Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

LLM Firewall

Secure your GenAI applications with distributed and context-aware LLM firewalls

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

LLM Firewall

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View

LLM Firewall

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Understanding Valid Consent Requirements : A Closer Look at the Draft Guidelines Issued by the Quebec Data Protection Authority

quebec data protection authority guidelines banner

By Anas Baig | Reviewed By Adeel Hasan

Published July 14, 2023

Quebec's data protection authority, the Commission d'accès à l'information (CAI), recently published a consultation on the collection of consent in relation to personal data protection. The CAI oversees the application of Quebec’s main privacy laws, namely the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, also known as the Access Act, and the Act Respecting the Protection of Personal Information in the Private Sector, also known as Private Act.

Most of Quebec’s Law 25's provisions, which revised the aforementioned Acts, will soon go into effect. Therefore the CAI has put together some preliminary guidelines on what constitutes valid consent for the collection of personal data under the two laws. The consultation was completed on July 2, 2023, and the CAI intends to publish the final guidelines in October 2023. The regulator has nevertheless stated that this deadline might change based on the overall number of comments received and the necessary adjustments.

An Overview of the Draft Guidelines

The guidelines are intended to help individuals and organizations, who are subject to these laws, gain a deeper understanding of the components utilized to evaluate each statutory requirement that must be met to obtain valid consent.

Note: The guidelines do not cover the health industry or address consent to disclosing non-personal information—such as technical or financial information or trade secrets.

Quebec's privacy legislations require seeking valid consent from the data subjects for a variety of purposes, including the following:

To collect personal information from a minor under the age of 14;
To collect personal information from a third party in the private sector;
To use personal information for secondary purposes, i.e. for purposes other than those for which it was collected (primary purposes); and
To disclose or divulge personal information to a third party.

An organization must obtain the valid consent of an individual if it is unsure or unable to demonstrate that an exception applies in a specific circumstance. Additionally, if an individual provides their personal information, they are assumed to have given their consent for it to be used and disclosed for the purposes of which they were informed, provided certain conditions are met.

Valid consent is defined under section 53.1 of the Access Act and section 14 of the Private Act. As per these definitions, the following are the criteria that must be fulfilled for consent to be valid:

Consent must be manifest i.e., obvious, and must be given in a way that demonstrates the real will of the data subject. Generally, explicit consent should be prioritized; however, it can be implicit in certain circumstances. Organizations should consider the following requirements to ensure that the consent collected from a data subject is manifest:

When a person actively expresses (or explicitly states) their agreement, this is called express (or explicit) consent. Therefore, such a gesture or decision is regarded as positive because it signals approval rather than rejection and leaves no doubt about the individual’s choice. This type of consent is often referred to as opt-in.

Explicit consent is required in certain situations. These situations include the following:

For the processing of sensitive personal information
While using technologies that make it possible to identify a person, locate him/her, or perform profiling
If the processing of data is not within the reasonable expectations of the data subject
If there is a risk of serious harm to the data subject from the intended use or disclosure of the data
If data is used/processed for secondary purposes, i.e. purposes different than the purposes for which the data was originally collected for.

Sensitive Information

Use or disclosure of sensitive information must be authorized by express consent. Sensitive information includes data that involves a high level of reasonable expectation of privacy due to the context of its use or disclosure, including medical, biometric, or otherwise intimate information.

Identification, localization and profiling

The use of technologies making it possible to identify a person, locate him/her, or perform profiling can occur only with the explicit consent of the concerned data subject. Technology that allows for an individual's identification, localization, or profiling must be disabled by default, and organizations must advise the data subjects on how to enable such capabilities.

Organizations are free to develop different mechanisms to capture express consent as long as they are in line with the requirements of the law. However, while developing such mechanisms, the organizations should consider the data subjects targeted, the context and the type of interface used to collect consent. Some common examples of acceptable methods to obtain express consent include signing a document, checking a box, or saying "yes" to a question.

