Personal Data Collection Consent Form (Quebec)
Province de Québec
Province de Québec
Conformément à la Loi modernisant des dispositions législatives en matière de protection des renseignements personnels (Loi 25, RLRQ c P-39.1), à l'article 37 du Code civil du Québec (C.c.Q.) relatif à la protection des renseignements personnels et à la Loi sur l'accès aux documents des organismes publics et sur la protection des renseignements personnels (RLRQ c A-2.1).
1. DATE ET LIEU
Fait à [Lieu de signature], le [Date du consentement].
2. IDENTIFICATION DE L'ORGANISATION RESPONSABLE DE LA COLLECTE
L'organisation responsable de la collecte, de l'utilisation et de la conservation des renseignements personnels (ci-après désignée l'« Organisation ») est :
Nom : [Nom de l'organisation]
Adresse : [Adresse de l'organisation]
Courriel : [Courriel de l'organisation]
Téléphone : [Téléphone de l'organisation]
Responsable de la protection des renseignements personnels : [Nom du responsable de la protection], courriel : [Courriel du responsable de la protection]
Conformément à l'article 3.1 de la Loi 25, l'Organisation a désigné la personne sus-mentionnée comme responsable de la protection des renseignements personnels, laquelle est chargée d'assurer le respect des obligations prévues par la Loi et de traiter toute demande relative à l'exercice des droits reconnus à l'individu par la présente.
3. IDENTIFICATION DE L'INDIVIDU
L'individu dont les renseignements personnels font l'objet de la présente collecte (ci-après désigné l'« Individu ») est :
Nom complet : [Nom de l'individu]
Adresse : [Adresse de l'individu]
Courriel : [Courriel de l'individu]
Téléphone : [Téléphone de l'individu]
Conformément à l'article 37 C.c.Q., l'Organisation qui constitue un dossier sur l'Individu doit avoir un intérêt sérieux et légitime à le faire, et ne doit collecter que les renseignements nécessaires à l'objet du dossier. L'Individu a le droit de consulter son dossier et d'en contester l'exactitude.
4. RENSEIGNEMENTS PERSONNELS COLLECTÉS
L'Organisation collecte les catégories de renseignements personnels suivantes, dans le strict respect du principe de minimisation prévu à l'article 5 de la Loi 25 (seuls les renseignements nécessaires aux fins déclarées sont collectés) :
Types de renseignements collectés : [Types de renseignements collectés]
Autre type de renseignement collecté : [Autre type : aucun / détail]
5. FINALITÉS DE LA COLLECTE
Les renseignements personnels de l'Individu sont collectés exclusivement aux fins suivantes, conformément à l'exigence de finalité déterminée prévue par la Loi 25 et l'article 37 C.c.Q. :
Finalité(s) principale(s) : [Finalités principales de la collecte]
Finalité(s) secondaire(s) : [Finalités secondaires : aucune / détail]
L'Organisation s'engage à ne pas utiliser les renseignements personnels de l'Individu à d'autres fins que celles énoncées au présent document, sans obtenir au préalable un consentement exprès et distinct, conformément à l'exigence de compatibilité des finalités prévue par la Loi 25.
6. DURÉE DE CONSERVATION ET DESTRUCTION
Durée de conservation des renseignements personnels : [Durée de conservation]
Période précise de conservation (le cas échéant) : [Durée précise : non applicable / détail]
Méthode de destruction ou d'anonymisation : [Méthode de destruction : à préciser / selon la politique interne]
Conformément à l'article 23 de la Loi 25, les renseignements personnels seront détruits ou anonymisés lorsqu'ils ne seront plus nécessaires aux fins pour lesquelles ils ont été collectés, selon le calendrier de conservation établi par l'Organisation et conforme à ses obligations légales.
7. MESURES DE SÉCURITÉ
L'Organisation met en place des mesures de sécurité raisonnables, en tenant compte notamment de la sensibilité des renseignements et des risques potentiels liés à leur utilisation, conformément à l'article 10 de la Loi 25. Ces mesures comprennent notamment le chiffrement des données sensibles, des contrôles d'accès stricts, des journaux d'accès, des formations régulières du personnel et des audits de sécurité périodiques.
En cas d'incident de confidentialité susceptible de causer un préjudice sérieux à l'Individu, l'Organisation s'engage à notifier l'Individu et, le cas échéant, la Commission d'accès à l'information du Québec (CAI), conformément aux articles 3.5 à 3.8 de la Loi 25.
