IDC Names Securiti a Worldwide Leader in Data Privacy


Understanding Valid Consent Requirements A Closer Look at the Draft Guidelines Issued by the Quebec Data Protection Authority

By Securiti Research Team
Published July 14, 2023

Listen to the content

Quebec's data protection authority, the Commission d'accès à l'information (CAI), recently published a consultation on the collection of consent in relation to personal data protection. The CAI oversees the application of Quebec’s main privacy laws, namely the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, also known as the Access Act, and the Act Respecting the Protection of Personal Information in the Private Sector, also known as Private Act.

Most of Quebec’s Law 25's provisions, which revised the aforementioned Acts, will soon go into effect. Therefore the CAI has put together some preliminary guidelines on what constitutes valid consent for the collection of personal data under the two laws. The consultation was completed on July 2, 2023, and the CAI intends to publish the final guidelines in October 2023. The regulator has nevertheless stated that this deadline might change based on the overall number of comments received and the necessary adjustments.

An Overview of the Draft Guidelines

The guidelines are intended to help individuals and organizations, who are subject to these laws, gain a deeper understanding of the components utilized to evaluate each statutory requirement that must be met to obtain valid consent.

Note: The guidelines do not cover the health industry or address consent to disclosing non-personal information—such as technical or financial information or trade secrets.

Quebec's privacy legislations require seeking valid consent from the data subjects for a variety of purposes, including the following:

  • To collect personal information from a minor under the age of 14;
  • To collect personal information from a third party in the private sector;
  • To use personal information for secondary purposes, i.e. for purposes other than those for which it was collected (primary purposes); and
  • To disclose or divulge personal information to a third party.

An organization must obtain the valid consent of an individual if it is unsure or unable to demonstrate that an exception applies in a specific circumstance. Additionally, if an individual provides their personal information, they are assumed to have given their consent for it to be used and disclosed for the purposes of which they were informed, provided certain conditions are met.

Valid consent is defined under section 53.1 of the Access Act and section 14 of the Private Act. As per these definitions, the following are the criteria that must be fulfilled for consent to be valid:

Understanding Valid Consent Requirements | A Closer Look at the Draft Guidelines Issued by the Quebec Data Protection Authority

Consent must be manifest i.e., obvious, and must be given in a way that demonstrates the real will of the data subject. Generally, explicit consent should be prioritized; however, it can be implicit in certain circumstances. Organizations should consider the following requirements to ensure that the consent collected from a data subject is manifest:

When a person actively expresses (or explicitly states) their agreement, this is called express (or explicit) consent. Therefore, such a gesture or decision is regarded as positive because it signals approval rather than rejection and leaves no doubt about the individual’s choice. This type of consent is often referred to as opt-in.

Explicit consent is required in certain situations. These situations include the following:

  • For the processing of sensitive personal information
  • While using technologies that make it possible to identify a person, locate him/her, or perform profiling
  • If the processing of data is not within the reasonable expectations of the data subject
  • If there is a risk of serious harm to the data subject from the intended use or disclosure of the data
  • If data is used/processed for secondary purposes, i.e. purposes different than the purposes for which the data was originally collected for.
Sensitive Information

Use or disclosure of sensitive information must be authorized by express consent. Sensitive information includes data that involves a high level of reasonable expectation of privacy due to the context of its use or disclosure, including medical, biometric, or otherwise intimate information.

Identification, localization and profiling

The use of technologies making it possible to identify a person, locate him/her, or perform profiling can occur only with the explicit consent of the concerned data subject. Technology that allows for an individual's identification, localization, or profiling must be disabled by default, and organizations must advise the data subjects on how to enable such capabilities.

Organizations are free to develop different mechanisms to capture express consent as long as they are in line with the requirements of the law. However, while developing such mechanisms, the organizations should consider the data subjects targeted, the context and the type of interface used to collect consent. Some common examples of acceptable methods to obtain express consent include signing a document, checking a box, or saying "yes" to a question.

Organizations must make efforts to mitigate consent fatigue by not making the steps involved in providing consent repetitive. However, such efforts must not drive the organizations to assume express consent; consent should always involve the data subject's positive and active gesture. Following are some examples of inadequate methods for obtaining explicit consent as they are not capable of ascertaining the will of a data subject beyond doubt:

  • Use of pre-checked boxes;
  • Simply providing the possibility of subsequent refusal (opt-out) vs. Deduction related to the person’s silence or inactivity;
  • Deduction related to a separate act of the person.

For consent to be considered express, an organization must avoid displaying a request for consent in a way that could be mistaken for another action that an individual must perform, like confirming that the terms of use have been read. The organization must implement clear consent mechanisms for obtaining the data subject’s explicit consent.

As per the Guidance, express (explicit) consent should generally be prioritized. Consent, however, can be implied only under certain circumstances if:

  • it does not pertain to sensitive information;
  • it does not conflict with the reasonable expectations of data subjects as per the context;
  • no risk of serious harm emerges from the intended use or disclosure.
  • If there is no use of personal information for secondary purposes, that is, for purposes other than those for which it was originally collected (primary purposes).

In the case of implied consent, the consent is not explicitly formulated, and the organization infers it because of the data subject’s silence or inactivity or some other action they take not directly related to the consent. If an organization decides to depend on implicit consent, it must still be able to demonstrate how the consent was obtained. An organization must therefore be able to demonstrate that consent can be inferred (derived) from another action on the part of the subject. This implied consent may be more challenging for the organization to prove than express consent.

Even if consent is implicit or tacit, other criteria for the validity of consent i.e., consent must be free, enlightened, specific, etc., must still be fulfilled, and in case there is any doubt about the real will of the data subject, the organization must seek explicit consent instead of relying on implicit consent.

