Law 25 Guide

Consent

Quebec's Law 25 consent rules — what makes consent valid, how to obtain it, document it and withdraw it, plus the special cases of sensitive information and minors.

Updated April 20, 2026 · 6 min read · Written by Pascal Dupuis
Tags: Consent · ss. 12-14 · CAI · PPIPSA

Consent is the cornerstone of Law 25. Without valid consent, collecting, using or communicating personal information is unlawful — save for the exceptions the Act itself carves out (express legal authorization, public interest, legal obligation, emergency).

This chapter explains what the Commission d'accès à l'information (CAI) and the Act respecting the protection of personal information in the private sector (PPIPSA) require in practice, with examples that apply to a Quebec SMB.

The five qualities of valid consent

Section 14 of the PPIPSA sets out five cumulative qualities. A consent that fails any one of them is invalid and exposes the enterprise to enforcement.

Quality and what it means:

  • Manifest: clear and unambiguous. Silence, inaction or pre-ticked boxes do not constitute consent.
  • Free: given without pressure and without disproportionate negative consequences for refusing. Making an essential service conditional on consent to a non-essential purpose vitiates the consent.
  • Informed: the individual understands why, by whom and in what context the information will be used. Purposes must be stated in plain language.
  • Given for specific purposes: one consent covers one specific purpose and must be requested again for any distinct purpose.
  • Expressed in plain and clear terms: no legalese, no clauses buried in 30 pages of terms and conditions.

The practical test

Ask these three questions before considering a consent obtained:

  1. Has the person made an explicit positive gesture (a click, a signature, ticking a box that was unchecked by default)?
  2. Does the person know what they are consenting to, who will use the information, and for how long?
  3. Can the person refuse without losing access to the core service?

If any answer is "no," the consent is not valid under Law 25.

One consent per purpose, presented separately

Consent must be requested for each purpose in plain and clear terms. It must be presented separately from any other information communicated to the person concerned.

In concrete terms:

  • Non-compliant: a line that reads "By creating your account, you consent to our terms of service and privacy policy" with a single Accept button.
  • Compliant: the Create account button is separate from an explicit checkbox "I agree that Hilo Tech may share my information with [partner] for [purpose]" — not pre-checked.

The CAI has made clear that bundled-by-default consent (one OK for several purposes) does not meet the per-purpose requirement.

Sensitive information

Sensitive information (health, biometrics, detailed financial data, intimate life, political or religious opinions) requires express consent. That means:

  • A positive gesture specifically tied to this information (dedicated checkbox, separate signature).
  • An explicit mention that the information is of a sensitive nature.
  • A clearly stated retention period.

In practice, a medical intake form or an HR file containing health information must include a separate express-consent clause for that category — distinct from general consent to the privacy policy.

Minors

Since September 22, 2023, when the second wave of Law 25 provisions came into force:

  • Under 14: consent must be given by the person with parental authority or the tutor.
  • 14 and over: the minor can consent themselves, with nuances for health information (which is also governed by the Act respecting Health Services and Social Services).

For an SMB that collects summer-camp registrations, an online tutoring service or a youth training program, this changes everything: the "I am over 13" checkbox no longer cuts it — there must be a parental-validation mechanism.

Withdrawing consent

Any person can withdraw their consent at any time, with prospective effect. The enterprise must:

  1. Provide a simple, free way to withdraw (unsubscribe link, online form, dedicated email).
  2. Inform the person of the consequences of withdrawal — e.g. if withdrawal prevents delivery of the core service.
  3. Cease collection and use as soon as the withdrawal is received.
  4. Treat withdrawal as prospective, not retroactive: it does not invalidate uses made while the consent was valid, and it does not by itself require deleting data already used under that consent (other retention and destruction obligations still apply).

Withdrawal of consent must not be more complicated than obtaining it. If registration takes one click, unsubscribe takes one click.

Exceptions: processing without consent

The PPIPSA lists several situations where information can be collected, used or communicated without consent:

  • Legal obligation (s. 18 para. 1 subpara. 1): tax laws, Labour Code, professional order, judicial mandates.
  • Performance of a contract (s. 13): data necessary to execute the agreed service (delivering a parcel = address; invoicing = contact details).
  • Serious and legitimate interest (s. 12 para. 3): use consistent with the original purpose, without disproportionate effect on privacy.
  • Protection of life (s. 18 para. 2): medical emergency, public safety.
  • Study, research, statistics (s. 21): subject to anonymization and approval requirements.

These exceptions are read narrowly. When in doubt, consult your lawyer.

Proving consent

In an investigation, the CAI can demand proof that valid consent was obtained. In practice, your system must keep:

  • The date and time of consent.
  • The exact text displayed to the person (not a link to a document that may have changed).
  • The mechanism used (checkbox, signature, voice recording, etc.).
  • The user's identifier (email, UUID) and, where relevant, the IP address.
  • The version of the policy in force at the moment of consent.

A simple "user accepted" boolean field is not enough — you must be able to reconstruct what the person saw and approved.
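The record-keeping requirements above, together with the prospective-only effect of withdrawal from the earlier section, translate into a small append-only consent ledger. The following is an added illustration, not code from Hilo Tech, the CAI or any consent platform. Every record stores the exact text shown (not a link), the policy version, the mechanism, the timestamp and the identifier, and each record is chained to the previous one by hash so that a later edit or deletion is detectable. The account identifier, purposes, wording, IP address and the list of sensitive purposes are constructed for the example; the hash chain is one tamper-evidence design among several.

```python
"""Added example, not from the original guide: an append-only, hash-chained consent ledger
keeping, per grant or withdrawal, what an investigator may ask for. All sample data is constructed."""
from __future__ import annotations
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

SENSITIVE_PURPOSES = {"health_history", "biometric_login"}  # assumption for the example
GENESIS = "0" * 64  # prev_hash of the first event in the chain

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str            # account UUID or e-mail
    purpose: str               # exactly one purpose per record, never a bundle
    action: str                # "granted" or "withdrawn"
    text_shown: str            # the exact wording displayed, not a link to a document
    policy_version: str        # privacy-policy version in force at that moment
    mechanism: str             # "checkbox", "signature", "voice", "unsubscribe_link", ...
    timestamp: str             # UTC, ISO-8601
    ip_address: Optional[str]  # only where relevant
    text_sha256: str           # fingerprint of text_shown, for quick comparison
    prev_hash: str             # hash of the previous event: makes the log tamper-evident
    event_hash: str = ""       # SHA-256 over every field above

def _digest(fields: dict) -> str:
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def _iso(at) -> str:  # aware datetime, ISO-8601 string, or None (= now, UTC)
    if at is None:
        at = datetime.now(timezone.utc)
    return at if isinstance(at, str) else at.isoformat()

class ConsentLedger:
    def __init__(self) -> None:
        self.events = []

    def _append(self, **fields) -> ConsentEvent:
        body = dict(fields,
                    text_sha256=hashlib.sha256(fields["text_shown"].encode()).hexdigest(),
                    prev_hash=self.events[-1].event_hash if self.events else GENESIS)
        event = ConsentEvent(**body, event_hash=_digest(body))
        self.events.append(event)
        return event

    def grant(self, subject_id, purpose, text_shown, policy_version, mechanism, *,
              prechecked=False, express=False, ip_address=None, at=None) -> ConsentEvent:
        if prechecked:  # a pre-ticked box is not a positive gesture: refuse to record it
            raise ValueError("pre-ticked box is not a manifest consent")
        if purpose in SENSITIVE_PURPOSES and not express:  # sensitive data: dedicated gesture
            raise ValueError(f"{purpose!r} is sensitive: express consent required")
        return self._append(subject_id=subject_id, purpose=purpose, action="granted",
                            text_shown=text_shown, policy_version=policy_version,
                            mechanism=mechanism, timestamp=_iso(at), ip_address=ip_address)

    def withdraw(self, subject_id, purpose, text_shown, policy_version, mechanism, *,
                 ip_address=None, at=None) -> ConsentEvent:
        # Withdrawal is appended as a new event; earlier grants are never edited or deleted.
        return self._append(subject_id=subject_id, purpose=purpose, action="withdrawn",
                            text_shown=text_shown, policy_version=policy_version,
                            mechanism=mechanism, timestamp=_iso(at), ip_address=ip_address)

    def history(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        return [e for e in self.events if e.subject_id == subject_id and e.purpose == purpose]

    def is_active(self, subject_id: str, purpose: str, at=None) -> bool:
        """Latest event on or before `at` decides: a withdrawal counts only from its own time."""
        cutoff = datetime.fromisoformat(_iso(at))
        latest = None
        for e in self.history(subject_id, purpose):
            if datetime.fromisoformat(e.timestamp) <= cutoff:
                latest = e
        return latest is not None and latest.action == "granted"

    def verify(self) -> bool:
        """Recompute every hash and link; False means a record was altered or removed."""
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in asdict(e).items() if k != "event_hash"}
            if e.prev_hash != prev or _digest(body) != e.event_hash:
                return False
            prev = e.event_hash
        return True

def demo() -> ConsentLedger:
    """Constructed scenario: one account, two separately consented purposes, one withdrawal."""
    ledger = ConsentLedger()
    signup, later = "2026-04-20T09:00:00+00:00", "2026-05-01T12:00:00+00:00"
    ledger.grant("user-7f3a", "marketing_email",
                 "I agree that Hilo Tech may send me product news by e-mail. Unsubscribe any time.",
                 policy_version="2026-03", mechanism="checkbox", ip_address="203.0.113.7", at=signup)
    ledger.grant("user-7f3a", "partner_sharing",
                 "I agree that Hilo Tech may share my contact details with [partner] for [purpose].",
                 policy_version="2026-03", mechanism="checkbox", at=signup)
    ledger.withdraw("user-7f3a", "marketing_email", "Unsubscribe from product news",
                    policy_version="2026-03", mechanism="unsubscribe_link", at=later)
    return ledger
```

Two design points matter for an investigation. First, `is_active` answers the question as of a given moment, so the marketing purpose reads as consented on April 25 and as withdrawn on June 1: that is the prospective effect of withdrawal, and the April grant record itself is never removed. Second, `verify` recomputes the chain; if a record is altered or dropped after the fact, the ledger no longer verifies, which is what makes the archive more than "our word against the complaint". A real deployment would persist the events in write-once storage and anchor the chain head externally (for example by signing it periodically), which this example omits.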

Our role on the IT side

On a compliance engagement, Hilo Tech configures the tools that log these elements (consent platforms like Cookiebot or OneTrust; custom banners; CRM systems with audit fields; Microsoft 365 audit log). The wording of the consent text itself is authored by the client's lawyer — we implement the language they approve.

Quick checklist

  • Every collection purpose has its own consent (no bundled checkboxes).
  • Checkboxes are unchecked by default.
  • The consent text is written in plain French (or the relevant language), without legalese.
  • Separate express consent is obtained for sensitive information.
  • Minors under 14 have a parental-validation mechanism.
  • A simple, free withdrawal mechanism is published.
  • Each consent is timestamped and archived with the exact text displayed.

Common mistakes

  • The European consent wall, pasted as-is. — Many SMBs copy an English GDPR banner without adaptation. The French is missing, the link points to the English policy, and the categories don't match what the CAI expects.
  • Consent obtained once and for all. — A consent valid at sign-up does not cover a new purpose (e.g. transfer to a commercial partner not mentioned at the outset). You must re-ask.
  • The pre-checked "I agree to receive marketing communications" box. — Invalid since September 2023. The user must take an active step.
  • No archiving. — Consent is only demonstrable during an investigation. If your system doesn't keep the timestamp + the text displayed, it's your word against the complaint.

Questions to raise with your lawyer

  • Do our cookie banners meet the specific Quebec requirements, which differ from the GDPR?
  • What express-consent wording should we use for health data (if we run a medical practice, pharmacy or telemedicine service)?
  • Do we have a legal basis other than consent for some purposes (legitimate interest, contract performance)?
  • What is a reasonable retention period for the proof-of-consent records themselves?

Question about this guide?

Pascal and Jérémie can answer directly by email or during a discovery call.

Consent — Law 25 Guide | Hilo Tech Wiki