Understanding Valid Consent Requirements A Closer Look at the Draft Guidelines Issued by the Quebec Data Protection Authority

A. Consent must be manifest

Consent must be manifest i.e., obvious, and must be given in a way that demonstrates the real will of the data subject. Generally, explicit consent should be prioritized; however, it can be implicit in certain circumstances. Organizations should consider the following requirements to ensure that the consent collected from a data subject is manifest:

In general, consent must be express (explicit)

When a person actively expresses (or explicitly states) their agreement, this is called express (or explicit) consent. Therefore, such a gesture or decision is regarded as positive because it signals approval rather than rejection and leaves no doubt about the individual’s choice. This type of consent is often referred to as opt-in.

Compulsory express consent

Explicit consent is required in certain situations. These situations include the following:

• For the processing of sensitive personal information
• While using technologies that make it possible to identify a person, locate him/her, or perform profiling
• If the processing of data is not within the reasonable expectations of the data subject
• If there is a risk of serious harm to the data subject from the intended use or disclosure of the data
• If data is used/processed for secondary purposes, i.e. purposes different than the purposes for which the data was originally collected for.

Sensitive Information

Use or disclosure of sensitive information must be authorized by express consent. Sensitive information includes data that involves a high level of reasonable expectation of privacy due to the context of its use or disclosure, including medical, biometric, or otherwise intimate information.

Identification, localization and profiling

The use of technologies making it possible to identify a person, locate him/her, or perform profiling can occur only with the explicit consent of the concerned data subject. Technology that allows for an individual's identification, localization, or profiling must be disabled by default, and organizations must advise the data subjects on how to enable such capabilities.

Method of obtaining consent

Organizations are free to develop different mechanisms to capture express consent as long as they are in line with the requirements of the law. However, while developing such mechanisms, the organizations should consider the data subjects targeted, the context and the type of interface used to collect consent. Some common examples of acceptable methods to obtain express consent include signing a document, checking a box, or saying "yes" to a question.

Consent fatigue

Organizations must make efforts to mitigate consent fatigue by not making the steps involved in providing consent repetitive. However, such efforts must not drive the organizations to assume express consent; consent should always involve the data subject's positive and active gesture. Following are some examples of inadequate methods for obtaining explicit consent as they are not capable of ascertaining the will of a data subject beyond doubt:

• Use of pre-checked boxes;
• Simply providing the possibility of subsequent refusal (opt-out) vs. Deduction related to the person’s silence or inactivity;
• Deduction related to a separate act of the person.

For consent to be considered express, an organization must avoid displaying a request for consent in a way that could be mistaken for another action that an individual must perform, like confirming that the terms of use have been read. The organization must implement clear consent mechanisms for obtaining the data subject’s explicit consent.

Consent may be implicit, in certain circumstances

As per the Guidance, express (explicit) consent should generally be prioritized. Consent, however, can be implied only under certain circumstances if:

• it does not pertain to sensitive information;
• it does not conflict with the reasonable expectations of data subjects as per the context;
• no risk of serious harm emerges from the intended use or disclosure.
• If there is no use of personal information for secondary purposes, that is, for purposes other than those for which it was originally collected (primary purposes).

In the case of implied consent, the consent is not explicitly formulated, and the organization infers it because of the data subject’s silence or inactivity or some other action they take not directly related to the consent. If an organization decides to depend on implicit consent, it must still be able to demonstrate how the consent was obtained. An organization must therefore be able to demonstrate that consent can be inferred (derived) from another action on the part of the subject. This implied consent may be more challenging for the organization to prove than express consent.

Even if consent is implicit or tacit, other criteria for the validity of consent i.e., consent must be free, enlightened, specific, etc., must still be fulfilled, and in case there is any doubt about the real will of the data subject, the organization must seek explicit consent instead of relying on implicit consent.

B. Consent must be free

Consent must be freely provided, which means it must involve genuine choice and control and must not be given under coercion or pressure. The data subjects’ consent is free only when they do not suffer any disproportionate suffering or are not unduly influenced while providing the consent. Consent is free only if it is requested separately for each data processing purpose. The person concerned must not only have the choice of accepting everything or refusing everything.

Giving consent should be as easy for a data subject as not giving consent. Fairness must be maintained in presenting these options (to consent or not to consent). Consent procedures that don't ensure the options are fair or that in any other way influence the user's decision do not elicit truly "free" consent and ultimately result in invalid consent.

Consent is also free if the data subject is capable of withdrawing it at any time. For consent to have voluntary nature, its evocation must not require a disproportionate effort as compared to what was required to provide it.

