On May 3rd, Didomi partnered with Adviso and the National Bank of Canada for a conference in Montreal, addressing data protection issues in Québec and around the world, and how companies can turn them into opportunities.

 

Addressing the topic of Law 25, trust, consent management, and digital performance measurement, the panel was composed of Axel Queffeulou, Senior Data Solutions Architect at Adviso, Philippe Rincon, Vice President of Digital at the National Bank of Canada, and Raphaël Boukris, Co-Founder and CRO at Didomi.

 

In this article, we look back at the event, the main takeaways from the conversation, and the roadmap for organizations to prepare for Law 25.

 

Note: To watch the event recording, go down to the end of the article. You can also download the full presentation as a PDF:

 

Didomi - Turning the challenges of Law 25 and global regulations into opportunities

 

 

Sommaire

 

 

 

Law 25: Background and Timeline

 

Although the next steps do not take place until September, the obligations for Law 25 have already begun since last year. Indeed, since September 2022, companies have already had the obligation to designate a privacy officer within their organization, and to put in place a procedure for reporting personal data breaches.

 

The second deadline is the most urgent and important for organizations operating in Quebec or using the data of Quebec citizens. By September 22, 2023, things they will need to put in place include:

 

Finally, September 22, 2024, will see the introduction of a new component to the law, aiming at facilitating the right to portability - also known as DSAR.

 

There are two obligations set by Law 25 that are of central concern to organizations:

 

    • The obligation of transparency, which implies that the company must inform the person concerned of the purpose of the data collection, and of the rights of access and rectification provided by law

    • The obligation to obtain consent, which consists of putting in place a mechanism that will allow users to consent (or not) to the collection of their personal information

Failure to comply with these obligations puts organizations at risk.

 

Risks in case of non-compliance with Law 25

The most obvious risks are the administrative penalties, which can amount to $10,000,000 CAD, or 2% of the company's global turnover for the previous fiscal year, or if the infraction is qualified as criminal, up to $25,000,000 CAD and 4% of the global turnover.

But beyond the financial penalties, one of the main issues is the brand and reputational risk. 

The loss of user trust and the lack of transparency can negatively affect consumer perception. A Google/IPSOS study shows that 40% of consumers say they are ready to change brands after a negative privacy experience.

We can see that Law 25 is critical in many ways for companies. The question is: how can companies take advantage of these challenges and turn them into business opportunities? 

 

Turning the challenges of Law 25 and global regulations into opportunities

 

During the presentation, the three speakers were able to present three approaches to Law 25, through their respective expertise and experience:

 

  • National Bank of Canada: A history of trust

  • Didomi: Unifying user choice

  • Adviso: Bridging the gap between consent and performance

 

Before exploring each part in detail, and if you don't have time to read the entire article, here are the key points to remember:

 

Didomi Montreal - Takeaways

 

National Bank of Canada: a history of trust

 

Philippe Rincon, Vice President of Digital at National Bank of Canada, opened his presentation by evoking the exponential growth of technology in the 21st century, and highlighting the various crises of trust related to data protection in recent years: Cambridge Analytica, Ashley Madison, Equifax...

 

These crises have caused a loss of consumer trust:

 

  • 62% of respondents are concerned about the security and privacy of their personal data

  • 90% of the data collected worldwide in the last two years was collected without the consent of the users 

 

The Vice President of Digital backs up his point by emphasizing the responsibility of organizations when it comes to handling personal data:

 

"When Raphael visits the bank's website and interacts with us, we are retrieving data. That data does not belong to us. It's Raphael's data, that he agrees to entrust us with. It’s paramount to understand that that data is not ours."

 

- Philippe Rincon, Vice President of Digital at the National Bank of Canada

 

How can we regain people's trust? Faced with this question, Philippe Rincon identifies 6 steps for organizations:

 

  1. Executive endorsement, to ensure that it is a priority for the entire company.

  2. Customer centricity, essential for all digital organizations.

  3. Multi-disciplinary teams, so that the entire organization understands its role in this major undertaking.

  4. A culture of protecting personal data, to develop a data ethic.

  5. A training program, to bring teams up to speed.

  6. Change management, to understand a new way of approaching key issues.

 

To understand the major changes brought about by Law 25, the vice president of digital recommends that organizations adopt a positive posture by seeing the new legislation not as a burden but as an opportunity.

 

Didomi Montreal - Chart

 

Through existing frameworks such as Privacy UX and Privacy by Design, there are ways to give back control to customers and users, placing data privacy at the center of business and strategic thinking.

 

Philippe Rincon concludes his presentation with the business opportunity presented by Law 25, which he sees as an opportunity:

 

I think that we don't really have a choice, from a regulatory point of view, but more importantly, I believe this is a real opportunity for the respect of fundamental rights. (...) It is essential that legal (and other) systems can adapt to technological systems, otherwise, there is a big gap (...) 

