CAI Quebec Publishes Criteria for Validity of Consent

On October 31, 2023, Quebec’s Commission d'acces a l'information (CAI) published the final version of a guideline on the validity of consent. The guideline, according to the official announcement on the CAI’s website, “was developed in the context of the entry into force of provisions of Act 25, enhancing the obligations of organizations regarding the protection of personal information.” Act 25, or Quebec Law 25, which was formerly known as Bill 64, brought a significant reform to the Private Sector Act, imposing changes that are to become effective over a period of three years, which started in September 2022.

The guideline is published with “public and private organizations that must obtain consent from individuals to use or communicate their personal information” in mind and aims to do the following: 

• Facilitate understanding of the criteria to be respected to obtain valid consent;
• Clarify the obligations of organizations in obtaining valid consent;
• Identify good practices that promote respect for people’s right to privacy.

It consists of four main parts containing a glossary of terms, an introduction into what is consent, the eight criteria for valid consent, and examples to help make the criteria easier to understand. 

Below we include the eight criteria for valid consent, and an example for each, as outlined in the guideline. It is important to note that this guideline is intended to clarify the obligations of covered entities and that laws and regulations take precedence over the guideline at all times. As regards valid consent, the eight criteria listed are connected to each other and equally important; so much so that if one criterion of the eight is not met, consent will not be considered valid. 

1. Consent must be evident. It must be obvious and given in a way that demonstrates the real wishes of the person concerned. Consent must sometimes be expressed, that is, given by a statement or positive gesture that only indicates consent. Alternatively, consent can also be implied.
   
   Example: A manufacturer markets an educational toy for children from 5 to 8 years old. The toy can record the child’s first name and measure the progress of his answers to questions related to letters and numbers (correct or incorrect answer, response time, etc.). These results are then accessible on a secure web portal for parents. The manufacturer must obtain parental consent to collect this information from children. When configured, the toy gives auditory instructions to parents. To consent to this collection from their child, he asks them to connect to the web portal in order to tick an acceptance or refusal box. This mechanism allows the manufacturer to obtain express parental consent.
   
   
2. Consent must be free. It must involve a real choice and control by the person concerned. This person must be able to make a choice without constraint or pressure. Giving consent should be as easy as not giving it. The data subject must also be able to withdraw their consent at any time.
   
   Example: The website of a clothing store allows its customers to create an account to facilitate their online purchases. During each login, it displays an alert that offers data subjects the option to receive the weekly newsletter of the shop, which includes discounts that may interest them. It is as easy to accept this secondary use of the email address as it is to refuse it. However, in case of refusal by a data subject, the window is displayed at each of its subsequent connections to his account. These repeated and close requests for consent, regardless of the will already expressed by the data subject, could compromise its free character. To avoid this problem, the store could ensure that a reasonable time interval (e.g. a few months) separates these requests.
   
   
3. Consent must be informed. The data subject must understand what they are consenting to and what this entails. The organization requesting consent must provide specific information. It should mention the objective pursued, the information sought and the people who will have access to it. Finally, the person giving consent must be able to do so (e.g. not be incapacitated or under 14 years of age).
   
   Example: Two online shopping platforms collect buyers' consent to share their contact information with other companies for promotional offers. They use different texts:
   Platform A: “I agree to [the Company] sharing my contact information with partners.”Platform B: “I authorize [the Company] to forward my name and email address to its e-commerce affiliates for promotional offers.”
   The text of platform B, more complete, is more likely to lead to informed consent than that of platform A, which does not disclose the purpose of the communication and gives no indication of the identity of its partners.
   
4. Consent must be given for specific purposes. In other words, the purposes of using or communicating personal information must be defined as precisely as possible.
   
   Example: A union seeks express consent from some of its members to use some of the information contained in active grievances to “improve its processes”. This term is imprecise and harms the specific character of consent, because it does not allow data subjects to really understand the intended purpose. This should be stated more clearly, depending on the context (e.g. to “improve training for grievance staff”, “train artificial intelligence to automate certain steps in grievance processing”, etc.).
5. Consent must be granular. It must be requested for each of the intended purposes. If there are several purposes, consent must be requested separately for each of them. This granularity allows the data subject to clearly express their wishes, because they can accept or refuse each specific purpose.
   
