Skip to content.

CAI Releases Additional Guidance on Drafting of Privacy Policies

Following the entry into force of the most recent wave of amendments to Quebec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act” or the “Act”) under Law 25, the Commission d’accès à l’information du Québec (“CAI”) has released additional guidance on the drafting of privacy policies.

Under the Private Sector Act, organizations collecting personal information via technological means must, in clear and simple terms, disclose certain details regarding this collection on their website. On December 18th, 2023, the CAI published guidelines outlining the essential elements of privacy policies, each accompanied by concrete examples illustrating what these components might look like in practice (the “Guideline”). The CAI’s Guideline (the official text is available only in French, but we have also prepared an unofficial translation which can be accessed here) first clearly distinguishes privacy policies from other related documents, such as personal information governance/framework policies, privacy consent processes and terms of use. The CAI’s Guideline then specifies that website privacy policies should disclose:

  1. The manner in which personal information is collected
    1. For example, through online appointment forms, website cookies, emails to customer service, etc.
  2. The categories of personal information collected and the corresponding purposes for which this personal information is collected, as well as the means by which the individual may refuse this collection and achieve the intended goal via alternative methods
    1. For example, technical or digital information (IP address, pages visited, date and time of connection), collected based on browsing activity for the purposes of offering personalized recommendations, , accompanied by a clarification that the user may withdraw consent to the collection of such information by refusing the use of non-essential cookies, while noting that such withdrawal of consent may result in the loss of certain features while browsing the website.
  3. The categories of persons within the organization who have access to this personal information
    1. For example, customer service center, billing department, etc.
  4. If there is any transmission of this personal information to other people or organizations, the policy should disclose the categories of personal information concerned, the purposes for which it is communicated, the names or categories of people or organizations receiving or having access to this personal information, and whether this information is transmitted outside of Quebec
  5. The measures in place to safeguard the confidentiality and security of the personal information collected
    1. For example, technological measures such as firewalls, physical measures such as secured premises, administrative measures such as the adoption of an information security policy, etc.
  6. The rights of the individuals whose personal information is collected
    1. For example, the means to correct or access one’s personal information.

In addition to outlining the above as essential elements comprising the content of a Law 25-compliant privacy policy, the CAI also emphasized in the Guideline the importance of presenting this information in legible and easily digestible format. The Guideline offers advice on using clear headings and a logical order, using a tone that is engaging and inviting, rather than cold or threatening, and using simple sentences with common words.

The overarching principle reinforced by the Guideline is also unwaveringly clear – when it comes to compliance in privacy matters, enterprises must carefully consider not only what they say, but how they say it. The CAI expects that enterprises will not only present detailed, nuanced and meaningful disclosures about their privacy practices, but also that they will do so in accessible, easily readable language. As companies continue to implement their Law 25 compliance efforts, particular attention should be given to updating and refreshing public-facing documents, such as website privacy policies and related consent processes.

To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

For more details, you can also refer to McCarthy Tétrault’s Law 25 Compliance Toolkit.



Stay Connected

Get the latest posts from this blog

Please enter a valid email address