8. DROITS DE L'INDIVIDU
L'Individu dispose des droits suivants à l'égard de ses renseignements personnels, en vertu de la Loi 25 et de l'article 37 C.c.Q. :
Droit d'accès : confirmé — [Droit d'accès confirmé]. L'Individu peut demander à consulter les renseignements personnels le concernant détenus par l'Organisation.
Droit de rectification : confirmé — [Droit de rectification confirmé]. L'Individu peut demander la correction de tout renseignement personnel inexact, incomplet ou équivoque.
Droit de retrait du consentement : confirmé — [Droit de retrait confirmé]. L'Individu peut retirer son consentement à tout moment, sous réserve des délais de préavis raisonnables et des obligations légales de conservation.
Procédure pour exercer ses droits : [Procédure pour exercer ses droits]
L'Individu peut également déposer une plainte auprès de la Commission d'accès à l'information du Québec (CAI) s'il estime que ses droits n'ont pas été respectés (www.cai.gouv.qc.ca).
9. BONNE FOI ET CONSENTEMENT ÉCLAIRÉ
Conformément à l'article 1375 C.c.Q., les parties au présent consentement déclarent agir de bonne foi. L'Individu déclare expressément :
Avoir reçu une communication claire, transparente et distincte des informations relatives à la collecte de ses renseignements personnels, conformément aux exigences de la Loi 25 (s. 8).
Avoir accordé son consentement librement, sans contrainte ni incitation indue, de manière spécifique et éclairée quant aux finalités de la collecte.
Consentement libre et éclairé confirmé : [Consentement libre et éclairé confirmé].
Avoir été informé(e) de ses droits d'accès, de rectification, de retrait et de dépôt de plainte à la Commission d'accès à l'information du Québec.
Notes supplémentaires ou conditions particulières : [Notes supplémentaires : aucune / détail]
10. LOI APPLICABLE
Le présent consentement est régi par les lois de la Province de Québec, notamment la Loi modernisant des dispositions législatives en matière de protection des renseignements personnels (Loi 25, RLRQ c P-39.1), l'article 37 du Code civil du Québec relatif à la protection des renseignements personnels dans les dossiers, la Loi sur l'accès aux documents des organismes publics et sur la protection des renseignements personnels (RLRQ c A-2.1) et l'article 1375 C.c.Q. sur la bonne foi. Tout litige découlant du présent document sera soumis à la compétence des tribunaux du Québec.
11. SIGNATURES
EN FOI DE QUOI, les parties ont signé le présent consentement à la collecte de données personnelles à [Lieu de signature], le [Date du consentement].
Individu
[Nom de l'individu]
Signature
Date: ________________
Organisation (Responsable de la protection)
[Nom de l'organisation]
Signature
Date: ________________
What Is a Personal Data Collection Consent Form (Quebec)?
A Personal Data Collection Consent Form (Quebec) in Quebec a Quebec Data Collection Consent Form (Formulaire de consentement a la collecte de donnees) is a legal document through which an individual voluntarily and knowingly authorizes an organization to collect, use, communicate, and retain their personal information for specified purposes. In Quebec, the protection of personal information is governed by the Act respecting the protection of personal information in the private sector (RLRQ, c. P-39.1), commonly known as Loi 25 or Bill 64, which was substantially modernized and came into full force in September 2023. This legislation, modeled in part on the European General Data Protection Regulation (GDPR), establishes one of the most rigorous personal data protection frameworks in North America.
Under Loi 25, consent to the collection and use of personal information must be manifested in a clear and free manner. Consent must be sought for each specific purpose of collection, and organizations may not refuse to provide a product or service because a person refuses to consent to collection or use that is not necessary for that product or service. This is a fundamental departure from how consent was often obtained previously, where blanket consent provisions were embedded in terms of service and privacy policies that users had little choice but to accept.
Personal information under Loi 25 includes any information relating to a natural person that allows them to be identified, directly or indirectly. This encompasses names, addresses, identification numbers, financial data, health information, location data, digital identifiers such as IP addresses and cookies, biometric data, and any combination of information that, taken together, permits identification of an individual.
