Québec's privacy regulator, the Commission d'accès à l'information (CAI), has released guidelines on obtaining valid consent (Guidelines) under Québec's updated privacy law. The Guidelines represent a significant change from existing privacy consent practices, and include requirements that extend beyond some of the world's most stringent privacy laws, including the GDPR. Seemingly aimed at smaller businesses, the Guidelines raise implementation questions and challenges for sophisticated businesses that operate in multiple jurisdictions or have deep relationships with their customers or other individuals they interact with.

What you need to know

  • Sophisticated businesses should be familiar with the Guidelines and consider the extent to which they need or want to adjust their consent practices to align with them.
  • The Guidelines:
    • Prescribe when opt-in (express) consent is required, when opt-out (implied) is available, and when notice alone is sufficient such that consent is deemed.
    • Require that businesses obtain consent for non-critical or secondary purposes separately from each other and from any other privacy- or business-related information provided.
    • Require that companies obtain opt-in consent whenever sensitive personal information is involved, and recommend opt-in consent whenever the purpose might be outside reasonable expectations.
  • Businesses' compliance strategies should also consider pending federal privacy law reform, and best practices that help reduce the risks arising from consent-related complaints in the meantime.

What the Guidelines say

The Guidelines set out the CAI's interpretation of the consent requirements for the Act respecting the protection of personal information in the private sector (Act), as well as recommended best practices for businesses to achieve compliance. The Guidelines identify requirements with words like "must", and recommended best practices with words like "should". Below we have summarized the recommendations most likely to impact businesses.

Purposes and consent requirements

The Guidelines rely on a distinction between "primary purposes" (purposes for which the use or disclosure of personal information is necessary to provide a product, service or employment) and "secondary purposes" (legitimate uses of information that are not strictly necessary to provide the product, service or job). Secondary purposes can include marketing, data sharing, analytics, and development of new products, services or tools (including AI training).

Primary purposes

For primary purposes, the Guidelines say that when a business is collecting personal information from the individual, it only needs to provide notice of certain information to obtain consent. This information includes the types of personal information required, the purposes for which the data will be handled, who the information may be provided to, and other details identified in section 8 of the Act. A company that meets the notice requirements of section 8 does not have to get the individual's opt-in or opt-out consent to process their information for these primary purposes (rather, section 8.3 deems consent to have been obtained if the individual provides their information following this notice).

Note that section 6 of the Act requires businesses to obtain an individual's consent to collect their personal information from a third party, subject to certain exceptions. While the Guidelines are entirely silent on this requirement beyond acknowledging its existence, it is worth noting that the above approach for primary purposes is unlikely to apply. Businesses should therefore consider whether they need to obtain opt-in or opt-out consent, or whether the third party in question will have already obtained sufficient consent on the business' behalf.

Secondary purposes

For secondary purposes, the Guidelines confirm that organizations cannot rely on obtaining deemed consent under section 8.3. As such, opt-in or opt-out consent must be obtained unless the Act specifies an exception.

Form of consent: opt-in vs. opt-out

The Guidelines describe two forms of valid consent and when they must or can be used for secondary purposes.

Opt-in

Consent is opt-in (or express) when the individual takes a positive action that clearly shows their agreement, and cannot be construed as agreement to anything else (e.g., a signature, checkbox, or an affirmative answer). Opt-in consent must be used when the purpose involves sensitive personal information (such as medical or biometric information) or another law requires it (such as a credit reporting law). The Guidelines also say that opt-in consent should be used where the intended use or disclosure may be outside the reasonable expectations of the individual, or there is a risk of serious harm involved.

Opt-out

Consent is opt-out (or implied) where the individual's action or inaction can be reasonably interpreted as the individual providing their agreement (e.g., a pre-checked box, or using a "Continue" button in an application after notice of the intended use of the information is provided). The Guidelines say that opt-out consent must not be used for purposes involving sensitive personal information, and should only be used where the purpose is within the reasonable expectations of the individual and there is no risk of serious harm involved.

The Guidelines also say that cases where implied consent is appropriate for a secondary purpose are likely to be relatively rare.

Separate, specified purposes

The Guidelines say that consent must be "granular" (i.e., requested for each specific purpose sought). To meet this requirement, a business must inform the individual of each specific purpose involved, and of the categories of any third parties involved. The language used to describe the purpose must be specific, circumscribed and sufficiently detailed. The Guidelines further say that businesses must allow individuals to express their agreement or disagreement separately, for each of the purposes and each of the third parties (or categories of third parties) involved.

