Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Quebec: The CAI's guidelines for consent

On October 31, 2023, the Commission on Access to Information (CAI) published the final version of its guidelines on obtaining valid consent (the Guidelines), only available in French here. These Guidelines apply to companies doing business in Quebec that are subject to the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 (the Private Sector Act). These Guidelines also apply to Quebec public sector organizations subject to the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c. A-2.1 (the Public Sector Act), where consent is required for the use or disclosure of personal information (under Section 14 of the Private Sector Act and Section 53.1 of the Public Sector Act).  

These Guidelines intend to help explain the criteria needed to obtain valid consent within the scope of the law, clarify an organization's obligations when obtaining consent, and identify best practices with regard to consent. Both Canadian and foreign companies offering goods or services in Quebec should therefore be familiar with these Guidelines, as they will form the basic framework in an analysis if there is ever a complaint or incident brought to the CAI involving the use or communication of personal information of a person located in Quebec. Tara D'Aigle-Curley, of ROBIC L.L.P, delves into these guidelines, analyzing each criterion of consent and how companies can ensure compliance.  

Liyao Xie/Moment via Getty Images

Key takeaways of the Guidelines

Notably, the Guidelines do not concern the collection of personal information. In Section B.3 of the Guidelines, the CAI is very clear on the fact that Quebec law, unlike Canadian or international law, does not require companies to obtain consent for the collection of personal information. Organizations must respect the principles of necessity and transparency, as stipulated in Section 8 of the Private Sector Act. In other words, if the collection of personal information can be justified on the grounds of necessity and the organization is transparent about its practices, it would be permissible to collect personal information. Furthermore, Section B.6 on the collection of personal information for primary purposes makes it clear that an organization may consider that individuals who knowingly provide their personal information are also consenting to its use and disclosure when necessary for the stated primary purposes. This opens the door to the collection of personal information by screen scraping, or the massive collection of data for the purpose of algorithm training, when this is at the heart of an organization's activities. The potential for abuse is high, especially when sensitive personal information is collected for primary purposes.  

Primary versus secondary purposes

Primary purposes relate to the provision of services or to the organization's business model. For example, in the banking or financial sector, a primary purpose could be to open an account for an individual. Conversely, secondary purposes are characterized by what is useful to the company but not essential to its service delivery, for example, business intelligence for the administration of a loyalty program or marketing and advertising in a financial institution.  

Valid consent criteria

To be valid, consent must meet eight criteria. All of these criteria are interrelated and important. Consequently, if a criterion is not respected in the eyes of the CAI, consent will not be valid and the personal information may be considered to have been obtained in a manner contrary to the law, opening the door to administrative and pecuniary sanctions.  

The eight criteria for valid consent are: 

  • consent must be clear; 
  • consent must be free; 
  • consent must be informed; 
  • consent must be given for specific purposes; 
  • consent must be granular; 
  • the request for consent must be understandable and written in simple, clear terms; 
  • consent must be temporary; and 
  • the request for consent must be presented separately. 

The eight criteria of validity are also added to the principle of necessity, which, according to the CAI, applies to all stages in the life cycle of personal information: collection, use, disclosure, retention, and destruction. It should be noted that the law only specifies this principle at the time of collection.  

Clear consent

Consent must be obvious and given in a way that demonstrates the actual will of the individual giving it. Consent may be explicit (express consent) or implied. Express consent is when a person takes an active (positive) gesture, such as making a statement, checking a box, or signing. In other words, it is opt-in consent. Express consent is essential when an organization wishes to use or communicate sensitive personal information for secondary purposes, such as creating targeted audiences. Conversely, consent is implied when the individual's wishes can be inferred from their inaction, such as deactivating a checkbox that has already been ticked. A person should have a valid opportunity to refuse or opt-out. Note that the CAI specifies that when in doubt regarding an individual's true intention to use or disclose their personal information for secondary purposes, the organization should obtain express consent from them.  

Free consent

The concerned individual must be able to express their wishes without undue pressure and without suffering disproportionate harm. Giving consent to the use or disclosure of personal information for a secondary purpose must be as simple as not giving it. The same applies to withdrawing consent, which should be accessible through a simple mechanism. For example, the request for consent could include a checkbox to allow the organization to use and disclose personal information for marketing purposes. This must not influence the initial agreement. Consequently, having to provide personal information for marketing purposes in order to access a news site would clearly not be permitted in Quebec. Similarly, the CAI warns organizations against 'dark patterns,' i.e., tricks and strategies on websites that make a user do things that they did not intend to do. There are strategies that emphasize consent rather than refusal, as well as repeated requests for consent which could contravene the free nature of consent, among other things through consent fatigue.  