   Example: A non-profit organization (NPO) organizes a gala to present awards recognizing the work of certain practitioners in its field of activity. It collects the email addresses of candidates to inform them of their appointment and details of the ceremony. It also proposes that candidates consent to actions for three secondary purposes: a) use their email address to contact them to assess their satisfaction after the event; b) use their email address to send them the organization’s general newsletter; c) allow the company designated by the organization to take official photos of the winners to retain their email address to offer discounts on other photography services. In order to respect the granular nature of the consent, the NPO has these three purposes in a table that includes a column "Yes" and a column "No".
   Candidates may thus accept or refuse, separately, each of these three purposes:
   “Do you consent to your address being:
   • Used to contact you to assess your post-event satisfaction? - ☐ Yes ☐ No
   • Used to send you our general newsletter? - ☐ Yes ☐ No
   • Retained by the company designated to officially take photos of the winners to offer you discounts on other services? - ☐ Yes ☐ No
6. The request for consent must be understandable. It must be presented in simple and clear terms, both for the information provided and for the question or statement of acceptance or refusal. The remarks should be concise, that is to say expressed with a minimum of words. They should use common vocabulary, without legal or organizational jargon. They should use the most direct terms possible.
   
   Example: An organization seeks consent using the following text:
   

   “The Customer agrees to the automated analysis by the Company, in particular, but not limited to, historical transactional data for the purpose of determining a profile by machine learning model; said profile will be used by the Company to issue, without making a formal commitment to do so, and subject to its current policies and procedures, personalized offers to reduce the purchase price of certain products, provided that the Customer complies with the terms of use.”

   This very legal and technical text contains several words that are not common vocabulary and several complex turns (long sentence, incises, etc.). It can confuse the person concerned, thereby compromising their informed consent. The following text would be simpler and therefore more understandable:

   “Receive personalized offers – I authorize the company to use my purchase history to determine my buyer profile using an artificial intelligence system. The company will be able to choose to send me personalized discount offers adapted to my profile if I respect the terms of use of the application.”

7. Consent must be temporary. It must be valid for a limited period, i.e. only the duration necessary to accomplish the purposes targeted by the request. The duration limit can be linked to a deadline (e.g. 6 months or 3 years) or to an event (e.g. as soon as a payment is completed).
   
   Example: As part of its professional hiring process, an organization asks candidates to provide two references that it can consult for the assessment of the candidate’s work for previously held positions, in addition to information on evaluations on file. It provides an electronic form for sending references. Wishing to be transparent about the period of validity of the consent, the organization specifies to the candidates that it is valid only until a decision regarding the application is made. This consent is then delimited by an event.
8. The request for consent must be present in such a way so as to be distinguishable from any other information, if made in writing. It must therefore be separated from terms of use, privacy policies, signatures, etc. It must have its own section or interface easily accessible by the data subject.
   
   Example: When completing the creation of an account for an online game, players must check a box stating that they accept the terms of use, to which a hyperlink leads. However, no reference to consent is included in the form. By clicking on the link,  players may discover that the Terms of Use contain, among other things, the publisher’s privacy policy. It is mentioned in the text that by accepting the terms of use, players consents to the use of their friend list, metadata on their device, their interactions with the game (clicks, hours, etc.) and their conversations on the public server for the purpose of targeted advertising, improving the gaming experience and combating cheating, among others. Players also consent to the distribution of their score in the game on a public platform, accompanied by their pseudonym and the history of their games, in order to stimulate competition in the game.
   

   On the specific issue of consent, the fact that such information is incorporated into a privacy policy itself included in terms of use that relate to a variety of other matters compromises the distinct character of consent. Moreover, this situation threatens its manifest character (gesture of consent inseparable from the gesture of acceptance of the conditions of use), free (granular refusal impossible) and informed (information difficult to access).

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

• All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
• Seamless integration into your website;
• Adaptability to your users’ location and applicable regulation;
• Customizable branding;
• ReadyCompliance™: Covering 30+ data privacy regulations;
• Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.