Organizations must make efforts to mitigate consent fatigue by not making the steps involved in providing consent repetitive. However, such efforts must not drive the organizations to assume express consent; consent should always involve the data subject's positive and active gesture. Following are some examples of inadequate methods for obtaining explicit consent as they are not capable of ascertaining the will of a data subject beyond doubt:

Use of pre-checked boxes;
Simply providing the possibility of subsequent refusal (opt-out) vs. Deduction related to the person’s silence or inactivity;
Deduction related to a separate act of the person.

For consent to be considered express, an organization must avoid displaying a request for consent in a way that could be mistaken for another action that an individual must perform, like confirming that the terms of use have been read. The organization must implement clear consent mechanisms for obtaining the data subject’s explicit consent.

As per the Guidance, express (explicit) consent should generally be prioritized. Consent, however, can be implied only under certain circumstances if:

it does not pertain to sensitive information;
it does not conflict with the reasonable expectations of data subjects as per the context;
no risk of serious harm emerges from the intended use or disclosure.
If there is no use of personal information for secondary purposes, that is, for purposes other than those for which it was originally collected (primary purposes).

In the case of implied consent, the consent is not explicitly formulated, and the organization infers it because of the data subject’s silence or inactivity or some other action they take not directly related to the consent. If an organization decides to depend on implicit consent, it must still be able to demonstrate how the consent was obtained. An organization must therefore be able to demonstrate that consent can be inferred (derived) from another action on the part of the subject. This implied consent may be more challenging for the organization to prove than express consent.

Even if consent is implicit or tacit, other criteria for the validity of consent i.e., consent must be free, enlightened, specific, etc., must still be fulfilled, and in case there is any doubt about the real will of the data subject, the organization must seek explicit consent instead of relying on implicit consent.

Consent must be freely provided, which means it must involve genuine choice and control and must not be given under coercion or pressure. The data subjects’ consent is free only when they do not suffer any disproportionate suffering or are not unduly influenced while providing the consent. Consent is free only if it is requested separately for each data processing purpose. The person concerned must not only have the choice of accepting everything or refusing everything.

Giving consent should be as easy for a data subject as not giving consent. Fairness must be maintained in presenting these options (to consent or not to consent). Consent procedures that don't ensure the options are fair or that in any other way influence the user's decision do not elicit truly "free" consent and ultimately result in invalid consent.

Consent is also free if the data subject is capable of withdrawing it at any time. For consent to have voluntary nature, its evocation must not require a disproportionate effort as compared to what was required to provide it.

Consent must be informed, which means it must be specific and founded on relevant information. The concerned individual must be aware of and comprehend what their consent means. If the organization doesn't disclose the relevant information, the control being exercised by the individual is illusory, and the permission is invalid. The concerned individual must have access to the following details to understand what they are being asked to consent to:

Who? The organization on whose behalf consent is obtained;
Why? The purpose of the request for consent, or the purpose for which the information is intended to be used or disclosed;
To whom? Names of external third parties or categories of external third parties to whom the organization will share information, where applicable;
From whom? the types of third parties outside the organization from whom the organization will collect information, if relevant, and their names;
What? Relevant information, or at least classes of information;
Accessible to whom? Individuals from different groups inside the company who will have access to the data to achieve the stated purpose;
Until when? Period of validity of the consent;
And if not? Consequences of not consenting or later withdrawing consent (the organization must ensure that these don't affect the consent's freedom of choice).
With what risks? Reasonably foreseeable risks or consequences associated with the activity for which consent is obtained, if any;
How? Means of using or disclosing the information (e.g. mail communication; use of a fully automated decision);
Where? The location where the information will be shared or stored in connection with an activity for which consent has been obtained, mentioning whether another province other than Quebec may be involved in the location;
What rights? Rights of access, rectification, withdrawal of consent, and information on how to exercise them.

Additionally, an organization should refrain from using lengthy writings that are filled with legal jargon. Due to such variables, individuals find it challenging to comprehend what they consent to completely.

Since freely given consent may be revoked, the concerned individual must have access to the relevant data even after providing it, allowing them to reconsider their decision if required. Consequently, an organization must implement strategies to make such information easily accessible. Moreover, an organization should assist individuals seeking assistance to understand the consent's scope. The organization is responsible for developing mechanisms to this end.

