Quebec Privacy Commissioner Releases Draft Guidelines on Valid Consent and Launches Public Consultation
This article is part of our Bill 64/Law 25 Blog Series, which will provide readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Private Sector Act” or the “Act”). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for businesses looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.
Organizations doing business in Quebec are gearing up for the most significant wave of amendments to the Private Sector Act brought about by the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Law 25” and formerly known as Bill 64). The entry into force of Law 25 is taking place successively, with most of the amendments becoming effective on September 22, 2023. Among the key amendments coming into force this September are the modifications to Section 14 of the Private Sector Act: the Act’s consent provision.
The amendments to Section 14 reimagine the meaning of consent under the Act by providing specific criteria that define its validity. Consent is the only basis for collection, use and disclosure of personal information under the Private Sector Act, subject only to the narrow exceptions set out therein. Therefore, these amendments strike at the very core of the new privacy regime introduced by Law 25.
The Commission d'accès à l'information (“CAI”), the regulatory authority that oversees the application of the Quebec Private Sector Act, has recently published a draft guideline (“Draft Guideline”)[1] providing greater insight into the CAI’s interpretation of Section 14. More specifically, the CAI provides detailed guidance about how to satisfy each of the eight elements set out in the provision, the sum of which amounts to valid consent. These elements are:
We have reproduced the language of Section 14 of the Private Sector Act, as revised by Law 25, showing where these eight elements are found.
“Consent under this Act must be clear, free and informed and be given for specific purposes [i.e. Specific]. It must be requested for each such purpose [i.e. Granular], in clear and simple language [i.e. Understandable]. If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned [i.e. Separate]. If the person concerned so requests, assistance is provided to help him understand the scope of the consent requested [this is another aspect of consent being Informed].
The consent of a minor under 14 years of age is given by the person having parental authority or by the tutor. The consent of a minor 14 years of age or over is given by the minor, by the person having parental authority or by the tutor.
Consent is valid only for the time necessary to achieve the purposes for which it was requested [i.e. Temporary].
Consent not given in accordance with this Act is without effect.”
1. Eight elements of valid consent - unpacked
Each element is explained in detail in the Draft Guideline and supported by fact pattern-based examples and best practices. We have summarized the key points of each of these eight elements of valid consent.
(a) Consent must be clear
Consent must be clear and granted in a manner that demonstrates the true will of the person concerned. Although the CAI acknowledges valid consent may (in certain circumstances) be implied, the Draft Guidelines reinforce the CAI’s clear preference that organizations seek express (or explicit) consent. The manner in which express consent is obtained is context driven, though the CAI emphasizes that the person is aware that they are giving consent, in particular so that they understand the disclosures made by the organization concerning the handling of their personal information. The CAI also warns against methodologies that presume an express consent. Thus, an active and unequivocally positive gesture is required. The CAI presents several non-examples of how to obtain express consent: pre-checked boxes, opt-out (where there is a simple possibility of subsequent refusal), deducing express consent from silence, inactivity or any activity taken by the person.
Express consent is mandatory in some situations, such as when the information is sensitive. Law 25 defines sensitive personal information as information that due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, entails a high level of reasonable expectation of privacy.
In this context, it is particularly notable that the Draft Guideline addresses Section 8.1 of the Act in its treatment of express consent. Section 8.1 requires organizations to inform persons of technology used to profile, locate or identify them, as well as the means available to activate such functionality. While this provision is drafted in the form of a transparency obligation, the CAI’s interpretation of this Section in the Draft Guidelines appears to convert a mere notification obligation into an “express consent” obligation, which results in indirect functionality implications as well. The implicit logic of the CAI’s interpretation of Section 8.1 is as follows: since informing someone of the means available to “activate” functionality used to profile, locate or identify an individual implies that such functionality is “deactivated” by default, it follows that “activation” of such technology will require the individual’s express consent.
