
Quebec Biometric Database Registration: A Unique Provincial Privacy Requirement

Quebec's requirement to notify the CAI before establishing a biometric database, what qualifies, and how to structure the notification.

Regulation

Quebec Law 25

Max Penalty

Up to CAD 25M or 4% of worldwide turnover, whichever is greater (penal offences, imposed by the courts); administrative monetary penalties imposed by the CAI are capped at CAD 10M or 2% of worldwide turnover

Enforcing Authority

Commission d'accès à l'information du Québec (CAI)

Official Source

www.cai.gouv.qc.ca

Executive Summary

  • Quebec Law 25 imposes strict obligations on organizations handling biometric data, which the law treats as sensitive personal information.
  • Organizations must disclose any database of biometric characteristics or measurements to the CAI no later than 60 days before bringing it into service, obtain express consent before using biometrics to verify or confirm identity, and meet transparency requirements.
  • Non-compliance can result in significant penalties: administrative monetary penalties of up to CAD 10 million or 2% of worldwide turnover imposed by the CAI, and penal fines of up to CAD 25 million or 4% of worldwide turnover imposed by the courts.
  • A robust compliance program should include data mapping, privacy impact assessments, and ongoing monitoring.
  • Organizations are encouraged to use automated tools to identify compliance gaps.

Quebec Law 25 introduces specific requirements for the disclosure and management of biometric databases, reflecting the province's commitment to stronger privacy protections. The disclosure obligation itself sits in the Act to establish a legal framework for information technology (sections 44 and 45), which Law 25 amended to require that the CAI be notified before a biometric database is brought into service rather than merely "promptly." Together, these provisions require organizations handling biometric data to meet strict standards of transparency, consent, and accountability.


What Is Quebec Law 25?

Quebec Law 25 (originally Bill 64) was assented to on September 22, 2021, and came into force in three phases: September 2022, September 2023 (when most obligations took effect), and September 2024. It represents a significant overhaul of the province's privacy framework for both private enterprises and public bodies. The law does not define "biometric data" as a single term; instead, the Act to establish a legal framework for information technology refers to "biometric characteristics or measurements" used to verify or confirm identity, and the private-sector Act expressly lists biometric information among the categories of sensitive personal information. In practice this covers any data derived from a person's biological characteristics that can be used to identify them, and the law expects organizations operating in Quebec to handle it with care proportionate to that sensitivity.

The law requires organizations to disclose the creation of any database of biometric characteristics or measurements to the Commission d'accès à l'information du Québec (CAI) no later than 60 days before the database is brought into service, thereby creating a formal record of how biometric data is collected, stored, and processed. The CAI may order changes to the database or its use, or prohibit it, and may order the destruction of biometric data that it considers excessive. This disclosure is not merely a bureaucratic formality; it is a critical component of accountability and transparency in the management of biometric information.

Who Must Comply

All organizations that collect, use, or store biometric data in Quebec must comply. Private-sector enterprises and non-profit organizations fall under the private-sector Act as amended by Law 25, and public bodies under the public-sector Access Act; the biometric disclosure obligation applies to both. The law applies to any form of biometric data, including fingerprints, facial recognition templates, and voiceprints, regardless of the technology used to capture it.

Organizations that operate across provincial or national borders must also consider how Quebec's regime interacts with other privacy laws, such as the federal PIPEDA elsewhere in Canada, the General Data Protection Regulation (GDPR) in Europe, or the California Consumer Privacy Act (CCPA) in the United States. This cross-jurisdictional analysis is essential for organizations that handle biometric data from multiple sources or regions.

Core Compliance Requirements

Lawful grounds for processing. Organizations must establish a lawful basis for processing biometric data. Under Quebec law this means express consent: the Act to establish a legal framework for information technology prohibits using biometric characteristics or measurements to verify or confirm a person's identity without that person's express consent, and the private-sector Act requires express consent for collecting or using sensitive personal information, which includes biometrics. Consent must be informed, meaning that individuals should understand what data is being collected, how it will be used, and the potential risks involved.

Transparency and notice. Organizations are required to provide clear and accessible information to data subjects regarding the collection and use of their biometric data. This includes disclosing the purposes of the collection, the means by which the data is collected, the retention period, the individual's rights of access and rectification and right to withdraw consent, and whether the data may be communicated outside Quebec. Transparency is a cornerstone of the regime, ensuring that individuals understand their rights and the implications of their consent.