Organizations collecting personal information must also comply with the Act respecting access to documents held by public bodies and the protection of personal information (RLRQ, c. A-2.1, the Public Sector Privacy Act), which governs public bodies in Quebec. Private sector organizations fall under Loi 25, while federal organizations may be subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) or its successor, the Consumer Privacy Protection Act (CPPA), though Loi 25 applies to all personal information collected in Quebec.
The Commission d'acces a l'information (CAI) is the regulatory body in Quebec responsible for overseeing compliance with Loi 25. The CAI has broad investigatory and enforcement powers, including the ability to impose administrative monetary penalties of up to 10 million dollars or 2% of worldwide turnover for violations, and pecuniary penalties of up to 25 million dollars or 4% of worldwide turnover for more serious violations. These penalties align Loi 25 with GDPR enforcement levels and represent a significant escalation from the previous penalty regime.
Organizations subject to Loi 25 must designate a person responsible for the protection of personal information, publish and maintain a privacy policy, conduct privacy impact assessments (PIAs) for personal information projects involving third parties or the collection of sensitive information, and report privacy incidents involving sensitive personal information to both the CAI and the affected individuals without delay. The data consent form is a foundational component of the compliance framework, documenting the basis on which personal information is legitimately collected and processed. The principle of accountability under Loi 25 means that organizations cannot simply obtain consent and then do as they please. They must implement governance structures, privacy by design practices, and technical and organizational measures proportionate to the sensitivity of the information collected. Privacy must be embedded into the design of any new system or project that involves personal information, not added as an afterthought. Organizations must also document their personal information processing activities, maintain a record of their privacy impact assessments, and make governance information available to the CAI upon request. The data consent form serves as the visible, individual-facing component of this broader accountability framework, translating complex legal obligations into clear, understandable language for the people whose information is being collected.
When Do You Need a Personal Data Collection Consent Form (Quebec)?
A data collection consent form is needed whenever an organization collects personal information about individuals for any purpose that is not obvious from the nature of the transaction or relationship. Under Loi 25 (RLRQ, c. P-39.1), consent is the primary basis for lawfully collecting personal information in the Quebec private sector, and organizations should obtain specific, documented consent before collecting data in the following circumstances.
E-commerce businesses and online retailers must obtain consent before collecting browsing behavior, purchase history, location data, or any information used for targeted advertising or behavioral profiling. The use of cookies and tracking technologies for non-essential purposes, including marketing and analytics, requires explicit opt-in consent under Loi 25, unlike some other jurisdictions where implied consent or opt-out mechanisms may be sufficient.
Healthcare providers, clinics, and wellness practitioners must obtain consent before collecting patient health information, medical histories, treatment data, or test results. While some health information collection is authorized under the Act respecting health services and social services (LSSSS) and the Medical Act, the collection of health data beyond what is strictly necessary for treatment purposes requires explicit informed consent. Research use of health data requires additional ethics board authorization.
Financial institutions, insurance companies, and credit bureaus must obtain consent before collecting financial information, credit data, employment history, or other information used for credit assessment, insurance underwriting, or financial product eligibility. The federal PIPEDA (or CPPA when in force) and Loi 25 together govern personal financial information collected in Quebec, and the more protective provincial standard generally prevails for data collected locally.
Employers must obtain consent before collecting employee personal information beyond what is strictly necessary for the employment relationship, including health information, financial data, social media profiles, GPS tracking data, keystroke monitoring, or biometric access control data. Quebec law, informed by decisions of the CAI and the Commission des droits de la personne et des droits de la jeunesse (CDPDJ), places strict limits on employer surveillance and requires that data collection be proportionate to the legitimate business purpose.
Mobile applications and software providers must disclose and obtain consent for all personal data collected through the application, including device identifiers, location data, usage patterns, contacts, and any third-party data sharing. The CAI's guidance on mobile applications requires that consent be granular, specific to each type of data and use, and presented in a user-friendly format before collection begins.
Non-profit organizations and charities must obtain consent before collecting donor information, member data, or beneficiary information for purposes beyond immediate service delivery, including fundraising, newsletter distribution, or advocacy activities. Consent should be renewed periodically and organizations must offer easy opt-out mechanisms.