By further implication, if the logic of this argument is accepted, it would mean that settings for “cookies” that track location or that are used to profile or identify an individual would have to be deactivated by default. In this sense, the CAI’s interpretation of the notification obligation in Section 8.1 is further transformed into a “privacy by default” obligation with obvious functionality implications for the design of websites and applications. However, if such is the case, the CAI’s interpretation of Section 8.1 appears to run headlong into a conflict with the text of Section 9.1 of Law 25. Section 9.1 requires businesses that collect personal information while offering a technological product or service to “ensure that the parameters of the product or service provide the highest level of confidentiality by default, without the intervention of the person concerned”. However, Section 9.1 expressly states that this “privacy default” obligation does not apply to privacy settings for browser cookies.
Given the inconsistent drafting of Sections 8.1 and 9.1 of Law 25 and the potentially onerous business consequences of accepting the CAI’s “express consent” interpretation of Section 8.1, it is almost certain that these provisions of the Draft Guidelines will be hotly debated.
Finally, the CAI does acknowledge that implied consent may be sufficient if the specific context does not concern sensitive personal information, does not run counter to the reasonable expectations of a person in a given context, and there is no risk of serious prejudice emerging from the intended use. Where all of these conditions are met, consent may be inferred from the silence or inactivity of the person, or from another action that they may take.[2] When relying on implied consent, the organization must still be able to demonstrate that it was obtained in a manifest manner. In other words, the organization must be able to prove that consent can be inferred (deduced) from other behavior on the part of the person. In case of doubt, the CAI suggests that organizations rely on express consent.
(b) Consent must be free
Consent involves genuine choice and personal control, and must be given without coercion or pressure. For instance, the “accept” option should not be disproportionately emphasized relative to the “decline” option when asking for consent. Furthermore, consent is arguably not free when an organization repeatedly asks for consent after the person has already refused. According to the CAI, organizations should generally only request consent once for the same purpose, unless a substantial change in the context justifies it.
The CAI draws attention to several specific forms of coercion or pressure that organizations should avoid. An organization should generally avoid presenting consent as an indispensable component of the conditions for using a service, supplying a good or gaining access to a job. If the transaction subject to consent is necessary for the provision of the service or product, or for employment, the organization must state this explicitly and explain the consequences of not carrying out the transaction. It must also be able to demonstrate why the transaction is necessary in the circumstances.
The CAI also warns of imbalanced power dynamics (e.g. employer-employee) when seeking consent. Organizations must ensure that undue pressure is not placed on an employee to consent to a purpose of collection, use or disclosure of the personal information.
The person concerned must also have the right to withdraw consent at any time, and the organization must provide a simple and accessible mechanism for doing so and inform the person of this option. The fact that a person has to make disproportionate efforts to exercise this right may hinder the free nature of the consent.
(c) Consent must be informed
The person must know and understand what they are consenting to. Before or at the moment of the request for consent, the person must also be provided with the mandatory transparency disclosures set out in the Private Sector Act. The information must also be accessible even after consent has been granted, so that the person can re-evaluate their decision.
Specifically, the Draft Guidelines indicate that the following details should be provided to individuals regarding the collection of their personal information in order to ensure that consent is given on an “informed” basis (warning: the list is long!):
- Who?: the identity of the organisation on behalf of whom the consent is requested
- Why?: the purpose(s) for which the consent is sought
- For whom?: if applicable, the name or categories of third parties to whom the personal information will be communicated
- From whom?: if applicable, the name or categories of third parties from whom the personal information will be collected
- What?: what (categories of) personal information will be collected
- Accessible by whom?: categories of individuals within an organization who will have access to the personal information
- For how long?: duration of validity of consent
- Consequences of withholding consent?: these must not undercut the notion that consent should be “freely” given
- Risks?: what risks or consequences in relation to the personal information are reasonably foreseeable and associated with the proposed use of such information
- How?: how will the personal information be used
- Where?: where will it be hosted
- What rights?: explanations of right to withdraw consent + rights of access and rectification
As can be imagined, meeting such disclosure obligations in a manner that is “clear” and “simple” will be a challenge!
Moreover, consent must be given by a person who is capable of binding themselves at the time of giving it (e.g. the person must be over the age of 14 years old and have capacity).
(d) Consent must be given for specific purposes
Consent must be given for specific purposes, meaning that such purposes are precise and circumscribed. This is related to the requirement that consent is informed, making it clear to the person exactly what they are consenting to. An organization should therefore use language that is as specific as possible about the purposes for which it is seeking consent (rather than using vague or ambiguous language), and collect or use nothing more than the specific information and context for which consent was granted.
