Bill 25 and data privacy: what’s at stake for your car dealership?

The concern for the confidentiality of private data on the Internet is not new, but it is taking on an increasingly important role in the day-to-day life of companies across the country. Canada has been a forerunner in data privacy management, notably since the adoption of Canada’s anti-spam law a few years ago. 

Today, the Quebec authorities are going one step further. Since the end of 2022, Quebec has required companies operating in the province to comply with the requirements of Bill 25. This law aims to protect the privacy of individuals by regulating the collection, use and disclosure of personal information by organizations. The implementation of Bill 25 is gradual, and will continue until 2024, after which your dealership will be required to fully comply.

What is personal information?

The data considered as personal information and protected by Bill 25 are as follows:

    • IdentifIcation data: names, addresses, e-mail addresses, telephone numbers,.
    • Sensitive data: SIN, income, membership of religious or other groups, sexual orientation, etc.
    • Profiling data: IP addresses, digital behaviour, cookie data, etc.
Significant penalties

If you fail to protect this data adequately, you risk incurring administrative penalties (up to $10,000,000 or 2% of total revenues) as well as criminal sanctions of up to $25,000,000 or 4% of total revenues. So it’s crucial to take Bill 25 seriously.

Respecting data protection

Bill 25 gives you until 2024 to implement the various adaptation phases.

Phase 1

(from September 2022)

      • Appoint a privacy officer for your dealership.
      • Define governance policies and practices.
      • Implement an incident log and notification process.
      • Create an appropriate training program.
      • Make an inventory of personal information and the service providers who have access to this data. The more providers you have, the more likely you are to expose your customers’ personal data.

This notion is very important, because when it comes to the law, YOU are responsible, not your providers. The data belongs to you, and it’s your responsibility to protect it. There are therefore risks associated with having several providers, as data transfers are multiplied.

Phase 2

(by September 2023)

          • Publish the updated privacy policy on your website.
          • Implement a risk assessment process (PIA).
          • Enable consent collection on your website.
          • Establish a regular data destruction or anonymization process.
Phase 3

(by September 2024)

          • Make sure you can support data portability (being able to extract all of a person’s data on a readable medium).
The management of providers is your responsibility under Bill 25

To protect yourself as much as possible against potential attacks, you need to inventory the personal information in your possession and a list of providers who have access to it. 

The more software providers who have access to your customer’s data, the more you expose this data and take risks.

la protection des données par

When you use 360.Agency’s solutions in your dealership, they have been developed in-house at our Montreal offices, which means that your customer data exists in one single location. What’s more, we’ve designed a global firewall to protect all the personal data you’re responsible for. As a result, it’s considerably more secure than when you use several different software providers.

Setting up a privacy policy

According to Bill 25, your privacy policy must be accessible to users of your website, and must inform them of the following:

      • the purpose for which information is collected
      • the means by which the information is collected,
      • their rights of access and rectification,
      • their right to withdraw consent,
      • the names or categories of service providers with whom you share their information,
      • the possibility that information may be communicated outside Quebec.
privacy policy
Bill 25 and profiling

The new bill defines profiling as “the collection and use of personal information to evaluate specific characteristics of an individual, for purposes such as analyzing the individual’s job performance, economic situation, health, personal preferences, interests or behaviour.”

As a dealer, you will be required, as of September 2023, to obtain consent (“opt-in”) before activating the collection of personal information through identification, location or profiling technologies.


To help you apply these new rules, 360.Agency launches PRIVACY 360, your new digital consent management platform (CMP).

With PRIVACY 360, your website and your advertising operations can comply with Bill 25 in a simple way. 

You can collect proof of consent from your users through fully customizable pop-up windows that integrate perfectly with the look and feel of your website.

privacy 360
Make sure you're in compliance with the fundamental principles of Bill 25 with all our tips and simplify your life with PRIVACY 360!
Make sure you're in compliance with the fundamental principles of Bill 25 with all our tips and simplify your life with PRIVACY 360!