Quebec’s Law 25: business cases, legal impacts and solutions
Legislation modernizing legal provisions for the protection of personal information (called Law 25) strengthens regulations around privacy protection for Quebec residents. The new requirements specifically target the collection of personal data online using digital tools. In September of 2023, a number of provisions of the new law introduced major changes into how the digital ecosystem operates.

I had the opportunity to discuss these new provisions and concrete business cases with Simon Du Perron during a webinar last April 12. Watch the webinar here to learn more about how the law works and its many grey areas.

Data types

The goal of Law 25 is to protect the personal information of citizens. Personal information refers to data that can specifically identify a person. When it is not possible to directly or indirectly identify a person by the information provided, such data is referred to as anonymized or de-identified data. Law 25 concerns all these types of data.

The concept of sensitive information is an important one. For example, information concerning someone's health, sexual orientation or finances is generally considered part of this type of information, and its presence within a data-gathering process changes the kind of consent that is needed.

Key concepts: The collection and use of data

The law regulates two key moments in the data life cycle: the moment when the data is collected or captured and the use made of it by an organization.

Companies must state clearly in their privacy policy how they use personal information. The idea here is to describe the possible reasons for using this personal data as clearly as possible, in the simplest and most accessible language possible. Law 25 has not introduced any changes to this requirement. Rather, it is the collection of personal information that is now better regulated. Collection must be mutually consented to. This means switching from an opt-out model to an opt-in model: it is the advertiser who must ask the consumer for consent, rather than the consumer who, when exposed to content, must withdraw a consent they had never given in the first place.

Also, technology that allows identification, geolocation or profiling of the user must be deactivated by default and activated only when consent is given by the user, which is a big change for marketing professionals. There are a few concrete use cases that will show clearly how their work is affected by the new Law 25. 

Case 1: Collection and enhancement of primary data

Since consent is at the heart of Law 25, it's important to understand what that entails, particularly in three major areas:

  • implicit consent is opt-out consent, which means that by using a company's product or service, such as its website, the user accepts the privacy policy, which must be easily accessible;
  • consent to activate technologies (cookie banner) involves asking the user whether data collection technology can be activated in what is generally called a cookie banner, because data collection must be deactivated by default;
  • explicit or express consent involves obtaining documentation of consent being given, particularly in cases where sensitive information is required for the proper functioning of a collection process. Explicit consent is like signing a formal contract. In such cases, the cookie banner is not enough.

While some situations don't theoretically require consent, such as for de-identified data used internally, any data collection still requires consent. In addition, while data collection on digital platforms is more affected, all data collection falls under the jurisdiction of Law 25.

Case 2: Audience sharing

Remarketing is probably the most used tactic in marketing in the past five or ten years. This easy, automated and high-performing tactic, aimed at qualified customers, involves audience sharing. More specifically, companies that use this practice share audiences with an external media platform, generally Meta or Google, which targets the audiences in question when they access its network. No matter what type of audience sharing is used, companies that use this practice must obtain users' consent before activating the technology, in addition to explaining in their privacy policy how the data is used. The following tactics are therefore directly affected:

  • Remarketing (search, display, video)
  • Inclusion or exclusion of audiences (example: Home Depot)
  • Audience expansion (lookalike modelling) and enrichment

Data collected before September 2023 can still be used given the privacy policy in effect at the time of collection. Only data collection after this date requires new consent to be obtained.

Case 3: Performance tracking and optimization

For performance tracking and optimization, marketing specialists often think of Google Analytics, which is used in particular to analyze performance with aggregated, non-personal data. However, this tool can only be activated once consent has been obtained, so that companies using the data can be sure that it has been collected within the parameters of the new law. In theory, we can use Google Analytics data without the cookie ID parameter to perform statistical analysis without consent, but in practice, the data has to be collected first. That collection requires consent to activate the technology.

The situation is basically the same for all the other tools for gathering statistics, as long as no technology is activated. However, analysis of transactional data in-store or non-personal data is possible without consent, since it does not require the activation of a particular technology for data collection.

Case 4: Partnerships and secondary data

Partnerships and the sharing of secondary data strangely resemble audience sharing, apart from the fact that they involve sharing audiences with a partner. An example of this would be a tour operator making available its audience of users who have recently booked a vacation package in the south to a company that sells swimwear.

