Since September 22, 2023, organizations with operations in Quebec must publish a privacy policy on their website if they collect personal information by any technological means (for example, via an email address, a website or a mobile app).
On December 18, 2023, Quebec's privacy regulator, the Commission d'accès à l'information (CAI), published a crucial guide for organizations seeking clarity in drafting and revising their privacy policies. You can access Gowling WLG's unofficial translation of the Guide here (official version only available in French).
Here are the top three takeaways from the CAI's Explanatory Guide on Drafting a Privacy Policy:
1. Understanding the dual nature of privacy policies
The CAI's Guide makes a pivotal distinction between two different types of policies: the confidentiality (or online) policy, and other privacy policies.
The former, as required by section 8.2 of the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1, the Quebec Privacy Act), is necessary for organizations that collect personal information through technological means, typically on websites or digital platforms.
In contrast, the latter, required by section 3.2 of the same act, covers broader aspects of personal information protection within an organization. These policies will generally outline how an organization manages all personal information, not just the information collected online, and includes practices related to data storage, access and protection measures. Understanding this distinction is crucial for compliance and effective privacy management.
2. Clarity is key: Tips for simplified language
The CAI's Guide emphasizes the importance of clear and simple language in drafting privacy policies. It offers practical tips on writing policies that are easily understandable by a wide audience. While these are not strict requirements, they present best practices for all privacy professionals wanting to ensure their policies are accessible to all.
The CAI's Guide also contains tools and ideas, which could be quite useful for privacy professionals looking to "test" their privacy policy prior to publication (or when conducting a review of their existing privacy policy). By testing the policy with a diverse group, organizations can ensure that their privacy policies are not only compliant but also clear, understandable and implementable across the entire organization.
3. Notification of policy modifications
Unfortunately, the CAI's Guide does not provide any clarification regarding the obligation for organizations to inform individuals about modifications to their confidentiality policy. As it stands under the Quebec Privacy Act, organizations are obligated to notify individuals of any amendments to their policy.
This requirement can become burdensome, leading to unexpected scenarios where organizations must notify individuals even for minor adjustments, such as correcting a typo in their policy.
Closing thoughts
The CAI's Guide is a valuable tool for organizations drafting or revising their privacy policies. It aids in understanding legal requirements, encourages clear communication, highlights areas needing further attention and provides tools to "test" the policy prior to publication.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