Data minimization and purpose limitation. Organizations must limit the collection of biometric data to what is necessary for the specified purposes. This principle of data minimization helps mitigate risks associated with over-collection and misuse of sensitive information. Additionally, biometric data should only be used for the purposes for which it was collected, and any secondary uses must be clearly communicated to individuals.

Security measures. Law 25 mandates that organizations implement appropriate security measures to protect biometric data from unauthorized access, loss, or theft. This includes both technical measures, such as encryption and access controls, and organizational measures, such as employee training and incident response planning. Organizations must regularly assess their security practices to ensure they remain effective against evolving threats.

Data subject rights. Individuals have specific rights under Quebec Law 25, including the right to access their biometric data, the right to request corrections, and the right to withdraw consent at any time. Organizations must establish processes to facilitate these rights and ensure that individuals can exercise them without undue burden.

Penalties and Enforcement

Enforcement of Quebec Law 25 is primarily the responsibility of the Commission d'accès à l'information du Québec (CAI), which has the authority to investigate complaints, issue orders, and impose administrative monetary penalties of up to CAD 10 million or 2% of worldwide turnover, whichever is greater. More serious contraventions can be prosecuted as penal offences, for which the courts may impose fines of up to CAD 25 million or 4% of worldwide turnover, whichever is greater. The CAD 25 million figure cited in summaries of the law is therefore the penal maximum, not the ceiling on what the CAI itself can impose.

The CAI is empowered to conduct investigations and inspections to verify compliance, and organizations must be prepared to demonstrate their adherence to the law on request. In addition to financial penalties, non-compliance can result in reputational damage and loss of consumer trust, with long-term implications for an organization's operations.

Building a Defensible Compliance Program

To effectively comply with Quebec Law 25, organizations should develop a comprehensive compliance program. The following steps outline a structured approach to building such a program:

  1. Conduct a data inventory — Identify all biometric data being collected and processed within the organization, and every database in which it is stored.

  2. Assess legal bases — Confirm that express consent is obtained for each use of biometric data, in particular any use to verify or confirm identity.

  3. Disclose biometric databases to the CAI — File the disclosure no later than 60 days before a biometric database is brought into service, and keep it current as the database changes.

  4. Develop privacy notices — Create clear and concise privacy notices that inform individuals about data collection practices.

  5. Implement security measures — Establish robust security protocols to protect biometric data from unauthorized access.

  6. Train employees — Provide training to employees on compliance obligations and data protection best practices.

  7. Establish processes for rights — Create procedures for individuals to exercise their rights under the law.

  8. Monitor compliance — Regularly review and update compliance practices to ensure ongoing adherence to the regulation.

  9. Engage with legal counsel — Consult with legal experts to navigate complex compliance issues and ensure alignment with other applicable laws.

Practical Implementation Priorities

Data mapping and inventory. Organizations should begin by mapping their biometric data flows to understand where data is collected, stored, and processed. This inventory is crucial for identifying compliance gaps and ensuring that all data handling practices align with the requirements of Law 25.

Risk assessment. Law 25 requires a privacy impact assessment (PIA) for any project to acquire, develop, or overhaul an information system or electronic service delivery system involving personal information, and a biometric database will almost always qualify. The assessment should evaluate the likelihood and impact of the risks in the organization's biometric data handling practices, so that compliance and security efforts can be prioritized effectively.

Policy development. Organizations must develop and implement policies that reflect the requirements of Quebec Law 25. These policies should address data collection, processing, retention, and security measures, ensuring that all employees understand their roles and responsibilities regarding biometric data.

Stakeholder engagement. Engaging with stakeholders, including employees, customers, and legal advisors, is essential for fostering a culture of compliance. Organizations should communicate openly about their biometric data practices and encourage feedback to improve their compliance efforts.

Ongoing monitoring and review. Compliance is not a one-time effort but requires ongoing monitoring and review. Organizations should establish mechanisms for regularly assessing their compliance status and making necessary adjustments to their practices in response to changes in the regulatory landscape or organizational operations.

Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against Quebec Law 25 requirements within minutes.

Run your free scan or speak with a privacy expert to discuss your compliance obligations under Quebec Law 25 and build a prioritized remediation plan.

Regulatory Crosswalk

Organizations subject to this regulation often operate under these overlapping frameworks: Illinois BIPA, GDPR biometric data, CCPA biometric SPI. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.


Evaluate your compliance posture now

BD Emerson's automated scanner audits your public-facing properties against your applicable regulations in minutes, not weeks.