According to the CAI, businesses using implied consent should generally ensure that it is for a single purpose, because it can be difficult to express agreement or disagreement with a specific purpose when using implied consent. Many businesses may find this interpretation to be impractical, unworkable, and contrary to industry practice.

Separate presentation of consent

According to the Guidelines, businesses must present written requests for consent separately from any other information, including information provided in the form of a privacy notice for primary purposes. This also includes separate presentation from information (such as terms and conditions) that is unrelated to privacy. This suggests organizations must distinguish primary purposes (for which notice but no consent is required) from secondary purposes (for which consent is requested) even where no opt-in consent is required. Note however that the Guidelines endorse the use of layering (i.e., providing the key required information in the request for consent itself) and referencing another source (e.g., a privacy policy, FAQs, or other page or document) that provides the rest of the required information.

Withholding and withdrawing consent

The Guidelines say that it must be as easy to withhold consent as it is to provide it, and that the options should be presented fairly (without any undue influence). Consistent with existing privacy law requirements, businesses must allow individuals to decline or opt out of secondary purposes without terminating the product, service or employment. Further, businesses should provide simple and easily accessible opt-out mechanisms.

Next steps for businesses

The Guidelines raise a number of practical issues that may make implementation costly or significantly disruptive. This is particularly the case for sophisticated companies that operate in multiple jurisdictions or have deep relationships with their customers. The following interrelated actions and considerations can help guide such companies in implementing the Guidelines.

Identifying purposes and sources of personal information

An essential component to implementing the Guidelines is compiling an inventory of purposes for which the business handles personal information. Businesses should identify purposes that are: i) primary or secondary purposes subject to the Act's exceptions to obtain consent; ii) primary purposes for which notice will need to be provided; iii) secondary purposes for which express consent will need to be obtained; and iv) secondary purposes for which implied consent can be obtained.

To complete their lists of when consent is required, businesses should also identify when consent is required to collect personal information from a third party or from a minor under 14.

Approach to compliance with Guidelines

Given the practical difficulty in implementing a number of the recommendations, businesses will want to consider the extent to which they can reasonably align with the Guidelines in the short or long term. The Guidelines are ultimately non-binding, and describe what the CAI believes businesses must do according to the Act, and what businesses should do as best practices. Thus, businesses may identify certain best practices that are simply unworkable in the context of their organizations, or unhelpful to individuals who provide personal information. For example, a GDPR-compliant company may determine that some best practices recommended by the CAI are inconsistent with its global approach. Similarly, a business may disagree with the CAI's interpretation of certain requirements under the Act when applied to its operations and audience.

This should of course be weighed against the regulatory and enforcement risks involved. The CAI can be expected to enforce the Act based on its own interpretation of it. While the CAI has signaled that its immediate approach to enforcement will be more outreach-oriented where appropriate, businesses should keep in mind that penalties for violations of the Act can amount to $10 million or 2% of global revenue (whichever is higher), and fines can reach $25 million or 4% of global revenue (whichever is higher).

Parallel federal privacy reform

Businesses with operations outside Québec also need to consider the federal privacy law reforms in Bill C-27, which is currently being reviewed by the House of Commons Standing Committee on Industry and Technology. Bill C-27's requirements may be more or less stringent than the Guidelines or the Act, and national or international organizations will want to harmonize their approach across Canada.

Consent management tools

Businesses that handle personal information for multiple secondary purposes should consider whether a consent management tool would be an effective means of implementing individuals' various consent permissions. While not always a perfect fix, these tools can reduce administrative burden and the risk of human error.

Other best practices

In addition to updating consent forms and practices, there are additional measures to reduce the risks arising from consent-related complaints. These measures include:

  • providing accessible and efficient processes to resolve privacy questions and complaints.
  • making it easy for customers and employees to exercise opt-out rights.
  • reviewing the consent process for new products, services or initiatives against both legal requirements and the Guidelines as part of existing risk assessment processes (for example, as part of the Privacy Impact Assessment process going forward).
  • documenting existing consent practices and mapping them against the statutory requirements of the Act, federal PIPEDA, and applicable international laws.
  • reminding individuals of their existing consent choices, such as through a "privacy check-up" tool.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.