To add to your New Year’s resolutions for this year—a new and improved privacy policy!‎

As we dive into 2024, businesses operating in Québec should include among their New Year’s resolutions a review and overhaul of their privacy and data protection practices.

Since the majority of the new provisions of the Act respecting the protection of personal information in the private sector (the “Private Sector Act”) came into effect on September 22, 2023, businesses in Québec have had the obligation to adopt certain policies regarding privacy and data protection, including a privacy policy (referred to in the Private Sector Act as a “confidentiality policy”). Privacy policies inform an individual of the fact that their personal information is being collected, details regarding the manner in which it is used and disclosed, and of their rights in that respect.

To assist businesses in drafting their privacy policies, the Commission d'accès à l'information du Québec (Québec’s regulator in matters of privacy and data protection) recently published a guide on the subject, entitled Drafting a confidentiality policy (Rédiger une politique de confidentialité in the French original and available solely in French) (the “Guide”).

According to the Guide, a business’ privacy policy must contain the following information:

• name of the business;
• effective date and date of last update of the privacy policy;
• technological means used ( for example, e-mails sent to the business, appointment request forms, cookies, videosurveillance etc.);
• names of third parties who may collect information on behalf of the business;
• location-tracking, identification or profiling technologies used and, if applicable, how to activate them given that these are required to be deactivated by default;
• personal information collected and purposes of such collection;
• how to refuse consent to the collection of certain information (for example, by refusing to create an account in order to complete a purchase) and the possible consequences of such refusal (for example, the inability to participate in the business’ loyalty points program);
• categories of persons who have access to the information;
• information that may be communicated to third parties, the purposes of such transfer, the name or categories of such third parties, and whether or not such information may be transferred out of the province; and
• rights of access, updating of personal information, rectification and complaint procedures.

The Guide also provides drafting advice, an important element given that the Private Sector Act requires policies to be drafted in “clear and simple language”. Meeting this requirement can be a challenge, given the prevalence of technical terms in the privacy space. The Guide suggests, among other things, that businesses should:

• identify their target audience and adapt the style and the tone of its policy accordingly;
• identify key points of interest for the target audience and remove any unnecessary information;
• adopt plain language (for example,  by drafting sentences using the words “you” and “we”) and use short sentences and accessible vocabulary;
• test the policy with the target audience; and
• re-examine and, if necessary, amend the policy on a regular basis.

Although the Guide does not have the force of law, it is nevertheless an interesting and useful tool for businesses operating in Québec. The Guide is part of a concerted effort by the Commission d'accès à l'information to provide the public with more tools and information on the interpretation of the new Private Sector Act, an initiative that has been requested by businesses and practitioners alike since its adoption in 2021.