Research organizations and universities collecting data for academic research must comply with both Loi 25 and the Tri-Council Policy Statement (TCPS2) on ethical conduct of research involving humans, and must obtain research ethics board (REB) approval for data collection projects that involve identifiable personal information. Government bodies and public institutions in Quebec collecting personal information from residents are subject to the Public Sector Privacy Act (RLRQ, c. A-2.1) rather than Loi 25, but the consent principles are broadly similar. Consent is required for data collections that go beyond the statutory mandate of the public body, and individuals have the right to access and correct their information held by public bodies through the Commission d'acces a l'information. Any organization operating in Quebec that experiences a privacy incident involving sensitive personal information must report it to the CAI and notify affected individuals as soon as reasonably possible, documenting the incident in their privacy incident register as required by section 3.8 of Loi 25.
What to Include in Your Personal Data Collection Consent Form (Quebec)
A thorough and legally compliant Quebec data collection consent form must include the following key elements to satisfy the requirements of Loi 25 (RLRQ, c. P-39.1) and the guidance issued by the Commission d'acces a l'information (CAI):
**Identity and Contact Information of the Responsible Organization:** The full legal name of the organization collecting personal information, the name and contact information of the person responsible for the protection of personal information (responsable de la protection des renseignements personnels) as required by section 3.1 of Loi 25, and the organization's mailing address and email address for privacy-related inquiries.
**Specific Purposes of Collection:** A clear, precise description of each specific purpose for which personal information is collected. Loi 25 prohibits collecting personal information for purposes that are not identified in advance. General or vague purposes such as improving services or for business purposes are insufficient. Each purpose must be described specifically enough that the individual understands how their information will be used.
**Categories of Personal Information Collected:** An itemized list of the specific types of personal information to be collected, such as name, address, date of birth, email address, phone number, browsing history, location data, financial information, or health data. The consent form must not collect information that is not necessary for the stated purposes (principle of minimization under section 5 of Loi 25).
**Disclosure to Third Parties:** Explicit identification of any third parties to whom personal information may be communicated, including service providers, affiliates, advertising networks, government bodies, or research institutions. Cross-border transfers of personal information outside Quebec require a privacy impact assessment under section 17 of Loi 25 and must meet the required level of protection.
**Retention Period:** The specific period for which personal information will be retained, or the criteria used to determine that period. After the retention period expires, personal information must be destroyed or anonymized in accordance with Loi 25. Indefinite retention is not permitted without specific justification.
**Rights of the Individual:** A clear statement of the individual's rights under Loi 25, including the right to access their personal information (section 27), the right to correct inaccurate information (section 28), the right to withdraw consent at any time (with the consequences of withdrawal explained), the right to have information destroyed when it is no longer necessary for its purposes, and the right to lodge a complaint with the CAI.
**Sensitive Personal Information:** If the organization collects sensitive personal information, including health information, financial information, biometric data, or information about private life, the consent form must expressly identify this and obtain specific consent for the collection of each category of sensitive information. The CAI considers sensitive information to warrant heightened protection.
**Consent for Each Distinct Purpose:** A separate, specific consent for each distinct purpose of collection and use. Omnibus consent covering multiple unrelated purposes in a single checkbox or signature is insufficient under Loi 25. Where possible, consent should be granular, allowing individuals to consent to some uses but not others.
**Withdrawal of Consent:** The mechanism and procedure for withdrawing consent, including how to submit a withdrawal request, the timeframe within which the organization will process the withdrawal, and the practical consequences of withdrawal, such as the inability to access certain services.
**Privacy Policy Reference:** A reference to the organization's full privacy policy (politique de confidentialite), which must be published, easily accessible, and written in clear, simple language as required by Loi 25. The privacy policy contains the detailed information about data handling practices that supports the consent form.
**Good Faith Obligation:** An express acknowledgment that both parties act in good faith (bonne foi, art. 1375 CCQ) and that the organization will handle personal information with the care and respect to which individuals are entitled under Quebec law.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Personal Data Collection Consent Form (Quebec) (Quebec) [Legal document template]. Forms Legal. https://forms-legal.com/quebec/personal/consent/data-collection-consent-form-quebec
"Personal Data Collection Consent Form (Quebec) (Quebec)." Forms Legal, 2026, https://forms-legal.com/quebec/personal/consent/data-collection-consent-form-quebec.
