Unpacking the Quebec Information Regulator’s guidelines on valid consent

Quebec’s information regulator, the Commission d’accès à l’information (CAI), has released draft guidelines on valid consent under the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Law 25” or “the AITA”).

Most provisions of Law 25 will take effect from September 2023. The law will impact how organizations request consent across various contexts, including cookies and direct marketing.

Here’s an outline of the CAI’s draft guidance on valid consent.

Please note that our summary of the CAI’s guidance is based on an unofficial machine translation. We have provided the original French, where appropriate.

When is consent required?

The CAI provides some examples when Law 25 requires organizations to obtain consent:

• To collect personal information from a minor under the age of 14 (consent must be obtained from the minor’s parent or guardian).
• To collect personal information from a third party in the private sector.
• To use personal information for “secondary purposes” (purposes other than those for which the information was initially collected).
• To disclose personal information to a third party.

The consent requirements do not explicitly concern cookies. But cookies can serve many purposes, some of which do require consent on the terms identified above (particularly the second and final examples).

And the CAI’s guidance provides an example of valid consent, specifically in the context of cookies:

In this example, a magazine publisher offers personalized content (not necessarily ads) by collecting information via cookies about the user’s interactions with its website.

Before setting cookies on the user’s device, the publisher displays a cookie pop-up that displays the necessary privacy information and provides the visitor with two clearly identified buttons (“Accept” and “Refuse”). The CAI would consider this a valid way to obtain consent.

Presumed consent

Law 25 recognizes “presumed consent” in some circumstances, namely when:

• The organization provides an individual with the information required under Law 25,
• The individual provides their personal information, and
• The organization uses the information for the purpose disclosed to the individual.

Under these circumstances, the individual can be presumed to have consented to the use of their personal information for the specified purpose.

But the CAI notes that presumed consent will only arise if:

• It does not relate sensitive information
• It does not contradict people’s reasonable expectations.
• There is no risk of serious harm.

The CAI cites profiling, which can occur via cookies, as an example of a specific situation where presumed consent is not appropriate.

Elements of consent

The CAI derives eight elements of valid consent from Law 25’s “consent” definition:

1. Express
2. Free
3. Informed
4. Specific
5. Granular
6. Understandable
7. Temporary
8. Separate

Let’s consider each of these elements of valid consent in turn.

Express consent

In general, consent must be “express” (“manifeste”): Given in a way that demonstrates the actual intentions of the individual.

The CAI sees “express consent” as the general standard under Law 25 unless the rules for “presumed consent” are met.

The cookies example provided above, is a demonstration of “express consent”. The user is offered comprehensive information, they have two clear choices, and the cookies are not set until the user clicks “accept”.

The CAI states that the following practices would not constitute “express consent”:

• Failing to untick a pre-ticked box
• Failing to opt-out
• Silence or inactivity
• Any action other than providing consent (e.g. navigating a website)

Free consent

Consent must be “free” (“libre”): An exercise of genuine choice and control, given without coercion or pressure.

The CAI warns against:

• Consent mechanisms that deceive or manipulate the user or that emphasize acceptance over refusal (“dark patterns”).
• Repeated consent requests that could annoy an individual into accepting.
• Making access to products or services conditional on providing consent (e.g. via a “cookie wall”).
• Consent requested in the context of an imbalance of power (where the individual might feel pressure to accept).

For an individual to provide “free” consent, they must be able to withdraw their consent at any time.

Informed consent

Consent must be “informed” (“éclairé”): Precise and based on appropriate information. The individual must also have the capacity to provide consent, or else consent must be sought from the individual’s parent or carer.

Here’s a summary of the information the CAI expects an organization to provide when requesting consent:

• The name of the organization seeking consent.
• The purpose for which consent is sought.
• The names or types of any third parties who might receive the information.
• The names or types of any third parties from whom the organization might collect the personal information.
• The types of personal information to be collected.
• The types of people within the organization who will have access to the information.
• The period for which the individual’s consent will remain valid.
• The consequences of failing to provide consent.
• Any risks associated with the intended use of the personal information.
• The means by which the personal information will be processed.
• The location in which the personal information will be stored (including whether this location is outside of Quebec).
• The individual’s rights, and how to exercise them.

The CAI suggests breaking the required information into “levels” to make it more accessible to the individual, with the most important information at the first level and extended information at the second level (this is particularly relevant to cookie banners).

Specific consent

Consent must be “specific” (“spécifique”): Given for precise purposes or objectives.

“Vague, broad or imprecise terms threaten the specific nature of consent, and therefore its validity,” the CAI states.

When relying on an individual’s consent, you must not use their personal information for “secondary purposes” (purposes other than the “primary purpose” specified at the point of collection).

If you wish to use the personal information for a new purpose, you must obtain a “new consent” for that purpose.

Granular consent

Consent must be “granular” (“granulaire”): Requested, where relevant, for each well-defined purpose.

When requesting consent, the CAI suggests that you delineate your purposes as much as you can.

For example, if you’re collecting someone’s email address to send them a digital product, you might also wish to ask them to sign up to your newsletter, and to provide feedback on their purchase.

There are three separate purposes here:

• Services (sending the individual their product)
• Newsletter (marketing)
• Feedback (service improvement)

The first purpose is likely to be covered by “presumed” consent.

A granular approach should apply to the other two purposes. This could mean, for example, providing two separate tick-boxes at checkout (one for the newsletter, one for the feedback request).

Understandable consent

Consent must be “understandable” (“compréhensible”): The consent request must be presented in simple and clear terms.

The CAI identifies the following characteristics of an “understandable” consent request:

• Simplicity (of vocabulary)
• Clarity (of intent)
• Adaptability (tailored to the intended audience)

Consent will not be valid if the individual does not understand what they are being asked to consent to.

Temporary consent

Consent must be “temporary” (“temporaire”): Valid for a limited period of time.

How long does consent last? It depends.

Consent might be limited based on a specific period (e.g. 30 days) or until a trigger event (e.g. once payment is completed or an account is closed).

Time periods might be set by law (particularly in the financial sector) or based on the period for which the personal information is needed.

You should be transparent about the time period for which consent will remain valid.

Separate consent

Consent must be “separate” (“distinct”): Presented separately from any other information.

Do not bundle consent requests with other information that is irrelevant to the request. Acceptance of broad terms and conditions will not generally be considered valid consent for a specific purpose.

This is taken from a pdf of the guidance that I translated using DeepL and marked up myself. Feel free to include it or delete it. I have written the surrounding text so that you can delete the image and it will still make sense.