These are very important considerations that allow us to position ourselves by saying that it is not only regulatory but really an ethical necessity for organizations."

 

- Philippe Rincon, Vice President of Digital at the National Bank of Canada

 

Didomi: Unifying user choices

 

During his presentation, Raphaël Boukris, Co-Founder and CRO at Didomi, focuses on the technical part of the subject, presenting Didomi's solution and its different modules:

 

  • Consent Management

  • Web compliance monitoring

  • Privacy requests

  • Preference management

 

With this product offering and alongside partners such as Adviso in Canada, Didomi offers technological solutions and services to help organizations face the challenges of data protection. Companies such as Orange, Société Générale or SNCF.

 

 

In addition to consent management, the co-founder and CRO highlights other critical solutions Didomi offers in the context of Law 25, starting with advanced compliance monitoring, which proactively detects compliance breaches, establishes a comprehensive tracker map, and minimizes legal risks.

 

The second essential aspect is the notion of multi-regulations: How to adapt to a world in constant evolution, evolving regulations, and different requirements according to different countries and regions? The multi-regulation feature addresses these issues.

 

Law 25 consent banner benchmark: 3 months removed from the latest phase of the Law 25, we ran an analysis and published a benchmark of the top 3 consent banner types in Québec, looking at consent rates, conversion, and Privacy UX best practices. 

 

Access the full benchmark here (no email or form required):

 

Didomi - Law 25 benchmark on consent banners

 

 

 

Thanks to the Didomi technology, organizations are not only able to create compliant, personalized consent banners, but also to go further by:

 

  • Addressing the compliance needs of global companies through geo-targeting, allowing different banners to be displayed according to local regulations

  • Storing and proving consent in the event of an audit or access rights request 

  • Provide analytics for granular visibility into banner performance

 

To learn more about Didomi's consent management offering and discuss the data protection challenges you might be facing within your organization, book an appointment with one of our experts:

 

Didomi - Montreal Contact - Jean Baptiste

 

Adviso: Bridging the gap between consent and performance

 

Our last speaker, Axel Queffeulou, Senior Data Solutions Architect at Adviso, concluded the presentation by highlighting the inevitable impact of Law 25 on companies, their data collection, and use - particularly in the context of digital marketing.

He says the key is to reduce this impact by first maximizing the amount of data collected, before shifting the focus to a quality-first approach.

How to reduce the impact of Law 25 on data collection? Taking a cue from consent collection practices in Europe since the advent of the General Data Protection Regulation (GDPR), the senior data solutions architect emphasizes the importance of the user experience, which strongly influences the consent rate:

 

"All the effort put into landing pages and homepages is going to waste. Going forward, who's going to welcome new users? The consent banner. We know that the first impression is always the most important, so maximum effort should be made from the start of the CMP installation."

 

- Axel Queffeulou, Senior Data Solutions Architect at Adviso

 

Once consent collection is optimized, the data will have a greater value according to Axel Queffeulou. 

Indeed, users who have consented to entrust their data show their trust in the brand, a change that is reflected in the value of first- and zero-party data, provided directly by consumers.
 

Didomi Montreal - 0 party

 

The speaker highlighted the importance of establishing a data strategy. This is the first step Adviso takes with new clients, a step which then leads to the creation of a data map, an architecture that allows for a 360 view through the following axes:

 

  • Data sources: CRM, product, marketing, consent.

  • Data integration and management: Tag manager, analytics platform, data warehouse

  • Engagement: Advertising, personalization, A/B testing

  • Intelligence: Visualization, analytics

 

For Axel Queffeulou, the compliance challenges presented by Law 25 ultimately present an opportunity: 

 

"They tell you that a CMP is mandatory, but Adviso tells you that a strategy is a prerequisite. The CMP must be integrated into your strategy."

 

​​- Axel Queffeulou, Senior Data Solutions Architect at Adviso

 

 

Roadmap: How to get ready for Law 25

 

Didomi - Montreal_Retroplanning

 

You now have everything you need to prepare for the next step of Law 25 next September. It is essential to prepare in advance to prevent unforeseen events, put in place the necessary processes and adjustments, and avoid unpleasant surprises in case of non-compliance at the end of the year.

Need help in your preparations? Visit our page dedicated to Law 25 and make an appointment with one of our experts to discuss your issues together:

 

Learn more about Law 25

 

Questions and answers (Q&A) et next step

 

To conclude the conference, the audience was able to ask questions. Among the most interesting exchanges, our speakers addressed topics such as:

 

  • The average consent rate performance by industry

  • The scope of Law 25 outside of Quebec

  • The expiration date of user information stored by a company

  • And much more.

 

To discover the answers to these questions and watch the entire conference, we invite you to watch the recording (in French with English subtitles): 

 

 

The next step? Let's meet on September 19th in Montreal, 4 days before Law 25's next big deadline. Book your ticket today - the event will be limited to 100 seats.