C. Consent must be informed

Consent must be informed, which means it must be specific and founded on relevant information. The concerned individual must be aware of and comprehend what their consent means. If the organization doesn't disclose the relevant information, the control being exercised by the individual is illusory, and the permission is invalid. The concerned individual must have access to the following details to understand what they are being asked to consent to:

1. Who? The organization on whose behalf consent is obtained;
2. Why? The purpose of the request for consent, or the purpose for which the information is intended to be used or disclosed;
3. To whom? Names of external third parties or categories of external third parties to whom the organization will share information, where applicable;
4. From whom? the types of third parties outside the organization from whom the organization will collect information, if relevant, and their names;
5. What? Relevant information, or at least classes of information;
6. Accessible to whom? Individuals from different groups inside the company who will have access to the data to achieve the stated purpose;
7. Until when? Period of validity of the consent;
8. And if not? Consequences of not consenting or later withdrawing consent (the organization must ensure that these don't affect the consent's freedom of choice).
9. With what risks? Reasonably foreseeable risks or consequences associated with the activity for which consent is obtained, if any;
10. How? Means of using or disclosing the information (e.g. mail communication; use of a fully automated decision);
11. Where? The location where the information will be shared or stored in connection with an activity for which consent has been obtained, mentioning whether another province other than Quebec may be involved in the location;
12. What rights? Rights of access, rectification, withdrawal of consent, and information on how to exercise them.

Additionally, an organization should refrain from using lengthy writings that are filled with legal jargon. Due to such variables, individuals find it challenging to comprehend what they consent to completely.

Since freely given consent may be revoked, the concerned individual must have access to the relevant data even after providing it, allowing them to reconsider their decision if required. Consequently, an organization must implement strategies to make such information easily accessible. Moreover, an organization should assist individuals seeking assistance to understand the consent's scope. The organization is responsible for developing mechanisms to this end.

D. Consent must be specific

Consent must be provided for a specified intent or for a limited purpose. This requirement is strongly related to the informed consent requirement because only an individual who can clearly grasp what is being asked of them may provide their consent. An organization must use the most precise language available when describing the purposes for which consent is requested. Imprecise, ambiguous, or general terms jeopardize the specificity of consent and hence compromise its validity.

Unless a legal exception is applicable, an organization must obtain new consent from an individual whenever it intends to use or communicate personal information for purposes different than those to which the individual has already consented.

E. Consent must be granular

Consent must be granular, meaning it must be asked for each purpose in particular. The organization must request each purpose separately if consent is required for multiple purposes. Granularity provides truly free consent. If a person is required to consent to several purposes simultaneously, their consent is not truly free.

F. Consent request must be understandable: it must be presented in clear and simple terms

The request for consent must be understandable, meaning it must be delivered in plain and straightforward language and include a clear expression of acceptance or refusal.

Information should be given concisely, that is, it should be expressed in the fewest possible words while still being clear. An organization should avoid using too many periphrases, complicated sentence structures, and pointless words. Long texts or sentences make it difficult for individuals to understand what is being said. An organization should employ basic vocabulary or words that are understandable to the target audience. Without legalese or corporate speak, organizations should employ everyday commonly used words.

Information needs to be tailored to the intended audience. The perspective and profile of the individuals involved must be taken into account by the organization. Some may not be fluent in the language being used (spoken or written), some may not be aware of their privacy rights, and others may not be familiar with the organization's operations. Additionally, while requesting for consent from diverse types of people, an organization should utilize language that is appropriate for those with the lowest literacy levels.

G. Consent must be temporary: it must be valid only for the duration for which it is necessary

Consent must be temporary, i.e., it must be valid for a limited period of time. Consent is only valid for as long as it takes to accomplish the goals for which it was obtained. As a result, once those goals are achieved, it loses its validity. Data subjects must be informed of the length of the consent's validity period to be able to provide informed and explicit consent. Again, organizations must avoid using ambiguous or imprecise language.

If the individual’s end of consent validity is linked to an event, an organization should provide sufficient information to the person concerned to enable them to know the likely duration of their consent or to estimate when it might end. Additionally, the organization must advise the individual of their ability to revoke consent at any moment.

An organization should ensure continuing openness whenever it obtains consent over a protracted period of time. It should periodically remind the data subjects that the foundation for using or disclosing their information is their consent and should reference the most recent data available in this regard.

H. Consent request must be separate: it must be submitted separately if it is in writing

A written request for consent must be made separately from any other information provided. The terms of use, privacy policies, requests to verify the accuracy of information submitted, signatures, etc., must all be maintained separately.

How Can Securiti Help

Protecting consumers’ data and to honor consent choices has never been more crucial. Automation is the only reliable and sustainable method to ensure swift compliance with laws' evolving requirements and obligations, as data is being collected and processed at an alarming rate.

Securiti’s DataControls Cloud framework enables organizations to comply with Quebec’s evolving data privacy landscape by identifying and classifying data, protecting data systems, establishing sensitive data intelligence, governing access to sensitive data, ensuring consent management, analyzing the impact of data breaches and respond promptly, automate individual data requests, automate data privacy obligations, and so much more.

Request a demo to witness Securiti in action.