Consent must be freely provided, which means it must involve genuine choice and control and must not be given under coercion or pressure. The data subjects’ consent is free only when they do not suffer any disproportionate suffering or are not unduly influenced while providing the consent. Consent is free only if it is requested separately for each data processing purpose. The person concerned must not only have the choice of accepting everything or refusing everything.

Giving consent should be as easy for a data subject as not giving consent. Fairness must be maintained in presenting these options (to consent or not to consent). Consent procedures that don't ensure the options are fair or that in any other way influence the user's decision do not elicit truly "free" consent and ultimately result in invalid consent.

Consent is also free if the data subject is capable of withdrawing it at any time. For consent to have voluntary nature, its evocation must not require a disproportionate effort as compared to what was required to provide it.

Consent must be informed, which means it must be specific and founded on relevant information. The concerned individual must be aware of and comprehend what their consent means. If the organization doesn't disclose the relevant information, the control being exercised by the individual is illusory, and the permission is invalid. The concerned individual must have access to the following details to understand what they are being asked to consent to:

  1. Who? The organization on whose behalf consent is obtained;
  2. Why? The purpose of the request for consent, or the purpose for which the information is intended to be used or disclosed;
  3. To whom? Names of external third parties or categories of external third parties to whom the organization will share information, where applicable;
  4. From whom? the types of third parties outside the organization from whom the organization will collect information, if relevant, and their names;
  5. What? Relevant information, or at least classes of information;
  6. Accessible to whom? Individuals from different groups inside the company who will have access to the data to achieve the stated purpose;
  7. Until when? Period of validity of the consent;
  8. And if not? Consequences of not consenting or later withdrawing consent (the organization must ensure that these don't affect the consent's freedom of choice).
  9. With what risks? Reasonably foreseeable risks or consequences associated with the activity for which consent is obtained, if any;
  10. How? Means of using or disclosing the information (e.g. mail communication; use of a fully automated decision);
  11. Where? The location where the information will be shared or stored in connection with an activity for which consent has been obtained, mentioning whether another province other than Quebec may be involved in the location;
  12. What rights? Rights of access, rectification, withdrawal of consent, and information on how to exercise them.

Additionally, an organization should refrain from using lengthy writings that are filled with legal jargon. Due to such variables, individuals find it challenging to comprehend what they consent to completely.

Since freely given consent may be revoked, the concerned individual must have access to the relevant data even after providing it, allowing them to reconsider their decision if required. Consequently, an organization must implement strategies to make such information easily accessible. Moreover, an organization should assist individuals seeking assistance to understand the consent's scope. The organization is responsible for developing mechanisms to this end.

Consent must be provided for a specified intent or for a limited purpose. This requirement is strongly related to the informed consent requirement because only an individual who can clearly grasp what is being asked of them may provide their consent. An organization must use the most precise language available when describing the purposes for which consent is requested. Imprecise, ambiguous, or general terms jeopardize the specificity of consent and hence compromise its validity.

Unless a legal exception is applicable, an organization must obtain new consent from an individual whenever it intends to use or communicate personal information for purposes different than those to which the individual has already consented.

Consent must be granular, meaning it must be asked for each purpose in particular. The organization must request each purpose separately if consent is required for multiple purposes. Granularity provides truly free consent. If a person is required to consent to several purposes simultaneously, their consent is not truly free.

The request for consent must be understandable, meaning it must be delivered in plain and straightforward language and include a clear expression of acceptance or refusal.

Information should be given concisely, that is, it should be expressed in the fewest possible words while still being clear. An organization should avoid using too many periphrases, complicated sentence structures, and pointless words. Long texts or sentences make it difficult for individuals to understand what is being said. An organization should employ basic vocabulary or words that are understandable to the target audience. Without legalese or corporate speak, organizations should employ everyday commonly used words.

Information needs to be tailored to the intended audience. The perspective and profile of the individuals involved must be taken into account by the organization. Some may not be fluent in the language being used (spoken or written), some may not be aware of their privacy rights, and others may not be familiar with the organization's operations. Additionally, while requesting for consent from diverse types of people, an organization should utilize language that is appropriate for those with the lowest literacy levels.

Consent must be temporary, i.e., it must be valid for a limited period of time. Consent is only valid for as long as it takes to accomplish the goals for which it was obtained. As a result, once those goals are achieved, it loses its validity. Data subjects must be informed of the length of the consent's validity period to be able to provide informed and explicit consent. Again, organizations must avoid using ambiguous or imprecise language.

If the individual’s end of consent validity is linked to an event, an organization should provide sufficient information to the person concerned to enable them to know the likely duration of their consent or to estimate when it might end. Additionally, the organization must advise the individual of their ability to revoke consent at any moment.

An organization should ensure continuing openness whenever it obtains consent over a protracted period of time. It should periodically remind the data subjects that the foundation for using or disclosing their information is their consent and should reference the most recent data available in this regard.

A written request for consent must be made separately from any other information provided. The terms of use, privacy policies, requests to verify the accuracy of information submitted, signatures, etc., must all be maintained separately.

How Can Securiti Help

Protecting consumers’ data and to honor consent choices has never been more crucial. Automation is the only reliable and sustainable method to ensure swift compliance with laws' evolving requirements and obligations, as data is being collected and processed at an alarming rate.

Securiti’s DataControls Cloud framework enables organizations to comply with Quebec’s evolving data privacy landscape by identifying and classifying data, protecting data systems, establishing sensitive data intelligence, governing access to sensitive data, ensuring consent management, analyzing the impact of data breaches and respond promptly, automate individual data requests, automate data privacy obligations, and so much more.

Request a demo to witness Securiti in action.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend