On September 22nd, 2023, Law 25, officially “an Act to modernize legislative provisions as regards the protection of personal information”, will come into force in Quebec, Canada. This legislation will have significant impacts on businesses handling the personal data of Quebec residents.
The Commission d’accès à l’information (CAI) prepared initial guidelines on the criteria for valid consent, and spent the months of May and June consulting with specific businesses to determine the appropriateness of these proposed guidelines. The consultations ended on June 25th, and businesses await the final version of these guidelines, which the CAI has stated will be published in early October.
The CMA’s Response
One of the companies asked to consult on these guidelines was the Canadian Marketing Association (CMA). Its submission is excellent and expresses concerns that certain interpretations of Law 25 could lead to unintended consequences for consumers and businesses. The CMA also argues that some examples given without proper contextual analysis in the draft guidelines will be extremely and unnecessarily burdensome for organizations. The CMA emphasizes the importance of distinguishing between legal requirements and optional best practices with respect to obtaining consent.
They also raise the issue of the guidelines’ length, suggesting that businesses, especially small and medium-sized enterprises with limited access to legal advice, need concise and straightforward guidance on applying Law 25. The CMA commends the inclusion of a helpful visual tool but suggests additional practical tools like a summary checklist or flowchart to assist organizations in understanding the basic legal requirements.
The CMA believes that the CAI should amend their guidelines in seven key areas:
- Mandatory express consent for identification, tracking and profiling: The CMA strongly recommends removing section 13 from the guidelines, as it pertains to section 8.1 of the Act, and instead creating separate guidelines specific to the collection of personal information through identification, location, and profiling technologies. They emphasize the need for consultation with the CMA and other industry stakeholders to address the complex and diverse nature of these technologies, promote transparency and avoid confusion for organizations and consumers.
- Express consent and consent fatigue: The CMA urges the CAI to clarify that while express consent may be preferred in certain situations, it should not be encouraged for every case (section 30 of the guidelines). Law 25 does not mandate express consent “whenever possible,” and promoting this approach would increase consent fatigue. The examples in section 33 of the guidelines should be replaced with more effective best practices to address consent fatigue.
- Granularity – separate consent for each purpose: In section 59 of the guidelines, organizations should be allowed to bundle similar and logically related purposes when requesting consent, as long as each purpose is clearly stated, and the groupings are not confusing or misleading.
- Authentication of the data subject – parental consent: Section 25 of the guidelines should state that organizations must make reasonable efforts to verify parental consent. This requirement should focus on organizations that are aware they are processing personal information of minors. This approach aligns with similar laws in the US, California, and the EU, and ensures that organizations unintentionally processing the data of minors are not unnecessarily targeted.
- Failure to obtain valid consent as a confidentiality incident: Section 16 of the guidelines should be removed. Separate guidelines specifically addressing confidentiality incidents should be developed to handle situations involving loss, unauthorized use, or disclosure of information.
- Repeated requests for consent as a violation of free consent: Section 41(b) of the guidelines should be modified to allow organizations to re-seek consent at suitable intervals.
- Information required for deemed consent: To prevent confusion for organizations, the guidelines should provide clearer and more specific details about the upfront information that is necessary for deemed consent to be considered valid.
Ideally, the CAI will take the CMA’s concerns into serious consideration when finalizing their guidelines. Such revisions will aid in supporting businesses with their Law 25 compliance efforts, and create a foundation for leading effective privacy law reform in Canada.
As we await September 22nd and the revised CAI consent guidelines, organizations that process the data of Quebec residents should be preparing for the coming into force of key Law 25 provisions. If you have questions about how to prepare or need assistance, contact PRIVATECH.
Also, note that PRIVATECH’s Fall CIPP/C and CIPM courses are now open for registration! In-depth content on the then in force Law 25 and CAI guidance is being inserted into the course content.