Consent must be provided for a specified intent or for a limited purpose. This requirement is strongly related to the informed consent requirement because only an individual who can clearly grasp what is being asked of them may provide their consent. An organization must use the most precise language available when describing the purposes for which consent is requested. Imprecise, ambiguous, or general terms jeopardize the specificity of consent and hence compromise its validity.

Unless a legal exception is applicable, an organization must obtain new consent from an individual whenever it intends to use or communicate personal information for purposes different than those to which the individual has already consented.

Consent must be granular, meaning it must be asked for each purpose in particular. The organization must request each purpose separately if consent is required for multiple purposes. Granularity provides truly free consent. If a person is required to consent to several purposes simultaneously, their consent is not truly free.

The request for consent must be understandable, meaning it must be delivered in plain and straightforward language and include a clear expression of acceptance or refusal.

Information should be given concisely, that is, it should be expressed in the fewest possible words while still being clear. An organization should avoid using too many periphrases, complicated sentence structures, and pointless words. Long texts or sentences make it difficult for individuals to understand what is being said. An organization should employ basic vocabulary or words that are understandable to the target audience. Without legalese or corporate speak, organizations should employ everyday commonly used words.

Information needs to be tailored to the intended audience. The perspective and profile of the individuals involved must be taken into account by the organization. Some may not be fluent in the language being used (spoken or written), some may not be aware of their privacy rights, and others may not be familiar with the organization's operations. Additionally, while requesting for consent from diverse types of people, an organization should utilize language that is appropriate for those with the lowest literacy levels.

Consent must be temporary, i.e., it must be valid for a limited period of time. Consent is only valid for as long as it takes to accomplish the goals for which it was obtained. As a result, once those goals are achieved, it loses its validity. Data subjects must be informed of the length of the consent's validity period to be able to provide informed and explicit consent. Again, organizations must avoid using ambiguous or imprecise language.

If the individual’s end of consent validity is linked to an event, an organization should provide sufficient information to the person concerned to enable them to know the likely duration of their consent or to estimate when it might end. Additionally, the organization must advise the individual of their ability to revoke consent at any moment.

An organization should ensure continuing openness whenever it obtains consent over a protracted period of time. It should periodically remind the data subjects that the foundation for using or disclosing their information is their consent and should reference the most recent data available in this regard.

A written request for consent must be made separately from any other information provided. The terms of use, privacy policies, requests to verify the accuracy of information submitted, signatures, etc., must all be maintained separately.

How Can Securiti Help

Protecting consumers’ data and to honor consent choices has never been more crucial. Automation is the only reliable and sustainable method to ensure swift compliance with laws' evolving requirements and obligations, as data is being collected and processed at an alarming rate.

Securiti’s Data Command Center framework enables organizations to comply with Quebec’s evolving data privacy landscape by identifying and classifying data, protecting data systems, establishing sensitive data intelligence, governing access to sensitive data, ensuring consent management, analyzing the impact of data breaches and respond promptly, automate individual data requests, automate data privacy obligations, and so much more.

Request a demo to witness Securiti in action.

Understanding Valid Consent Requirements : A Closer Look at the Draft Guidelines Issued by the Quebec Data Protection Authority

An Overview of the Draft Guidelines

Sensitive Information

Identification, localization and profiling

How Can Securiti Help

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

Understanding Valid Consent Requirements : A Closer Look at the Draft Guidelines Issued by the Quebec Data Protection Authority

An Overview of the Draft Guidelines

Criteria for Valid Consent

A. Consent must be manifest

In general, consent must be express (explicit)

Compulsory express consent

Sensitive Information

Identification, localization and profiling

Method of obtaining consent

Consent fatigue

Consent may be implicit, in certain circumstances

B. Consent must be free

C. Consent must be informed

D. Consent must be specific

E. Consent must be granular

F. Consent request must be understandable: it must be presented in clear and simple terms

G. Consent must be temporary: it must be valid only for the duration for which it is necessary

H. Consent request must be separate: it must be submitted separately if it is in writing

How Can Securiti Help

Join Our Newsletter

Share

More Stories that May Interest You

Compliance Checklist for China’s PIPL

Employer Obligations on Employee Data Under Indian Law

The HR Guide to Employee Data Protection

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

What's
New