Unwrapping the CAI's holiday gift: A guide on privacy policy drafting

4 minute read
04 January 2024

Since September 22, 2023, organizations with operations in Quebec must publish a privacy policy on their website if they collect personal information by any technological means (for example, via an email address, a website or a mobile app).

On December 18, 2023, Quebec's privacy regulator, the Commission d'accès à l'information (CAI), published a crucial guide for organizations seeking clarity in drafting and revising their privacy policies. You can access Gowling WLG's unofficial translation of the Guide here (official version only available in French).

Here are the top three takeaways from the CAI's Explanatory Guide on Drafting a Privacy Policy:

1. Understanding the dual nature of privacy policies

The CAI's Guide makes a pivotal distinction between two different types of policies: the confidentiality (or online) policy, and other privacy policies.

The former, as required by section 8.2 of the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1, the Quebec Privacy Act), is necessary for organizations that collect personal information through technological means, typically on websites or digital platforms.

In contrast, the latter, required by section 3.2 of the same act, covers broader aspects of personal information protection within an organization. These policies will generally outline how an organization manages all personal information, not just the information collected online, and includes practices related to data storage, access and protection measures. Understanding this distinction is crucial for compliance and effective privacy management.

2. Clarity is key: Tips for simplified language

The CAI's Guide emphasizes the importance of clear and simple language in drafting privacy policies. It offers practical tips on writing policies that are easily understandable by a wide audience. While these are not strict requirements, they present best practices for all privacy professionals wanting to ensure their policies are accessible to all.

The CAI's Guide also contains tools and ideas, which could be quite useful for privacy professionals looking to "test" their privacy policy prior to publication (or when conducting a review of their existing privacy policy). By testing the policy with a diverse group, organizations can ensure that their privacy policies are not only compliant but also clear, understandable and implementable across the entire organization.

3. Notification of policy modifications

Unfortunately, the CAI's Guide does not provide any clarification regarding the obligation for organizations to inform individuals about modifications to their confidentiality policy. As it stands under the Quebec Privacy Act, organizations are obligated to notify individuals of any amendments to their policy.

This requirement can become burdensome, leading to unexpected scenarios where organizations must notify individuals even for minor adjustments, such as correcting a typo in their policy.

Closing thoughts

The CAI's Guide is a valuable tool for organizations drafting or revising their privacy policies. It aids in understanding legal requirements, encourages clear communication, highlights areas needing further attention and provides tools to "test" the policy prior to publication.

If you have additional questions regarding your organization's privacy policies, or any other privacy-related topics, do not hesitate to contact us.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.