Consent as a cornerstone of Law 25
Before Law 25, consent requirements existed in Quebec privacy law, but they were often applied broadly or implicitly. Since the law came into full force in September 2023, the requirements are more specific. A checkbox at the bottom of a form or a clause buried in general terms and conditions is no longer sufficient.
Consent must now be manifest, free, informed, and given for specific purposes. These four criteria are not decorative: they redefine what an organization can legally do with the information it collects.
The four criteria for valid consent
Manifest: consent must be a positive, clear action. A pre-checked box does not constitute valid consent. The person must actively do something to express agreement.
Free: the person must not face pressure or disadvantage for refusing. Conditioning access to a service on accepting the collection of non-necessary information creates a compliance problem.
Informed: the person must understand what they are agreeing to. This means explaining, in plain language, what information is collected, why, who will have access, and how long it will be kept.
For specific purposes: this is where granularity comes in. If you collect an email address to send an invoice and also want to use it for marketing communications, you need two separate consents. A single "all-inclusive" form is no longer acceptable.
The right to withdraw consent
Law 25 strengthens individuals' right to withdraw consent at any time. Withdrawal must be as easy as giving consent. If someone signed up in two clicks, they should not have to send an email and wait for a manual response to unsubscribe.
In practice, this means you need to provide an accessible withdrawal mechanism, and your organization must be able to process these requests within a reasonable timeframe. After withdrawal, you can no longer use the information for the relevant purpose.
When consent is not required
The law provides exceptions. You do not need consent in the following situations:
- Legal obligation: the law requires you to collect or communicate the information (for example, a tax reporting obligation).
- Contract performance: the information is necessary to carry out the agreed service with the person. A delivery service does not need separate consent to use the delivery address.
- Legitimate interest (under certain conditions): this exception is narrowly framed and does not cover broad commercial purposes.
These exceptions are not general escape routes. If you invoke them, make sure you can document the justification.
Practical examples
Contact form on a website: collecting a name and email address to respond to an information request is reasonable in a pre-contractual context. If you later want to send a newsletter, you need a separate consent for that purpose.
Employment context: an employer can collect information necessary for managing the employment relationship without explicit consent for each purpose, because labour law creates a legal framework. However, using an employee's information for other purposes requires valid consent.
Loyalty program: signing up for a points program often involves collecting purchase data, habits, and sometimes preferences. Each purpose for using that data must be clearly stated and require separate consent if it goes beyond managing the program itself.
How to document consent
Obtaining consent is not enough: you must be able to prove it. Your organization should keep a record of:
- the version of the form or notice presented to the person at the time of consent
- the date and time of consent
- the purposes accepted
- consent withdrawals and their date
This documentation becomes essential in the event of an incident or a Commission d'accès à l'information (CAI) investigation. A clear record also protects your organization internally, when multiple teams use the same data.
A practical starting point
Inventory your current collection forms. For each one, ask three questions: does the person genuinely understand what they are agreeing to? Does the consent cover all the uses we make of the information? Can we prove the consent was given?
The answers will show you where to focus your update efforts.
Observantia includes a consent management module that lets you document, track, and archive collected consents, and handle withdrawal requests in a structured way.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.