The privacy policy is one of the most visible documents an organization produces on personal information protection. It's often the first document the CAI requests, and the first document a person consults before entrusting their data to your organization.
Yet many Quebec SMBs either have a generic policy copied from an English-language template, or no policy at all. Here's how to write one that is both compliant and genuinely useful.
What Your Privacy Policy Must Include
Law 25 does not prescribe a specific format, but it requires that certain information be accessible. A complete policy generally covers these elements:
1. The types of information collected. Be specific. "Personal information" is too vague. List the categories: name, email, address, payment data, browsing data, employment-related information, etc.
2. The purposes of collection. Why do you collect each category? Targeted advertising, order processing, human resources management, and legal compliance are different purposes that must be named separately.
3. Third parties who receive your data. If you use an email delivery service, a payment platform, a customer relationship management system, or a cloud hosting service, these third parties receive personal information. Mention the categories of recipients (not necessarily every company name, but the type: IT service providers, delivery partners, etc.).
4. Retention periods. This is one of the most frequent gaps. How long do you keep customer data after a business relationship ends? When do you delete unsuccessful job applications? Retention periods must be defined and respected.
5. Individual rights. Individuals have the right to access their information, have it corrected, withdraw their consent, and in certain cases, have it deleted or transferred to another organization (portability). Your policy must explain how to exercise these rights.
6. Contact information for the responsible person. Name or title of the Privacy Officer and a way to reach them (email or contact form).
The Most Common Gaps
Absent or vague retention periods. "We keep your data as long as necessary" does not meet the spirit of the law. Define concrete periods by category.
Purposes that are too generic. "To improve our services" covers too many different realities. Be specific: internal statistical analysis? Feature testing? Sharing results with a third party?
No mention of individual rights. Many policies describe what the organization does but don't tell individuals how they can act. The rights of access, correction, and withdrawal of consent must be explicitly mentioned.
Single-language policy in a bilingual context. If your organization interacts with clients in both languages, your policy must be available in French and English.
Outdated policy. A policy dated 2018 that doesn't mention Law 25, the Privacy Officer, or portability rights is a red flag.
Plain Language Writing Tips
An effective privacy policy is not an impenetrable legal document. Here are a few principles:
- Write for the person entrusting you with their data, not for your lawyer. If your SMB client or job applicant doesn't understand what you do with their information, the policy isn't doing its job.
- One idea per paragraph. Lists are your allies.
- Avoid jargon. "Processing of personal data" can become "how we use your information."
- Use clear headings. People don't read privacy policies from start to finish. They're looking for a specific answer. Help them find it.
Updating Matters as Much as Writing
A privacy policy is not a static document. Every time you add a new vendor, launch a new product, or change your data collection practices, you should check whether your policy needs updating.
Plan for an annual review, and clearly designate who is responsible for that review in your organization.
Observantia provides bilingual privacy policy templates tailored to Quebec SMBs, with the elements required by Law 25 already structured. Customize them to reflect your actual practices, then integrate them into your compliance process.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.