Julie Himo (00:06): The province of Québec has recently seen major changes to its privacy regime with the implementation of Law 25. A major focus area for the Québec privacy regulator has been consent rules. My name is Julie Himo, and I’m a privacy and cybersecurity partner in Torys’ Montréal office. I’m here with our associate, Rosalie Jetté, to give you an overview of the new rules.
Rosalie Jetté (00:28): That’s right. Julie, can you tell us what are some of the key takeaways that organizations should keep in mind when it comes to obtaining valid consent from individuals?
Julie Himo (00:38): Of course. The first thing our clients should know is that there may be a different approach to obtaining consent, depending on the purposes for which they wish to use the information. If you are collecting personal information that is strictly necessary to provide products or services, it is possible that Law 25 would only require a notice to individuals and not obtaining their consent.
On the other hand, if you wish to use personal information for other reasons than solely providing products and services, for example, if you want to market additional products to your clients, you will need to obtain their consent. Depending on the scenario, an opt-in (express) consent may be required. In other situations, an opt-out (implied) consent could be sufficient.
Also, as a general rule, organizations should keep in mind that to use or disclose sensitive personal information such as medical, financial or biometrical information, an opt-in (express) consent will be necessary.
Rosalie Jetté (01:37): That’s very helpful, Julie. Another key takeaway is the necessity criteria, which is required for valid consent. In other words, an organization cannot rely on consent to collect and use personal information that it does not need to accomplish its purpose. So if, for example, an organization is asking a client to consent to the processing of their personal information to complete a purchase, it cannot ask for other information which is not required to process that purchase and rely on the person’s consent to use it for other reasons.
Julie Himo (02:07): Absolutely. And Rosalie, is there any specific guidance about how a consent should be obtained?
Rosalie Jetté (02:13): First, organizations should remember that according to the law and the guidance released by the Québec privacy regulator, consent to privacy practices should be presented separately from other information, such as business terms or terms and conditions. Organizations should also remember that consent should be as easy to withhold as it is to provide. This means that if there is a button to click to consent to privacy practices, the button that allows to decline consent should be as easy to access and use. The goal is that individuals are given a real choice about their privacy.
Julie Himo (02:45): Thank you, Rosalie. These are certainly requirements that organizations need to be aware of to avoid regulatory scrutiny and potential liability.
With the recent overhaul of Québec’s privacy regime, organizations operating in Québec must ensure that they obtain valid consent for the collection, use and disclosure of personal information. In this video, Julie Himo and Rosalie Jetté discuss the new rules, including:
© 2024 by Torys LLP.
All rights reserved.