Bill 25 and data privacy: what’s at stake for your car dealership?

The data considered as personal information and protected by Bill 25 are as follows:

• • IdentifIcation data: names, addresses, e-mail addresses, telephone numbers,.
  • Sensitive data: SIN, income, membership of religious or other groups, sexual orientation, etc.
  • Profiling data: IP addresses, digital behaviour, cookie data, etc.

If you fail to protect this data adequately, you risk incurring administrative penalties (up to $10,000,000 or 2% of total revenues) as well as criminal sanctions of up to $25,000,000 or 4% of total revenues. So it’s crucial to take Bill 25 seriously.

Bill 25 gives you until 2024 to implement the various adaptation phases.

(from September 2022)

• • • Appoint a privacy officer for your dealership.
    • Define governance policies and practices.
    • Implement an incident log and notification process.
    • Create an appropriate training program.
    • Make an inventory of personal information and the service providers who have access to this data. The more providers you have, the more likely you are to expose your customers’ personal data.

This notion is very important, because when it comes to the law, YOU are responsible, not your providers. The data belongs to you, and it’s your responsibility to protect it. There are therefore risks associated with having several providers, as data transfers are multiplied.

(by September 2023)

• • • • • Publish the updated privacy policy on your website.
        • Implement a risk assessment process (PIA).
        • Enable consent collection on your website.
        • Establish a regular data destruction or anonymization process.

(by September 2024)

• • • • • Make sure you can support data portability (being able to extract all of a person’s data on a readable medium).

To protect yourself as much as possible against potential attacks, you need to inventory the personal information in your possession and a list of providers who have access to it. 

The more software providers who have access to your customer’s data, the more you expose this data and take risks.

When you use 360.Agency’s solutions in your dealership, they have been developed in-house at our Montreal offices, which means that your customer data exists in one single location. What’s more, we’ve designed a global firewall to protect all the personal data you’re responsible for. As a result, it’s considerably more secure than when you use several different software providers.

According to Bill 25, your privacy policy must be accessible to users of your website, and must inform them of the following:

• • • the purpose for which information is collected
    • the means by which the information is collected,
    • their rights of access and rectification,
    • their right to withdraw consent,
    • the names or categories of service providers with whom you share their information,
    • the possibility that information may be communicated outside Quebec.

The new bill defines profiling as “the collection and use of personal information to evaluate specific characteristics of an individual, for purposes such as analyzing the individual’s job performance, economic situation, health, personal preferences, interests or behaviour.”

As a dealer, you will be required, as of September 2023, to obtain consent (“opt-in”) before activating the collection of personal information through identification, location or profiling technologies.

To help you apply these new rules, 360.Agency launches PRIVACY 360, your new digital consent management platform (CMP).

With PRIVACY 360, your website and your advertising operations can comply with Bill 25 in a simple way. 

You can collect proof of consent from your users through fully customizable pop-up windows that integrate perfectly with the look and feel of your website.