Quebec’s Law 25: business cases, legal impacts and solutions
Legislation modernizing legal provisions for the protection of personal information (called Law 25) strengthens regulations around privacy protection for Quebec residents. The new requirements specifically target the collection of personal data online using digital tools. In September of 2023, a number of provisions of the new law introduced major changes into how the digital ecosystem operates.
I had the opportunity to discuss these new provisions and concrete business cases with Simon Du Perron during a webinar last April 12. Watch the webinar here to learn more about how the law works and its many grey areas.
The goal of Law 25 is to protect the personal information of citizens. Personal information refers to data that can specifically identify a person. When it is not possible to directly or indirectly identify a person by the information provided, such data is referred to as anonymized or de-identified data. Law 25 concerns all these types of data.
The concept of sensitive information is an important one. For example, information concerning someone's health, sexual orientation or finances is generally considered part of this type of information, and its presence within a data-gathering process changes the kind of consent that is needed.
Key concepts: The collection and use of data
The law regulates two key moments in the data life cycle: the moment when the data is collected or captured and the use made of it by an organization.
Also, technology that allows identification, geolocation or profiling of the user must be deactivated by default and activated only when consent is given by the user, which is a big change for marketing professionals. There are a few concrete use cases that will show clearly how their work is affected by the new Law 25.
Case 1: Collection and enhancement of primary data
Since consent is at the heart of Law 25, it's important to understand what that entails, particularly in three major areas:
- consent to activate technologies (cookie banner) involves asking the user whether data collection technology can be activated in what is generally called a cookie banner, because data collection must be deactivated by default;
- explicit or express consent involves obtaining documentation of consent being given, particularly in cases where sensitive information is required for the proper functioning of a collection process. Explicit consent is like signing a formal contract. In such cases, the cookie banner is not enough.
While some situations don't theoretically require consent, such as for de-identified data used internally, any data collection still requires consent. In addition, while data collection on digital platforms is more affected, all data collection falls under the jurisdiction of Law 25.
Case 2: Audience sharing
- Remarketing (search, display, video)
- Inclusion or exclusion of audiences (example: Home Depot)
- Audience expansion (lookalike modelling) and enrichment
Case 3: Performance tracking and optimization
For performance tracking and optimization, marketing specialists often think of Google Analytics, which is used in particular to analyze performance with aggregated, non-personal data. However, this tool can only be activated once consent has been obtained, so that companies using the data can be sure that it has been collected within the parameters of the new law. In theory, we can use Google Analytics data without the cookie ID parameter to perform statistical analysis without consent, but in practice, the data still has to be collected, and that collection first requires consent to activate the technology.
The situation is basically the same for all the other tools for gathering statistics, as long as no technology is activated. However, analysis of transactional data in-store or non-personal data is possible without consent, since it does not require the activation of a particular technology for data collection.
Case 4: Partnerships and secondary data
Partnerships and the sharing of secondary data closely resemble audience sharing, apart from the fact that they involve sharing audiences with a partner. An example of this would be a tour operator making available its audience of users who have recently booked a vacation package in the south to a company that sells swimwear.
Case 5: Personalization and customer experience
For example, if a firm asks a user to provide their address to receive an order, the firm is not obliged to require consent. However, if the firm wants to collect data related to the location of the customer for the purposes of presenting them with local offers or adding their preferred title to a profile, it must ask for implicit consent for use, and it must do so before activating the data capture technology.
For sensitive data, the company must go even further and obtain explicit consent in the form of a contract.
Possible solutions for complying with the regulations and also respecting the privacy of users to create sustainable audiences
There are several possibilities for facilitating the shift towards a greater respect for privacy that go a lot further than Law 25. This new paradigm involves the expectations of consumers, who will always demand more and more from companies.
Data inventory (or even better: data strategy)
The challenge in conforming to Law 25 often lies in a lack of clarity about what data has already been collected and how it is used by the different departments of a company. The first sensible step to take is to document your inventory of data. More importantly, it should be determined what the company's needs are in terms of collecting data to support its business growth. This exercise will help you determine an optimal data-collection strategy and understand how to conform to the legislation.
Relationship program and unified data
Relationship or loyalty programs have the advantage of putting users through an enrolment process that combines all the necessary consents into a single request. In addition, this process is an excellent opportunity to explain in detail the advantages of sharing data for the user. A relationship program also often involves data unification, which lets you ensure respect for consent within an organization. More specifically, if a user gives or withdraws their consent, it is harder for the company to respect their wishes and remove their data in every channel if these data are not unified.
Consent management platforms
If in the short term organizations can develop an in-house cookie banner, they can quickly respond to the complexity of legal requirements. Quebec is one of the first territories in North America to update its laws on personal data, but others will follow. This means it will become more complex to track and document all the different types of consent needed for different areas, and consent management platforms will become necessary. Such software already exists and is hugely popular! It's a good idea to get guidance on how to choose and set up a consent management platform (CMP) (that's right, another acronym to learn!).
Given the erosion of third-party cookies, the tightening of protections for user privacy and the degradation of performance signals, individual tracking of users is not reliable and now requires too much consent for the value it returns. Adviso recommends more probabilistic and econometric approaches that let you see, at a more macro level, the impact of various marketing initiatives for an organization. Marketing mix modelling (MMM) and causal analysis are among these approaches.
Evaluating conformity and acceptability for users
During the webinar, Simon Du Perron explained that companies can also perform a preliminary privacy impact assessment (PPIA) to evaluate the necessity or reasonableness of a marketing initiative. Given Law 25 is still a recent imposition and replete with grey areas, this type of initiative provides better protection in the event of a misunderstanding. With this kind of positive evaluation in hand, a company that receives a complaint should be better protected as well as less exposed to the hefty fines planned by the Commission d’accès à l’information du Québec or even the courts.
Optimize your consent rate
Consent has to be earned and the onus is now on companies to obtain it. The process by which consent is offered will have a huge impact on the consent rate attained. As with other activities, it's possible to optimize this rate using tests and design processes focused on the user. Companies that invest in such a process will have higher rates and can access more data to support their acquisition and loyalty initiatives. At Adviso, we see some consent rates as low as 10% while others are as high as 90%!
If we're being honest, marketing teams have not exactly been obsessed with terms and conditions, privacy policies and protecting user data. This shift in favour of users and the legal changes in Quebec likely represent a positive direction for society as a whole, but also for businesses. Basically, by making the effort to conform to the legislation, companies will certainly give their data collection muscles a workout, as well as the data enhancement that they have long overlooked in favour of using third-party data.
Furthermore, the lack of communication between marketing and legal departments harms users. Greater collaboration between marketing managers and legal departments, and greater flexibility on both sides, will not just enable companies to conform to legislation, but also result in better business performance.