The impact of Law 25 (ex Bill 64) on consents

In Quebec, Law 25 (formerly Bill 64) modernizes regulations regarding the protection of personal information. Its objective is to provide citizens with better control over their personal information. This law supports businesses in the collection and use of this information. Several clarifications are introduced into the Private Sector Act (LPRPSP) to regulate consent. It is important to fully understand these and to be well prepared, to avoid any sanction.

What is consent? 

Consent is the action by an individual of accepting the collection of his personal information by an organization with the aim of using or communicating it for different purposes. According to the Law, any person who provides personal information after having been adequately informed (for example, on the purposes for which the information is collected, the means used and their right of access and withdrawal) consents to their use and disclosure (art 8.3, LPRPSP).

When is consent required?

Consent must be explicitly obtained:

• To use personal information about an individual, within the company, for other purposes than which it was initially collected (art 12, LPRPSP);
• To communicate an individual’s personal information to a third party (art 13, LPRPSP);
• To use personal information for commercial or philanthropic prospecting purposes (art 22, LPRPSP).

What is valid consent according to the Law?

Criteria

The notion of consent has not just been introduced into the LPRPSP.  Actually, certain criteria are already provided in this last law. However, Law 25 adds new criteria to be met in order to validate consents. Therefore, to be valid, a consent must now be/have:

• Manifest: Is obvious and certain, it leaves no room for ambiguity
• Free: Was not obtained under pressure
• Informed: Knowingly given
• Given for specific purposes: Cannot be general
• Duration: Expired upon completion of the purposes for which it was requested
• Required for each of these purposes: Must be redone for each different intended use
• Simple and clear terms: Content must be adapted to be understood by the targeted reader
• Distinct: Presented separately from any other information communicated in writing (not concealed)

Consent that does not meet all of these criteria will be considered invalid and without effect (art 14, LPRPSP). In addition, since consent is not final, an individual has the right to revoke it and to withdraw it.

Minor

When the individual is a minor, i.e. an individual under the age of 14, it is necessary to obtain the consent of the parental authority or a guardian to collect personal information. The consent of a child is not valid. However, it is not necessary to obtain the consent of a parental authority, when the collection is clearly for the benefit of the minor (art 4.1, LPRPSP).

Sensitive information

Consent must be manifested expressly when it comes to sensitive personal information (art 12, LPRPSP). Personal information is considered sensitive when it has a high reasonable expectation of privacy, such as medical, biometric or intimate information (e.g. a social insurance number). Consent is said to be express when it is illustrated by behavior, writing or words that clearly indicate the will of the person expressing it.

Exceptions

Despite the importance given to consent, some situations do not require prior assent. Indeed, personal information may be used for another purpose without the consent of the person concerned (art 12, LPRPSP), when its use is:

• for purposes compatible with those for which it was collected (excluding commercial or philanthropic prospecting);
• for the benefit of the individual;
• for the purposes of preventing and detecting fraud or evaluating and improving protection and security measures;
• for the purpose of supplying or delivering a product or providing a service requested by the individual;
• for the purposes of studies, research or the production of statistics and that it is depersonalized.

In addition, a person carrying on a business may, without the consent of the person, communicate personal information to any person or organization if such communication is necessary:

• for the exercise of a mandate or the execution of a service contract (art. 18.3, LPRPSP);
• for the purpose of concluding a commercial transaction (art. 18.4, LPRPSP)
• for study and research purposes or for the production of statistics (art. 21, LPRPSP)

The information must be used for these purposes only and must be destroyed after.

Actions to take

To help you prepare for these new requirements, here are some steps you can take now:

1. Review the current collection process of consent and update your online subscription forms to ensure that they fully respect the right to consent (right to modify/withdraw consent) and that they inform on the reasons for the collection;
   

2. Provide a detailed consent form with checkboxes to allow the person to choose each specific purpose to which they consent and seek consent again when it has expired or the purposes have changed;
3. Be sure to obtain the express consent of visitors to your website when a data collection device is activated. For example, using a cookie warning window (pop-up);
4. Adapt your information collection and processing procedures to take into account situations involving the collection of so-called sensitive information or information relating to individuals under the age of 14;
5. Keep all evidence of consent obtained.

To see how Dialog Insight can help you comply with the management of your consents, visit our Law 25 compliance page.