Navigating Privacy Policies: Insights from CAI’s New Guide

  • Updated
  • Posted in Design
  • 8 mins read

With the September 2023 entry into force of significant amendments[1] to the Quebec Act respecting the protection of personal information in the private sector (the “Act”), the Quebec Commission d’accès à l’information (“CAI”) has been regularly releasing guidance documents in the recent months.

In its most recent update on December 18, 2023, the CAI has issued a brief reference guide to drafting clear and simple privacy notices (the “Guide”).[2] The CAI notes that the Guide is the first in a series of several publications to be released over the coming months to assist organizations in understanding and complying with their obligations under the Act. The Guide aims to clarify what a privacy notice is and what it should contain, and it provides tips on how to write such a policy in clear and simple terms.

As the Guide is only available in French,[3] we have provided a detailed summary below.

When is a privacy notice required?

Since September 22, 2023, any organization collecting personal information through technological means must publish on its website a confidentiality policy (commonly referred to as a privacy notice). This notice must also be written in clear and simple terms.[4]

While an organization must provide certain information when collecting personal information from an individual, when the collection is done by technological means, it is the privacy notice that provides this information. The privacy notice may include additional information when it would be useful to make an informed decision.

The CAI also defines what is not a privacy notice. While the privacy notice is part of a set of related documents, it must not be confused with:

  • Governance or privacy policies which provide an internal framework for the organization’s activities and notably describe the roles and responsibilities of personnel in the governance of personal information from its collection to its destruction, rules for the keeping and destruction of personal information, as well as the complaint process regarding the protection of personal information;[5]
  • Consent requests (whether obtained through a written document, a cookie banner or a verbal request), though the CAI notes that a consent request may contain a link to the privacy notice.
  • Conditions of use / Terms of service which govern the use of a website, application or services, and define the rights and responsibilities of the users and the organization. The CAI notes that while terms of use or service may contain a reference to a privacy or governance policy or a section on protection of personal information, they must not be combined with the privacy policy.[6]

Contents of a privacy notice

While a regulation sets out the information to be included in the privacy policies by public sector entities subject to the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Public Sector Act“),[7] the Act does not have an equivalent mechanism for private sector entities. The CAI states that its Guide suggests information that must be provided by a private sector organization, with some additions inspired by the regulations for the public sector.

1. Means of collection

Organizations must indicate the technological means used to collect personal information (e.g., emails received by the customer service department, an online appointment request form, an application for customers, cookies, video surveillance, a connected device, etc.).

They must also name any other entities that collect personal information on their behalf, such as a technology service provider, a third-party consultant who provides part of the services to the organization’s customers; any agencies tasked with answering questions or handling complaints from customers.

Where an entity collects personal information using a technology that has functions to identify, locate or profile an individual, it must also inform the individuals about the use of this technology as well as how to activate these functions. CAI states that such functions must be disabled by default,[8] and where a technological product or service is offered to the public and has privacy settings, these settings must ensure the highest level of confidentiality by default.[9]

2. The personal information collected and the purposes of collection

Organizations must indicate the personal information collected (such as contact, health, demographic, biometric or financial information, as well as technically generated information such as IP address or actions taken on a website).

Organizations must also state the purposes for the collection such as opening files, processing requests, shipping ordered products, managing invoicing, processing payments, and offering personalized recommendations. The CAI also states that organizations must indicate measures available to refuse the collection of certain personal information and the possible consequences (e.g., obtaining information in person rather than by e-mail, placing an order without creating an account or earning loyalty points, refusing cookies and using the website without certain functionalities).[10]

3. The categories of persons who have access to personal information (within and outside the organization)

The CAI states that the categories of persons who have access to the personal information within the organization (such as customer service, billing department, etc.) must be named in the privacy notice.[11]

Where, in order to achieve its purposes, the organization transfers or gives access to personal information to other entities, it must also indicate:

  • the personal information or categories of personal information concerned;
  • the purposes for which the personal information is communicated;
  • the names or categories of persons or organizations that receive or have access to this personal information; and
  • whether personal information may be transmitted outside Quebec.

4. The rights of the individuals

Organizations must indicate the rights of the individuals to:

  • access their personal information held by the organization (which can also include available technological means to access or rectify personal information, if any);
  • have their personal information corrected or updated;
  • file a complaint in accordance with the process set out in the personal information governance policy and practices.

The CAI notes that organizations can also include the name and contact as well as the contact information of the person (or department) to be contacted for questions regarding the privacy notice, and/or the name and contact details of the privacy officer.[12]

5. The organization’s security measures

The CAI states that organizations may include a brief description of the physical, technological or administrative measures taken to ensure the confidentiality and security of the personal information.

CAI’s tips for drafting a clear and simple policy

The CAI reminds at the outset that clarity is assessed from the point of view of the reader and not the writer of the notice which requires listening to the readers and adjusting when necessary. The CAI also recommends documenting considerations, options, and decisions throughout the drafting process in the event that it may be necessary to demonstrate the seriousness of the approach.

  1. Understanding the needs of the target audience by identifying the readers (and their needs, special characteristics, language skills, knowledge level based on internal or external data, studies, statistics); and identifying the context (given that how, when, where, and to what end they will access the notice will influence their level of interest and time spent);
  2. Selecting the message by choosing the relevant information needed to understand the practices required under the law (including by removing what the readers do not need), by identifying key elements in view of the particular characteristics of the readers, and reading context and by considering the scope and sensitivity of the information collected which may require bringing certain messages to their attention if it may surprise them or have a significant impact on their private lives;
  3. Creating a clear, visible structure by using clear, jargon-free, and meaningful headlines that convey key messages, and by creating a hierarchy of titles used consistently throughout the notice with easy-to-identify levels of headings and subheadings;
  4. Using an authentic and inviting tone by aligning it with the organization’s usual communications, and by fostering a tone that builds trust rather than making it authoritarian or threatening;
  5. Adopting a clear, precise style by placing the ideas at the beginning of paragraphs, writing short sentences with simple structures, eliminating unnecessary words, using everyday words instead of formal language or jargon, adding explanations or examples to technical words when they are necessary;
  6. Optimizing page layout by using an easy-to-read, large enough font, keeping sections short, and using visual elements as needed;
  7. Testing the policy by having others within and outside the organization read the policy, and adjusting the notice accordingly; and
  8. Reassessing the policy regularly and keeping it up to date as activities and practices evolve.

Leave a Reply