What is Law 25?

Law 25 is a Quebec law concerning the protection of personal information and privacy of Quebec residents. It aims to strengthen the protection of personal information of Quebec citizens by regulating the collection, use, disclosure, and retention of such information by private companies and public organizations.

The amendments brought about by Law 25 will be gradually implemented over a period of three (3) years, between September 22, 2022, and September 22, 2024. During this period, private companies and public organizations conducting business in Quebec will face new obligations and will have new rights regarding the protection of personal information.


What are the impacts of Law 25 on email marketing?

Law 25 – Consent & Transparency

Businesses that collect personal information must inform the individual concerned about the purposes, methods of collection, access and rectification rights provided by the law, as well as the individual’s right to withdraw consent for the communication and use of the collected information. In other words, it is essential to specify the intended uses regarding the collection of personal information.

Furthermore, if applicable, companies must inform the individual about the possibility of their personal information being transferred outside of Quebec, the names of the third parties for whom the collection is being carried out, and the third parties to whom their information needs to be communicated.

Requests for consent must be formulated in clear and simple language to facilitate understanding. Consent from an individual must be explicit, voluntary, informed, and given for specific purposes. The law recognizes that in certain circumstances, a company may rely on implicit consent from an individual. In other cases, explicit consent is required.

Law 25 – User Experience

If your company does not comply with Law 25, this can directly affect how users perceive your business and reduce the trust they place in it.

Damage to your company’s reputation could affect your opportunities to secure contracts and achieve sales.

FAQ – Law 25 and CASL:

Is double opt-in mandatory in newsletter signup forms?

While double opt-in and single opt-in are not elements directly identified in Law 25 or CASL, Cyberimpact strongly recommends that its users choose the double opt-in option when sharing their form.

This ensures that you have explicit confirmation from the user of both their email address and their subscription.

To learn more about opt-in types with Cyberimpact, click here.

Which type of consent should be prioritized: implied consent or express consent?

We recommend prioritizing express consent, as it is often considered more reliable for email marketing. This means that individuals must explicitly and voluntarily provide their consent to receive marketing emails, such as by checking a box or filling out a form.

Additionally, while commercial personal information is covered by an exception to the consent requirement under Law 25, this exception does not extend to the personal contact information of your subscribers (such as names, personal email and postal addresses, etc.). Thus, the implied consent you may rely on under CASL in the context of an existing business relationship might not be sufficient to meet the consent requirements under Law 25.

To learn more about consent types under CASL, click here.

When I gather contacts at an exhibitor’s booth, what type of consent does it fall under?

If you’re considering sending communications via email or other means to individuals whose business cards you collected at an event, be aware that this could be seen as implied consent.

However, if you want to have a digital record of your contact’s consent to receive communications from your company, it is advisable to provide a tablet or computer at your booth, allowing interested individuals to fill out a consent form explicitly and voluntarily.

How can I obtain explicit consents?

Cyberimpact provides various email templates for consent. Your company could run an email marketing campaign to obtain explicit consent from its subscribers.

Alternatively, Cyberimpact offers the option to integrate a consent block within any template created from our pre-designed or smart templates. The consent block includes pre-configured links, allowing your contacts to confirm their consent to receive your communications explicitly.

Learn more about consent email templates.
Learn more about the consent block.
Learn more about creating a consent template.

Do non-profit organizations (NPOs) need to comply with Law 25?

Law 25 applies to individuals operating a business in Quebec as well as to Quebec public organizations. The concept of a business is broad and encompasses both private companies and non-profit organizations.

Therefore, non-profit organizations must also adhere to the Private Sector Privacy Protection Act, as amended by Law 25.

What is personal information?

Personal information refers to any type of information that can identify an individual, either directly or indirectly. It is confidential. Excluding some exceptions, it cannot be disclosed without the consent of the individual concerned. For example: name, race, ethnic origin, religion, email address, etc.

Law 25 does not require obtaining consent for the collection, disclosure, and use of personal information when it is of a commercial nature. This includes a person’s name, title, and job function, their work email address and phone number, as well as the address of the company where they work.

To learn more about Law 25 and personal information, click here.

Is Cyberimpact compliant with Law 25?

Cyberimpact makes every effort to ensure that its activities comply with the laws applicable to the protection of personal information in the jurisdictions where it operates, including the new legislative provisions introduced by Law 25.

We take the protection of personal information and other data entrusted to us by our clients and partners seriously. For any questions in this regard, we invite you to consult our Privacy Policy or write to privacy@cyberimpact.com.

When I use the Cyberimpact platform for email marketing, who is responsible for the collection and use of personal data?

Cyberimpact takes responsibility for the data it directly collects from its clients. However, Cyberimpact’s clients are responsible for safeguarding the data of their subscribers that they collect, communicate, and utilize within the scope of their operations and their use of the Cyberimpact platform.

In other words, as Cyberimpact’s role is to provide its clients with an email marketing tool, each party remains responsible for the protection of the personal information they collect, use, and communicate.

Who is the responsible person at Cyberimpact for the protection of personal information?

Law 25 requires the appointment of a privacy protection officer within any organization. According to the law, this role falls to the person with the highest authority in the organization. However, it is possible to delegate this role, either fully or in part, to another person.

If you have any questions regarding our practices related to the collection, use, retention, or disclosure of your personal information, or if you wish to file a complaint or report abuse by third parties, please feel free to contact Geoffrey Blanc, CEO and Privacy Protection Officer of Cyberimpact, by email at privacy@cyberimpact.com.

The information displayed on the Cyberimpact website is general and provided for informational purposes only. Nothing on it constitutes legal advice or opinion. You should consult a lawyer before relying on any information provided by Cyberimpact Inc.
