A Quebec Data Collection Consent Form (Formulaire de consentement a la collecte de donnees) is a legal document through which an individual voluntarily and knowingly authorizes an organization to collect, use, communicate, and retain their personal information for specified purposes. In Quebec, the protection of personal information is governed by the Act respecting the protection of personal information in the private sector (RLRQ, c. P-39.1), commonly known as Loi 25 or Bill 64, which was substantially modernized and came into full force in September 2023. This legislation, modeled in part on the European General Data Protection Regulation (GDPR), establishes one of the most rigorous personal data protection frameworks in North America.

Under Loi 25, consent to the collection and use of personal information must be manifested in a clear and free manner. Consent must be sought for each specific purpose of collection, and organizations may not refuse to provide a product or service because a person refuses to consent to collection or use that is not necessary for that product or service. This is a fundamental departure from how consent was often obtained previously, where blanket consent provisions were embedded in terms of service and privacy policies that users had little choice but to accept.

Personal information under Loi 25 includes any information relating to a natural person that allows them to be identified, directly or indirectly. This encompasses names, addresses, identification numbers, financial data, health information, location data, digital identifiers such as IP addresses and cookies, biometric data, and any combination of information that, taken together, permits identification of an individual.

Organizations collecting personal information must also comply with the Act respecting access to documents held by public bodies and the protection of personal information (RLRQ, c. A-2.1, the Public Sector Privacy Act), which governs public bodies in Quebec. Private sector organizations fall under Loi 25, while federal organizations may be subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) or its successor, the Consumer Privacy Protection Act (CPPA), though Loi 25 applies to all personal information collected in Quebec.

The Commission d'acces a l'information (CAI) is the regulatory body in Quebec responsible for overseeing compliance with Loi 25. The CAI has broad investigatory and enforcement powers, including the ability to impose administrative monetary penalties of up to 10 million dollars or 2% of worldwide turnover for violations, and pecuniary penalties of up to 25 million dollars or 4% of worldwide turnover for more serious violations. These penalties align Loi 25 with GDPR enforcement levels and represent a significant escalation from the previous penalty regime.

Organizations subject to Loi 25 must designate a person responsible for the protection of personal information, publish and maintain a privacy policy, conduct privacy impact assessments (PIAs) for personal information projects involving third parties or the collection of sensitive information, and report privacy incidents involving sensitive personal information to both the CAI and the affected individuals without delay. The data consent form is a foundational component of the compliance framework, documenting the basis on which personal information is legitimately collected and processed. The principle of accountability under Loi 25 means that organizations cannot simply obtain consent and then do as they please. They must implement governance structures, privacy by design practices, and technical and organizational measures proportionate to the sensitivity of the information collected. Privacy must be embedded into the design of any new system or project that involves personal information, not added as an afterthought. Organizations must also document their personal information processing activities, maintain a record of their privacy impact assessments, and make governance information available to the CAI upon request. The data consent form serves as the visible, individual-facing component of this broader accountability framework, translating complex legal obligations into clear, understandable language for the people whose information is being collected.

A data collection consent form is needed whenever an organization collects personal information about individuals for any purpose that is not obvious from the nature of the transaction or relationship. Under Loi 25 (RLRQ, c. P-39.1), consent is the primary basis for lawfully collecting personal information in the Quebec private sector, and organizations should obtain specific, documented consent before collecting data in the following circumstances.

E-commerce businesses and online retailers must obtain consent before collecting browsing behavior, purchase history, location data, or any information used for targeted advertising or behavioral profiling. The use of cookies and tracking technologies for non-essential purposes, including marketing and analytics, requires explicit opt-in consent under Loi 25, unlike some other jurisdictions where implied consent or opt-out mechanisms may be sufficient.

Healthcare providers, clinics, and wellness practitioners must obtain consent before collecting patient health information, medical histories, treatment data, or test results. While some health information collection is authorized under the Act respecting health services and social services (LSSSS) and the Medical Act, the collection of health data beyond what is strictly necessary for treatment purposes requires explicit informed consent. Research use of health data requires additional ethics board authorization.

Financial institutions, insurance companies, and credit bureaus must obtain consent before collecting financial information, credit data, employment history, or other information used for credit assessment, insurance underwriting, or financial product eligibility. The federal PIPEDA (or CPPA when in force) and Loi 25 together govern personal financial information collected in Quebec, and the more protective provincial standard generally prevails for data collected locally.

Employers must obtain consent before collecting employee personal information beyond what is strictly necessary for the employment relationship, including health information, financial data, social media profiles, GPS tracking data, keystroke monitoring, or biometric access control data. Quebec law, informed by decisions of the CAI and the Commission des droits de la personne et des droits de la jeunesse (CDPDJ), places strict limits on employer surveillance and requires that data collection be proportionate to the legitimate business purpose.

