In this webinar (in French only), Zeffy’s CEO and co-founder, François, dives into Law 25 and what it means for nonprofit organizations. François shares our research and some advice from our lawyers at Blue HF Legal.
We’ve broken down the webinar into sections for you, or you can watch the whole thing—we definitely think it’s worth a watch! François goes over what Law 25 actually is, the different types of data that fall under Law 25, consent (when do you need it), how Law 25 applies to the nonprofit sector, and what Zeffy is doing to address Law 25.
Before we go any further: What is Law 25?
Law 25 (formerly Bill 64) adapts the existing laws protecting the personal information of Quebecors to the digital and technological realities of today and add requirements for anyone doing business within Quebec—not just organizations based in Quebec. Designed to protect Québecors and their personal information, Law 25 holds organizations accountable for the data they collect and store and requires them to clearly explain why they are asking for your information and how they plan on using it.
- Quebec’s Law 25 and what it means for nonprofits.
Watch the full webinar (only in French):
We recommend watching the full webinar. There are quite a few pertinent questions asked by the nonprofit organizations who attended the webinar that are worth hearing.
The right to be forgotten.
The right to be forgotten is just what it sounds like and means that nonprofits now need to respect the public’s right to cease dissemination, re-indexing or de-indexation.
This means, simply put, that everyone has the right to ask for their data to be deleted.
Law 25, transparency and what that means for nonprofits.
We all have the right to know what data a site is collecting, why the need it, and who they are sharing it with or selling it to.
Consent under Law 25 and how it applies to nonprofits.
A nonprofit cannot use or share data without consent. We know, shocking that this wasn’t the law before…
- An example of this is checking the little check box to receive newsletters.
Nonprofits need to notify donors, volunteers, etc. if there has been a privacy breach.
The obligation of notification means your nonprofit needs to:
- Take an inventory of the personal information your nonprofit (or a third party on your nonprofits behalf) keeps and assess its sensitivity.
- Put measures in place to prevent or limit the risk of a confidentiality incident.
- Establish a response plan that your organization will follow if a data breach happens.
How Law 25 defines our data and why nonprofits need to know this.
1. Personal data:
Everything that relates to or can help identify an individual. (Names, email addresses, addresses, SIN, etc.)
2. Sensitive personal data:
Personal data that is, well, sensitive. (Health issues, race, political opinions, biometrics, etc.)
What actions do nonprofits need to take to conform to Law 25.
- Create an inventory of all the personal data your nonprofit asks for and collects and who you share it with. (Google Analytics, Zeffy, etc.)
- Ensure third party partners are also following Law 25.
- Determine what data is necessary for your nonprofit to operate.
- Your nonprofit organization needs a Privacy Officer to implement and ensure your nonprofit follows Law 25.
The right to be forgotten and what that means for your nonprofit.
Cookies and consent: what nonprofits need to know.
First things first, cookies (the little things that make a website work, but that can also track, save and share a users data). Your nonprofit needs to give users the choice to look at and control the cookies your nonprofit’s site is collecting and using.
There are two types of cookies:
1. Necessary cookies (the ones required so your website acutally works).
- You do not need a user’s permission to use these.
2. Optional cookies (the ones that aren’t required for your webiste to work).
- You absolutely need a user’s permission to use these.
Personal data and consent: what nonprofits need to know.
However, you still need to ask for consent/permission if you plan to use any of the personal data you are asking for.
What is Zeffy doing to conform to Law 25.