(e) Consent must be requested for each such purpose [i.e. Granular]
Consent must be requested for each purpose. To meet this element, an organization must ensure that the purpose of the consent is as well-defined as possible. According to the CAI’s Draft Guidelines, if an organization intends to collect personal information for multiple purposes, the organization should separately request specific consent for each purpose. In this regard, the Draft Guidelines provide the example of a non-profit organisation that collects contact information during a charity fundraiser for three distinct purposes: a) to send a post-event satisfaction survey; b) to send a newsletter; and c) to permit the organisation to send photos of the event. According to the CAI, in order to obtain valid consent, the non-profit would have to ask the individual three separate consent questions (one in relation to each purpose of collection).
This interpretation of Section 14 of Law 25 by the CAI is utterly unworkable for most organizations and will almost certainly lead to consumer consent fatigue. Most organizations collect personal information for dozens of purposes. While it is perfectly legitimate to expect that such companies will transparently identify such purposes one by one in a granular format, it would be utterly unwieldy to then expect organisations (and their customers and employees) to then work through a cumbersome consent process dozens of times.
(f) Request for consent should be in clear and simple language [i.e. Understandable]
The request for consent must be presented in simple and clear terms, both in respect of the information and the specific statement of acceptance or refusal. The request for consent must be concise, direct, and tailored to the level of literacy of the person concerned. The request for consent must also be structured in several levels, taking into account the context of the organization's activities, to avoid overloading the person with information and to facilitate their understanding.
As indicated above, it will no doubt be a challenge for organisations to meet this obligation if they are to also follow the “informed consent” recommendations set out in the Draft Guidelines.
(g) Consent is valid only for the time necessary to achieve the purposes for which it was requested [i.e. Temporary]
Consent is valid for a limited period of time. It is valid only for as long as is necessary for the purposes for which it was requested. It is no longer valid once these purposes have been fulfilled, which can be measured by a specified term (by the passage of a certain amount of time) or by the occurrence of a certain event. In order to provide informed and specific consent, persons must be informed of the period of validity of their consent.
The organization must also respect the right of the person to withdraw consent at any time, and notify the person of any changes that may affect the validity of consent. According to the CAI, where an organization seeks consent for a very long period of time, it should pay particular attention to transparency on an ongoing basis, remind the person at appropriate intervals that it is using or disclosing their information on the basis of consent, and remind them of their right to withdraw consent at any time.
(h) If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned [i.e. Separate]
The request for consent must be separate, that is, if it is made in writing it must be submitted separately from any other information. This element aims to ensure that the granting of consent is not confused with another action taken by the person, such as confirming that the terms and conditions have been read or that the information provided is valid. The request for consent must be presented separately rather than embedded in a privacy policy, terms of use, or any other document.
2. Consultation process
The CAI is holding a six-week consultation to seek comments on the Draft Guideline, running from May 16, 2023 to June 25, 2023 at 11:55 PM. The consultation allows participants to comment on the proposed guidelines and to share suggestions for future guidelines. The consultation document also lists 18 stakeholders, welcoming participants to either share their comments with one or more of these stakeholders, or even to collaborate with them in order to jointly produce a submission. It is worth noting that the final guidelines are only expected to be published by the CAI in October 2023, following the entry into force of the sanctions for non-compliance with consent requirements on September 22, 2023.
This consultation presents a valuable opportunity to contribute to the development of a clearly defined and thoughtfully developed framework for valid consent, which is essential for the protection of personal information and the prioritization of ongoing relationships of trust between organizations and individuals in this rapidly evolving domain. To participate in the consultation, please visit the CAI's website and fill out the online questionnaire. It is worth noting that the guideline will not apply to the health sector, which is governed by its own domain-specific rules.[3]
To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.
[1] Note that the Draft Guideline is currently available in French only.
[2] Avis de consultation, Lignes directrices 2023-1 sur les critères de validité du consentement, published May 16 2023, p. 18.
[3] Avis de consultation, Lignes directrices 2023-1 sur les critères de validité du consentement, published May 16 2023, p. 1.