25. If you don’t store any of your donor’s personal information, but work with third-party services (such as Zeffy) to help you manage your fundraising activities, we suggest checking with them to make sure they are following all the rules and regulations of Law 25. (Zeffy follows them to a tee!)

McMillan has released a two part series explaining Law 25 and both episodes are worth a listen:

Part 1 | Privacy 101 – Obligations Under Québec’s New Act 25: Why your business needs a privacy officer now

Part 2 | Privacy 101 – Obligations Under Québec’s New Act 25: Why you must now record and report privacy violations

And, Didomi is an excellent resource (in English and French).

Oh, and follow the Commission d’accès à l’information du Québec on Twitter to stay up to date on it all.