Informed consent

Consent must be sufficiently clear and precise for the individual to understand what they are consenting to and the possible consequences for the protection of their privacy. Information provided to individuals at the time of collection of personal information that will be used or disclosed for secondary purposes must be presented separately for each purpose. For example, it would likely be preferable to allow the data subject to choose whether or not their personal information will be used for profiling, separately from them choosing whether they would like to receive newsletters.  

Consent given for specific purposes

Consent must have a precise and circumscribed purpose or purposes. To meet the requirements of this criterion, an organization must avoid vague, broad, or imprecise terms. For example, it is no longer permitted to use wording such as: 'for the purposes of ... and any other purposes subsequently determined by the organization.' Consent for each purpose is essential and when an organization adds a secondary purpose for using or disclosing personal information to its activities, it must seek renewed consent.  

Granular consent

Consent must be sought for each purpose. According to the CAI, this criterion ensures that consent remains free and that the individual should not have the sole choice of accepting or refusing the use or communication of their personal information for all secondary purposes targeted by the organization. It is interesting to note that the CAI indicates that the organization must draw up a list of all third parties or categories of third parties to whom the personal information is to be communicated. This means that the individual debating giving their consent could potentially refuse to have their personal information transmitted to a particular third party or category of third parties for the fulfillment of a purpose. This is a relatively heavy burden for organizations, many of which function in structures that do not allow for such consent management. This may lead some organizations to argue that a purpose is primary in order to get around these difficulties. The CAI also mentions that it will be difficult to comply with granularity requirements if the organization relies on implicit consent rather than express consent.  

Understandable consent

The consent request must be presented in simple, clear terms, both in how the information is provided and in the consent statement itself. To this end, words should be concise, the vocabulary simple, and the company's intentions straightforward. The company must also ensure that its level of language is appropriate for its target audience. For example, a consent statement drafted for the general public will not necessarily use the same wording as a statement drafted for lawyers.  

Temporary consent

Consent must have a limited duration associated with the intended purpose. The limit can be linked to a deadline or an event. An organization should determine, in advance, the length of time required to fulfill the purpose, and therefore, the length of time that the consent is valid. Furthermore, it is important not to confuse the data's retention period with the period of validity of consent, as the two will not necessarily always be the same.  

Presented separately

The written request for consent must be presented separately from any other information. It must be separate from conditions of use, confidentiality policies, commitments or signatures, and any other elements of a similar nature. Consent must be easily identifiable and accessible by the individual concerned. It is not valid if it is expressed by a gesture that may also be intended to attest to something else, such as the validity of the information provided.  

Importance of documentation

The CAI recommends that organizations document and keep track of all consent in order to explain and back up their actions in the event of a complaint or allegation of action taken without consent, or in the event of an investigation. Note that this recommendation to document consent is limited to specific situations where the valid consent criteria apply, which amounts to the use or disclosure of personal information for secondary purposes if we follow the CAI's reasoning in combining Sections B.6 on presumed consent and Section B.3 on the collection of personal information. Indeed, for all practical purposes, the Guidelines indicate that the collection, use, and disclosure of personal information for primary purposes would be valid when the organization complies with the necessity principles and fulfills its obligations of openness at the time of collection. 

Implied consent under the CASL 

Marketers tend to underestimate the importance of consent in Quebec when it comes to sending promotional e-mails. However, the beginning of a relationship with a person doesn't mean organizations can assume their consent to receive newsletters. Express and specific consent would be needed for these mailings as Canada's Anti-Spam Legislation, SC 2010 c 23 (CASL) specifies that commercial or philanthropic prospecting is not an acceptable secondary purpose for presuming consent.  

Comments

Surprisingly, the CAI emphasizes that these criteria for valid consent do not apply to the collection of personal information. This view is at odds with the common interpretation of other provincial and Canadian privacy laws where consent is the basis for any collection of personal information. In Quebec, organizations are required to only provide the information stipulated by law, which could be found, for example, in a privacy policy, and this would seem to be sufficient to enable the collection of personal information in all transparency and legality. 

It is also notable that the CAI invokes the principle of necessity at all stages of the personal information life cycle, when in fact this principle only technically applies in law to the collection of personal information. 

Tara D'Aigle-Curley Lawyer 
[email protected]  
ROBIC L.L.P, Quebec