The recent enactment in Québec of An Act to modernize legislative provisions as regards the protection of personal information (hereinafter called “Act 25”), formerly known as Bill 64, has led to significant changes for organizations that collect, communicate, and use personal information in Québec.
While organizations have already had to comply with the first wave of requirements, which came into force in September 2022, a new set of requirements is coming as soon as September 2023. They will require significant preparation and effort for effective implementation.
Recap of Act 25
Based in large part on Europe’s “General Data Protection Regulation” (GDPR), this new provincial law is intended to give more rights to individuals who share their personal information and, at the same time, it institutes a general principle of transparency. Going forward, a person who consents to share his or her personal information with an organization must understand how that information will be used, communicated, and possibly shared with third parties.
To guide organizations and businesses through this process, our professionals have developed a comprehensive guide that presents the law and the constraints it poses, but also the opportunities that arise from it, presented in 11 areas of compliance.
The following pages describe how KPMG in Canada can help private and public sector organizations comply with and operationalize the requirements related to one of these areas of compliance: transparency and consent.
The importance of obtaining valid consent
To be valid, consent must be expressed in a clear and free manner, obtained by means of simple and clear language. Act 25 also provides that consent must be requested separately and not buried within an abundance of other information.
In addition to the above, in order for consent to be valid, an organization must inform the individual who is sharing personal information of the following:
- The purposes for which the information is being collected
- The means used to collect the information
- The individual’s rights of access, correction, and withdrawal of consent for the information collected
- The categories of third parties to whom it is necessary to release the information for the defined purposes
- The possibility that the information will be disclosed outside Québec
The Commission d'accès à l'information (CAI) recently published draft guidelines on consent which provide illustrations and set out the CAI's interpretation of certain provisions of the law, in particular with regard to applicable requirements when using sensitive personal information for secondary purposes.
Who needs to give their consent?
The consent requirements must be met for customers and prospects, but also for employees and job applicants: in short, for all individuals who share personal information (any information that allows an individual to be identified, directly or indirectly) with an organization.
However, as of September 22, 2023, Act 25 will exclude from the law’s application information and contact details relating to business contacts: employer, position, and business contact information (email address, company address, business telephone number, etc.).
Operationalization of consent with KPMG
KPMG has a methodology and the practical experience required to help you implement sound consent management strategies.
Orientations
Identify the business needs
- Serious and legitimate purposes
- Primary purposes: the personal information needed to provide services or engage in business activities
- Secondary purposes: other purposes that are not essential to providing services or business activities
Validate the business context
- People: existing customers, new customers, prospects, job applicants, employees
- Channel and medium (paper, electronic, digital)
- Consent obtained directly or through a third party
- Sensitive or non-sensitive personal information
Positioning
- Intended purposes: primary and secondary
- How consent is obtained for new clients (presumed, opt-out, opt-in) depending on the context and the channel
- Management strategy for existing clients
- Requirements for consent management (use – processing of opt-out requests)
- Functional needs and requirements for a management solution
Achievements
Implementation
- Developing the wording and review of the notice on protection of personal information to cover the information requirements
- Validation of key moments in the customer journey
- Changes to the documentation used in business activities involving the collection of personal information as part of the customer journey
- Tailoring the means to the specific nature of the business activities
- Optimization of how consent is obtained, based on the customer journey
Management and solution
- Form of retention
- Implementation of a solution for validating the status and management of consent withdrawals
Organizations need to implement consent management to ensure that consents from existing and future customers are valid if they are to deliver an optimal experience, maintain the trust of stakeholders and reduce the reputational risks that arise from poor management.
This strategy needs to consider
Have a sound basis for planning the implementation
KPMG starts by asking clients to take positions on the issues that will guide the work on implementation.
Positioning | Steps to be performed
---|---
Scope (who): For which entities is personal information collected? Which types of people are targeted for consent? |
Ways consent will be obtained (how): How will individuals’ consent be obtained? |
Wording of the consent (what): How will the organization fulfil its obligation to inform individuals when obtaining consent? |
Management of existing consents: How should previously obtained consents be managed? |
Once a general direction of the consent strategy has been defined, the organization will need to implement and manage it. This includes:
- Updating policies on the protection of personal information and the wording of the various existing consent forms and communications
- Implementing the processes and solutions required to consolidate the consent obtained from various sources and ensure conservation
- Establishing the functional requirements and choosing technological solutions based on the existing technological architecture
- Implementing consent management and withdrawal solutions
- Defining a retention method
Beyond the organization’s responses to its regulatory obligations, the implementation phase provides it with an opportunity to review and help optimize processes that are already in place. It is crucial to include a customer experience (CX) component when implementing a new consent strategy to ensure that the strategy takes into account future marketing needs (communications, customer knowledge, personalization, etc.). This will minimize the impact on sales and on the experience delivered to the organization’s prospects and customers.
Use and retention of consents
Under Act 25, consent is valid only for the time required to achieve the purposes for which it was requested.
So organizations must also determine when it will be necessary and appropriate to seek consent for the subsequent use of an individual’s personal information. KPMG helps organizations set a standard that is based on risk appetite, regulatory requirements, and organizational needs.
Implementing a technological solution for consent management
To ensure effective consent management, organizations can choose to use the various technological solutions available on the market.
KPMG’s multidisciplinary team helps organizations define the functional requirements, establish the transitional management metric, and identify and implement the target consent management solution.
The following are key high-level steps and underlying activities for selecting, deploying, and operationalizing a technological solution for consent management:
- Criteria for success
- Engagement
- Maturity assessment
- Roadmap
- Basics: language, taxonomy, common frameworks
- Opportunity for convergence, alignment of functionalities, integration point
- Establishment of high-level business, functional and technical requirements
- Buy vs. build
- Tool selection
- Supplier demonstrations
- Evaluation criteria
- Tender scoring
- Solution configuration and implementation
- Planning the conversion and executing the data migration
- Testing strategy, performance test and acceptance by users
- Post-production support plan for deployment
Privacy by default: what is the impact on consent?
Organizations must also prepare for the introduction of the privacy-by-default requirement. Under this rule, a technology that collects data such as an IP address, MAC address or e-mail address for profiling, geolocation or identification purposes cannot be activated by default. Instead, it must be enabled through a positive action taken by the individual using the technology. For example, the advertising targeting cookies used by a website cannot be stored on a user’s device unless the user has explicitly given consent. This is usually done through a pop-up message or banner informing the user that the site uses cookies and allowing the user to choose whether or not to accept them. The purpose of privacy by default as applied to cookies is to increase transparency and give users more control over how websites track and collect their data.
Note that this requirement does not apply to the cookies required to operate the website or application.
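The following is an added illustration, not KPMG’s code nor any vendor’s product, of what the privacy-by-default posture described above looks like in code: optional cookie categories (analytics, advertising) start disabled and are enabled only by an explicit choice, strictly necessary cookies remain allowed, and a withdrawal purges the cookies that lost consent. The category names, the `ConsentGatedJar` class (which stands in for `document.cookie` so the logic runs outside a browser) and the helper functions are this example’s own assumptions.

```javascript
// Added example (not KPMG's or any vendor's code): a minimal consent gate that
// models Act 25's "privacy by default" rule for cookies. All names below are
// this example's own assumptions.

// Cookie categories. "necessary" covers cookies required to operate the site,
// which the rule does not cover; the other categories are optional.
const CATEGORIES = Object.freeze({
  necessary: { optional: false, purpose: 'operate the site (session, CSRF token)' },
  analytics: { optional: true, purpose: 'measure usage' },
  advertising: { optional: true, purpose: 'ad targeting / profiling' },
});

// Privacy-by-default state: every optional category starts OFF and stays OFF
// until the individual takes a positive action. Pre-enabling optional
// categories (an opt-out banner) would be the weak setting.
function defaultConsent() {
  const state = { decided: false };
  for (const [name, meta] of Object.entries(CATEGORIES)) state[name] = !meta.optional;
  return state;
}

// The banner is shown until the individual has actually made a choice;
// scrolling past it or ignoring it is not consent.
function shouldShowBanner(consent) {
  return !consent.decided;
}

// Record an explicit choice. Only the categories the individual selected are
// enabled; unknown category names are rejected rather than silently ignored.
function recordChoice(current, chosenCategories) {
  const next = { ...current, decided: true };
  for (const name of chosenCategories) {
    if (!(name in CATEGORIES)) throw new Error(`unknown consent category: ${name}`);
    next[name] = true;
  }
  next.necessary = true;
  return next;
}

// Withdrawal (a right the page lists): optional categories revert to OFF.
// "necessary" cannot be withdrawn because the site cannot operate without it.
function withdrawConsent(current, categories) {
  const next = { ...current, decided: true };
  for (const name of categories) {
    if (!(name in CATEGORIES)) throw new Error(`unknown consent category: ${name}`);
    if (CATEGORIES[name].optional) next[name] = false;
  }
  return next;
}

// A cookie jar standing in for document.cookie so the gate can run outside a
// browser. Every write carries a category and is refused without consent.
class ConsentGatedJar {
  constructor(consent) {
    this.consent = consent;
    this.jar = new Map();
  }
  set(name, value, category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown consent category: ${category}`);
    if (!this.consent[category]) return false; // blocked: no consent for this category
    this.jar.set(name, { value, category });
    return true;
  }
  has(name) {
    return this.jar.has(name);
  }
  // Apply a new consent state and purge cookies whose category lost consent,
  // so a withdrawal takes effect immediately rather than at cookie expiry.
  applyConsent(consent) {
    this.consent = consent;
    for (const [name, { category }] of this.jar) {
      if (!consent[category]) this.jar.delete(name);
    }
  }
}

// Walk-through of a first visit, an opt-in to advertising, and a later withdrawal.
function demo() {
  let consent = defaultConsent();
  const jar = new ConsentGatedJar(consent);
  const log = [];
  log.push(`banner shown: ${shouldShowBanner(consent)}`);
  log.push(`session cookie set: ${jar.set('sid', 'abc123', 'necessary')}`);
  log.push(`ad cookie set before consent: ${jar.set('ad_id', 'xyz', 'advertising')}`);
  consent = recordChoice(consent, ['advertising']);
  jar.applyConsent(consent);
  log.push(`ad cookie set after opt-in: ${jar.set('ad_id', 'xyz', 'advertising')}`);
  consent = withdrawConsent(consent, ['advertising']);
  jar.applyConsent(consent);
  log.push(`ad cookie present after withdrawal: ${jar.has('ad_id')}`);
  return log;
}
```

The design point is that the gate sits in front of every cookie write, not in the banner: a banner that merely hides itself while tracking scripts run anyway does not satisfy the rule. In a real deployment the recorded choice itself (including its date and the wording shown) would be persisted, since it is the evidence that consent was obtained and when it expires.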
Cookie consent flow (table in the original, cell contents not recovered): Initialization phase; First visit; Subsequent visits.
The experience and knowledge you need
KPMG in Canada is a leader in protection of personal information. Our multidisciplinary teams of professionals have successfully carried out numerous projects to bring organizations into compliance with Act 25 and understand the challenges your organization may face. Our leaders also contribute to projects to comply with the legislation that will result from the adoption of Bill C-27. This is why KPMG in Canada takes a holistic approach to consent management, considering not only compliance issues but also the organization’s business and operational needs.
Contact us for a more in-depth discussion with our privacy leaders to ensure that your company is implementing sound consent management.