Many business-to-business (B2B) corporations are confused as to whether Bill 25, the new amendments to private-sector privacy legislation, applies to their activities. Others simply think they don’t need to worry about it. What’s the real deal?

1. Think about the information you hold about your customers and what it’s used for.

The definition of personal information is deliberately broad and includes a whole range of information that would not automatically come to mind. Personal information can be used to identify a person, whether on its own (for example, a social insurance number) or in combination with other information (such as a first and last name).

However, Bill 25 excludes information concerning an individual’s position within a corporation. A person’s name, title and function, as well as their address, telephone number and e-mail address at work are therefore not personal information when they concern the individual’s identification within the workplace.

Corporations that do business with other businesses certainly use this information to contact specific individuals in their customer relations. On the other hand, as soon as contact information is combined with other information specific to an individual, the law is likely to apply.

One company may have decided to collect the home addresses of the executives of its best customers, to send them a personalized gift. Another may hold e-mail addresses that are also the personal e-mail addresses of executives of sole-owner companies. Another may hold payment information linked to a personal credit card.

If any of these or similar situations apply to your corporation, then you should assess the extent to which you collect, use and disclose your customers’ personal information, and how you may be subject to Bill 25 on these aspects. Only information that is specifically used to contact a person within a company is excluded from the application of the law.

2. Don’t neglect your employees.

Although your business activities focus on other companies, you also have employees, whose personal information you collect from the beginning of their hiring process through to the end of their employment with you, and sometimes even beyond.

Examples of personal information collected on employees sometimes include their criminal or credit history when their application is evaluated, their social insurance number for tax purposes, their work performance or the reason why their employment ended. In some corporations, this may also include biometric information collected by time clocks, an employee’s voice or image collected by video surveillance, or the exact geolocation of a delivery driver.

All this information constitutes personal information within the meaning of applicable privacy laws, which means that your corporation will need to put in place a comprehensive program to manage your employees’ personal information. Unlike the program of a company that deals directly with consumers, yours may be streamlined, but it should be no less important.

Practically speaking, this means that your company will have to put in place documented policies and practices for managing employee personal information, a mechanism for detecting and handling privacy incidents involving employee personal information, privacy impact assessments (PIAs) if your corporation uses a system or supplier to which personal information will have to be disclosed or sent outside Quebec, a mechanism for handling and analyzing requests for access to information, and specific retention periods for employee personal information.

3. Your website may collect personal information.

Websites can be visited by members of the public and can be a way of collecting information that could be personal information. For example, some contact forms or quote requests contain text fields that may result in the collection of personal information. Online chat applications, online stores and recruitment pages are also potential collection points for personal information. Finally, if your web development or marketing teams place cookies on your pages to improve the user experience or for targeted advertising, chances are that these technologies also collect some personal information.

The collection of personal information on websites requires appropriate consents to be obtained, and technologies such as certain types of cookies to be deactivated by default. Generally speaking, a company will also publish terms of use and a privacy policy on its site.

4. Don’t forget your professional pages or accounts on social networks.

In the same way as a website, social network profiles and accounts can enable companies to collect personal information, for example, when new customers write to your corporation from their personal profile, when users post comments on your services or send private messages, or when you use audience-targeted advertising tools.

In conclusion, as of September 22, 2023, corporations offering business-to-business services must have the following in place:

  • A program for managing the personal information of their employees, minimally involving:
    • The appointment of a Privacy Officer (the person with the highest authority has this role by default under the law, but may delegate the duties to a person of his or her choice);
    • A policy concerning the management of employees’ personal information, including the company’s monitoring practices;
    • A review of pre-employment consents and those given at the time of employment regarding the company’s collection, use and retention of employees’ personal information;
    • A process for managing confidentiality incidents involving employees’ personal information;
    • Internally designated persons to handle access to information requests, complaints and other employee rights provided for by law;
    • A review of the company’s information security practices with regard to employees’ personal information (adapted to the sensitivity of the information);
    • A due diligence process for new service providers when it comes to employees’ personal information, as well as a process for triggering Privacy Impact Assessments, if necessary.

In cases where the company may also be collecting personal information from customers or members of the public, it will need to ensure that it adds to its privacy management program:

  • An internal policy for managing personal information;
  • A review of the consents required for the collection, use and disclosure of personal information;
  • A privacy policy published on its website, describing its personal information management practices and providing more information about the collection, use, disclosure and retention of personal information of the company’s customers or the public. The policy must also clearly identify the company’s Privacy Officer, as well as describe the ways in which the public can exercise its privacy rights.

These elements are offered for information purposes only, and each privacy program may differ according to the company’s business model and specific reality. The important thing is to assess your posture and start discussions internally. To find out more, contact Robic’s Data Protection, Cybersecurity and Privacy team.