The tour operator must clearly state in its privacy policy that they may share the personal information collected with a partner for promotional purposes. The more specific the explanation, the better. According to some legal experts, it's enough to just indicate the type of partner so as to retain some flexibility for future agreements. In the opinion of others, the exact name of the partner must be part of the policy, which makes partnerships in the long term unrealistic.

Case 5: Personalization and customer experience

If the goal of capturing personal data is to personalize customer experience for non-essential purposes, the activation of data-capture technology must be performed after consent is obtained, and the potential use must have been explained in the privacy policy. The only exception to this requirement concerns cases where data collection is essential to the delivery of a product or service.

For example, if a firm asks a user to provide their address to receive an order, the firm is not obliged to require consent. However, if the firm wants to collect data related to the location of the customer for the purposes of presenting them with local offers or adding their preferred title to a profile, it must ask for implicit consent for use, and this must be before activating the data capture technology. 

For sensitive data, the company must go even further and obtain explicit consent in the form of a contract.

Possible solutions for complying with the regulations and also respecting the privacy of users to create sustainable audiences

There are several possibilities for facilitating the shift towards a greater respect for privacy that go a lot further than Law 25. This new paradigm involves the expectations of consumers, who will always demand more and more from companies.

Data inventory (or even better: data strategy)

The challenge in conforming to Law 25 often lies in its lack of clarity regarding data that has already been collected and how it is used by the different departments of a company. The first sensible step to take is to document your inventory of data. More importantly, it should be determined what the company's needs are in terms of collecting data to support its business growth. This exercise will particularly help you determine what an optimal data-collection strategy is that will also enable you to comprehend how to conform to legislation.

Relationship program and unified data

Relationship or loyalty programs have the advantage of putting users through an enrolment process that combines all the necessary consents into a single request. In addition, this process is an excellent opportunity for explaining in detail the advantages of sharing data for the user. Also, a relationship program often involves data unification which lets you ensure respect for consent within an organization. More specifically, if a user gives or withdraws their consent, it is harder for the company to respect their wishes and remove their data in every channel if these data are not unified.

Consent management platforms

If in the short term organizations can develop an in-house cookie banner, they can quickly respond to the complexity of legal requirements. Quebec is one of the first territories in North America to update its laws on personal data, but others will follow. This means it will become more complex to track and document all the different types of consent needed for different areas, and consent management platforms will become necessary. Such software already exists and is hugely popular! It's a good idea to get guidance on how to choose and set up a consent management platform (CMP) (that's right, another acronym to learn!).

Econometric approaches

Given the erosion of third-party cookies, the tightening of protections for user privacy and the degradation of performance signals, individual tracking of users is not reliable and now requires too much consent for the value it returns. Adviso recommends more probabilistic and econometric approaches that let you see at a more macro view the impact of various marketing initiatives for an organization. Marketing mix modelling (MMM) as well as causal analysis are part of these approaches.

Evaluating conformity and acceptability for users

During the webinar, Simon Du Perron explained that companies can also perform a preliminary privacy impact assessment (PPIA) to evaluate the necessity or reasonableness of a marketing initiative. Given Law 25 is still a recent imposition and replete with grey areas, this type of initiative provides better protection in the event of a misunderstanding. With this kind of positive evaluation in hand, a company that receives a complaint should be better protected as well as less exposed to the hefty fines planned by the Commission d’accès à l’information du Québec or even the courts.

Optimize your consent rate

Consent has to be earned and the onus is now on companies to obtain it. The process by which consent is offered will have a huge impact on the consent rate attained. As with other activities, it's possible to optimize this rate using tests and design processes focused on the user. Companies that invest in such a process will have higher rates and can access more data to support their acquisition and loyalty initiatives. At Adviso, we see some consent rates as low as 10% while others are as high as 90%!

Closing remarks

If we're being honest, marketing teams have not exactly been obsessed with terms and conditions, privacy policies and protecting user data. This shift in favour of users and the legal changes in Quebec likely represent a positive direction for society as a whole, but also for businesses. Basically, by making the effort to conform to the legislation, companies will certainly give their data collection muscles a workout, along with the data enhancement that they have long overlooked in favour of using third-party data.

Furthermore, the lack of communication between marketing and legal departments harms users. Greater collaboration between marketing managers and legal departments, and greater flexibility on both sides, will not just enable companies to conform to legislation, but also result in better business performance.