Consent: Rules and Requirements Under Quebec Privacy Law
Art. 8, 9, 12, 13, 14, 15, LPRPSP
What the law requires
Consent is the foundation for collecting and using personal information under Quebec's privacy law. The rules have been significantly strengthened to require consent that is manifest, free, informed, and given for specific purposes.
Manifest consent: Consent must result from a clear action by the person. Pre-checked boxes, silence, or inaction do not constitute valid consent.
Informed consent: Before collecting consent, you must inform the person of: the purposes of collection, the means of collection, rights of access and rectification, and the possibility of withdrawing consent.
Separate consent for each purpose: A consent request must be presented separately from any other information. Each secondary purpose requires separate consent.
Sensitive information: For sensitive information, particularly health data, biometric data, political opinions, or financial information, consent must always be explicit.
Legal reference
"Consent under this Act must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language. If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned. If the person concerned so requests, assistance is provided to help him understand the scope of the consent requested."
"The consent of a minor under 14 years of age is given by the person having parental authority or by the tutor. The consent of a minor 14 years of age or over is given by the minor, by the person having parental authority or by the tutor."
"Consent is valid only for the time necessary to achieve the purposes for which it was requested."
"Consent not given in accordance with this Act is without effect."
— Art. 14, Act respecting the protection of personal information in the private sector
What you must do
Consent compliance requires reviewing all your personal information collection points: web forms, sign-ups, contracts, cookies, and marketing communications.
Implied vs Express Consent
Acceptable implied consent: When collection is manifestly necessary for the obvious purpose of the service. For example: a customer provides their address for delivery — using the address for delivery is implicitly consented.
Explicit consent required:
- Sensitive information (health, biometrics, finances, opinions)
- Use for secondary purposes (marketing, profiling)
- Disclosure to third parties
- Tracking or advertising cookies
- Any collection not obvious from context
Compliant Forms
For each form collecting personal information:
- Clearly identify each purpose. "We use your email to: send your invoice, inform you of our promotions."
- Separate consents. One unchecked box for each secondary purpose.
- Use simple language. Avoid legal jargon. Be precise and concise.
- Provide a link to your privacy policy. Full details accessible in one click.
Cookies and Consent
Cookies that collect personal information or track user behavior for advertising require consent:
- Display a banner before activating non-essential cookies
- Clearly explain which cookies are used and why
- Offer a real choice: accept, refuse, or customize
- Allow changing the choice at any time
- Essential cookies for site operation do not require consent
Withdrawal of Consent
Any person can withdraw consent at any time. You must:
- Offer a simple way to withdraw consent (as simple as giving it)
- Stop using the information for the purpose concerned
- Delete the information if no other legal basis justifies retention
- Document the withdrawal and its date
Common mistakes
- Pre-checked boxes. Pre-checked consent boxes are not valid. Consent must result from an affirmative user action.
- Bundled consent. Requesting a single consent for multiple different purposes ("I agree to receive my invoices and promotional offers"). Each secondary purpose must be separate.
- Making service conditional on consent. Refusing to provide a service if the customer doesn't consent to unnecessary purposes. Example: refusing a sale if the customer declines the newsletter.
- Buried consent. Hiding the consent request in lengthy terms of use. Consent must be presented separately.
- No proof. Not documenting when and how consent was obtained. In case of complaint, you must be able to demonstrate consent.
- Forgetting withdrawal. Not offering a simple way to withdraw consent, or ignoring withdrawal requests.
- Cookies activated by default. Activating tracking cookies before obtaining consent, then displaying the banner.
Frequently asked questions
When is explicit consent mandatory?
Explicit consent is mandatory for: (1) sensitive information (health, biometrics, finances), (2) disclosure to third parties for commercial purposes, and (3) any use other than the purpose for which the information was collected.
Can consent be implied?
Yes, but only for the primary purpose and if that purpose is obvious given the context. For example, collecting an email to send an invoice. For any other use, consent must be explicit.
How do I obtain valid consent for cookies?
For cookies that collect personal information or track behavior, you must: (1) clearly inform the user before activation, (2) explain the use, (3) obtain affirmative consent. Pre-checked boxes are not valid.
Can a customer withdraw consent?
Yes, at any time and without justification. You must stop using their information for the purpose concerned. Withdrawal is not retroactive — past uses remain legitimate.
Is consent from minors different?
Yes. For minors under 14, consent must be given by the person with parental authority. Between 14 and 18, the minor may be able to consent themselves, but it will depend on the specific situation.
Can I refuse service if a customer refuses consent?
Only if the information is necessary for the service. You cannot condition a service on consent for unnecessary purposes (e.g., refusing a sale if the customer declines the newsletter).
How do I document consent?
Keep proof: timestamp, checked box, record of submitted form. You must be able to demonstrate that consent was given, when, and for what purposes.
Next step
Once your consent practices are updated, ensure your privacy policy accurately reflects your actual practices and that you have a process in place to handle access and rectification requests.