Mobile applications and software providers must disclose and obtain consent for all personal data collected through the application, including device identifiers, location data, usage patterns, contacts, and any third-party data sharing. The CAI's guidance on mobile applications requires that consent be granular, specific to each type of data and use, and presented in a user-friendly format before collection begins.

Non-profit organizations and charities must obtain consent before collecting donor information, member data, or beneficiary information for purposes beyond immediate service delivery, including fundraising, newsletter distribution, or advocacy activities. Consent should be renewed periodically and organizations must offer easy opt-out mechanisms.

Research organizations and universities collecting data for academic research must comply with both Loi 25 and the Tri-Council Policy Statement (TCPS2) on ethical conduct of research involving humans, and must obtain research ethics board (REB) approval for data collection projects that involve identifiable personal information. Government bodies and public institutions in Quebec collecting personal information from residents are subject to the Public Sector Privacy Act (RLRQ, c. A-2.1) rather than Loi 25, but the consent principles are broadly similar. Consent is required for data collections that go beyond the statutory mandate of the public body, and individuals have the right to access and correct their information held by public bodies through the Commission d'acces a l'information. Any organization operating in Quebec that experiences a privacy incident involving sensitive personal information must report it to the CAI and notify affected individuals as soon as reasonably possible, documenting the incident in their privacy incident register as required by section 3.8 of Loi 25.

A comprehensive and legally compliant Quebec data collection consent form must include the following key elements to satisfy the requirements of Loi 25 (RLRQ, c. P-39.1) and the guidance issued by the Commission d'acces a l'information (CAI):

**Identity and Contact Information of the Responsible Organization:** The full legal name of the organization collecting personal information, the name and contact information of the person responsible for the protection of personal information (responsable de la protection des renseignements personnels) as required by section 3.1 of Loi 25, and the organization's mailing address and email address for privacy-related inquiries.

**Specific Purposes of Collection:** A clear, precise description of each specific purpose for which personal information is collected. Loi 25 prohibits collecting personal information for purposes that are not identified in advance. General or vague purposes such as improving services or for business purposes are insufficient. Each purpose must be described specifically enough that the individual understands how their information will be used.

**Categories of Personal Information Collected:** An itemized list of the specific types of personal information to be collected, such as name, address, date of birth, email address, phone number, browsing history, location data, financial information, or health data. The consent form must not collect information that is not necessary for the stated purposes (principle of minimization under section 5 of Loi 25).

**Disclosure to Third Parties:** Explicit identification of any third parties to whom personal information may be communicated, including service providers, affiliates, advertising networks, government bodies, or research institutions. Cross-border transfers of personal information outside Quebec require a privacy impact assessment under section 17 of Loi 25 and must meet the required level of protection.

**Retention Period:** The specific period for which personal information will be retained, or the criteria used to determine that period. After the retention period expires, personal information must be destroyed or anonymized in accordance with Loi 25. Indefinite retention is not permitted without specific justification.

**Rights of the Individual:** A clear statement of the individual's rights under Loi 25, including the right to access their personal information (section 27), the right to correct inaccurate information (section 28), the right to withdraw consent at any time (with the consequences of withdrawal explained), the right to have information destroyed when it is no longer necessary for its purposes, and the right to lodge a complaint with the CAI.

**Sensitive Personal Information:** If the organization collects sensitive personal information, including health information, financial information, biometric data, or information about private life, the consent form must expressly identify this and obtain specific consent for the collection of each category of sensitive information. The CAI considers sensitive information to warrant heightened protection.

**Consent for Each Distinct Purpose:** A separate, specific consent for each distinct purpose of collection and use. Omnibus consent covering multiple unrelated purposes in a single checkbox or signature is insufficient under Loi 25. Where possible, consent should be granular, allowing individuals to consent to some uses but not others.

**Withdrawal of Consent:** The mechanism and procedure for withdrawing consent, including how to submit a withdrawal request, the timeframe within which the organization will process the withdrawal, and the practical consequences of withdrawal, such as the inability to access certain services.

**Privacy Policy Reference:** A reference to the organization's full privacy policy (politique de confidentialite), which must be published, easily accessible, and written in clear, simple language as required by Loi 25. The privacy policy contains the detailed information about data handling practices that supports the consent form.

**Good Faith Obligation:** An express acknowledgment that both parties act in good faith (bonne foi, art. 1375 CCQ) and that the organization will handle personal information with the care and respect to which individuals are entitled under Quebec law.