So you thought GDPR was tough? Wait until you get a load of Bill 64

While the Act was born in Quebec, it affects marketers regardless of where they operate.

tingey-injury-law-firm-nSpj-Z12lX0-unsplash

By Will Novosedlik 

On Sept. 21, 2021, the Québec National Assembly adopted Bill 64, “an Act to modernize legislative provisions as regards the protection of personal information,” which will bring significant changes to Québec private sector and public sector privacy law once it comes into effect in Sept. 2022.

Before you say to yourself “Oh it’s just Québec and I operate in another part of the country,” you may be forgetting that if you have a national database of people whose personal information you wish to use for whatever purpose, 22.5% of those people are going to be in Québec. So sit back down, because this affects you too.

What should marketers be concerned about? Topline, in order to use an individual’s personal information, you must now have a contract or meaningful consent. The Privacy Commissioner states that 72% of Canadians do not trust businesses with their personal data. They need consent, but many consumers do not want to give it.

And for good reason. Derek Lackey, head of the Response Marketing Association and managing director of privacy specialists Newport Thomson, likens it to when you are at the checkout and they tell you that in order to send you a receipt, they need your email address.

“Actually they’re stealing your personal information and using false pretenses to do it,” says Lackey. “Because as soon as you give it to them, they’re adding it to their promotional list. They didn’t tell you that was the purpose. They told you they were going to use it to send you a receipt.” Next thing you know, your inbox is flooded with flyers and special offers. No wonder so many don’t trust brands with our personal information.

Another thing marketers should be concerned about is that, by default, their CEO is now effectively their Chief Privacy Officer, which means that, according to the Act, he/she/they are the “person in charge” of the protection of personal information. That means every organization will want to hire a dedicated privacy officer whose job it is to ensure that it implements and complies with the Act (unless of course your CEO wants to add that to their daily task list). Ultimately it means that if there is a breach of the Act, the CEO is personally responsible.

Organizations will also now need to notify the Commission d’accès à l’information (CAI) and the affected individuals when a “confidentiality incident” presents a “risk of serious injury.” The “risk of serious injury” threshold is assessed based on the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes. And organizations will be required to keep a register of breaches that they would be required to share with the CAI upon request, no matter where they operate in the country.

Organizations have until September 2022 to implement these two measures. But that’s just the tip of the iceberg. By September 2023, there will be a number of other policies that they will need to put in place. For instance, organizations must inform the individual when his or her personal information is used and must also, at the individual’s request, inform them about what’s being used and how. Once the purposes for which the information is being used are achieved, the organization must then destroy it. They must also receive express consent from individuals to use sensitive personal information for secondary purposes.

If marketers intend to share someone’s information outside of Quebec, they’ll need to conduct a Privacy Impact Assessment that takes into account the sensitivity of the information, the purposes for which it is being used, the measures in place to protect it, and the laws in the jurisdiction in which the information will be communicated.

There are several transparency measures that must be taken. Upon collection of personal information, individuals must be informed as to the purposes of collection, the means of collection, rights of access and the right to withdraw consent.

Oh, and no more profiling or geolocation without clear consent either.

One of the things that makes Bill 64 tougher than General Data Protection Regulation (GDPR) is that consent and contractual agreement are the only ways organizations can use personal info, whereas in the EU, you can also use personal information on the basis of “legitimate interest.” In other words, as long as the usage is in the legitimate interest of your business, all you have to do is provide an unsubscribe button. That is not included in Bill 64.

The penalties for non-compliance are stiff. For example, collection, use, disclosure or destruction of personal information in contravention of the Act, or failure to notify the CAI or the affected individuals of a breach that presents a risk of serious injury, or failure to comply with an order issued by the CAI could result in a fine of up to $25 million. Retention of personal information or failure to provide an appropriate privacy notice could hit you with a $10 million fine.

Derek Lackey, who has been focused on privacy laws as they pertain to marketing for over ten years now, has been warning marketers about this for months. “Think about it: all those companies doing data marketing of any kind have no consent to use the data. As soon as Bill 64 comes into force, they’re going to be sitting on these massive databases they can no longer use.”

That’s why Lackey believes this is no longer just the concern of the IT department. “Up until now marketers have avoided this kind of thing, passing the buck on to IT. But marketers are the ones who own the customer relationship. I really think they should be the ones responsible, in collaboration with IT and the privacy officer.”

In 2020 the CMA pushed back on a number of Bill 64’s recommendations, in hopes that express consent would only be required when it is “truly meaningful,” that enforcement be reduced and fines made proportionate to the nature of the violation, that the government would encourage self-regulated privacy compliance codes and that reasonable transparency should be required around profiling and decisions based solely on automated processing. The law as passed does not appear to have agreed with many of the CMA’s suggested revisions, prioritizing consumer rights over those of the businesses that CMA represents.

As for how the CMA’s members have thus far complied with CASL and PIPEDA, the CMA did not provide specific data. Sara Clodman, the CMA’s VP, public affairs and thought leadership, told strategy that “we are advising marketers to prepare their compliance plans and to do a real inventory on how they collect, use and share information of Quebec consumers and to start adjusting their plans to meet the new requirements.”

However, Lackey (who claims to be Canada’s leading expert on CASL) says the CRTC has not acted aggressively enough to police them, issuing only seven fines in the last five years. He also believes most of the personal information collected thus far has been without consent. “I would disagree with that,” says Clodman. “I know that our members go to great lengths to comply with CASL. They take CASL very seriously.”