@misc{formslegal-data-collection-consent-form-quebec,
author = {{Forms Legal}},
title = {Personal Data Collection Consent Form (Quebec) (Quebec)},
year = {2026},
howpublished = {\url{https://forms-legal.com/quebec/personal/consent/data-collection-consent-form-quebec}},
note = {Free legal document template. Based on Civil Code of Québec (CCQ), Book Five: Obligations}
}Frequently Asked Questions
Loi 25 (An Act to modernize legislative provisions as regards the protection of personal information, RLRQ c P-39.1) is Quebec's landmark privacy law that came into force in phases between 2022 and 2023. It significantly strengthens protections for personal information in both the public and private sectors, bringing Quebec's privacy regime closer to the European GDPR standard. Key obligations under Loi 25 include: (1) designating a person in charge of the protection of personal information (privacy officer); (2) conducting privacy impact assessments (PIAs) before implementing projects involving personal information; (3) implementing a governance framework for personal information; (4) obtaining free, specific, and enlightened consent before collecting personal information; (5) informing individuals of the purpose of collection and their rights; (6) establishing retention schedules and destroying or anonymizing information when no longer needed; and (7) reporting privacy incidents to the Commission d'accès à l'information (CAI) and to affected individuals when the incident creates a serious risk of harm. Non-compliance with Loi 25 can result in administrative penalties of up to 25 million dollars or 4% of worldwide turnover, whichever is greater.
Under Loi 25, a valid consent to the collection of personal information in Quebec must be: (1) free — the individual must not be under duress or be required to consent as a condition of receiving essential services; (2) enlightened — the individual must have received clear, comprehensible information about the nature of the information collected, the purposes, and the parties who may access it; (3) given for a specific purpose — consent must be tied to a clearly identified purpose and cannot be bundled with unrelated consents; (4) clear and explicit — there must be an affirmative act by the individual, silence or pre-checked boxes do not constitute valid consent; and (5) documented — the organization must be able to demonstrate that valid consent was obtained. Additionally, for sensitive information (such as health data, biometric data, or financial information), consent must be explicitly given and cannot be implied. The consent form must also inform individuals of their rights of access, rectification, and withdrawal.
Under Loi 25 and CCQ art. 37, individuals in Quebec have several important rights regarding their personal information. The right of access allows individuals to request a copy of all personal information held about them by an organization. The right of rectification allows them to have inaccurate, incomplete, equivocal, or outdated information corrected. The right to withdraw consent allows individuals to revoke their consent at any time, subject to reasonable notice requirements and legal retention obligations. The right to portability — new under Loi 25 — allows individuals to request that their personal information be communicated in a technology-neutral, commonly used format so they can transfer it to another organization. The right to de-indexing allows individuals to request the de-indexing of information about them in search engines if it causes them serious harm. The right to complain to the Commission d'accès à l'information (CAI) allows individuals to file a complaint if they believe an organization has violated their privacy rights. All these rights must be clearly communicated in the data collection consent form.
Under Loi 25 (article 3.3 of the amended Act Respecting the Protection of Personal Information in the Private Sector), a privacy impact assessment (évaluation des facteurs relatifs à la vie privée — EFVP) is required in the following situations: (1) any project involving the acquisition, development, or overhaul of an information system or electronic service delivery system that involves personal information; (2) any communication of personal information outside Quebec — whether to another province or a foreign jurisdiction; (3) any new project or initiative that significantly changes the way personal information is collected, used, or disclosed. The EFVP must assess the risks to the privacy of individuals and include measures to mitigate those risks. For cross-border transfers, the EFVP must also evaluate whether the legislation of the receiving jurisdiction offers an adequate level of protection equivalent to Quebec's Loi 25. If not, additional protective measures must be implemented, and specific contractual provisions ensuring equivalent protection must be included in any agreement with the foreign party.
Collecting personal information without proper consent in Quebec can result in significant legal consequences under Loi 25 and the Civil Code of Quebec. From an administrative standpoint, the Commission d'accès à l'information (CAI) has broad investigative and enforcement powers. Organizations that fail to comply with Loi 25 can be subject to administrative monetary penalties (AMPs) of up to 10 million dollars or 2% of worldwide turnover for compliance violations, and up to 25 million dollars or 4% of worldwide turnover for more serious violations. From a civil liability standpoint, individuals who suffer harm as a result of an unauthorized collection or disclosure of their personal information may claim damages under article 1457 C.c.Q. (civil liability for fault) and article 37 C.c.Q. Additionally, the Privacy Act equivalent at the federal level (PIPEDA or its successor, the Consumer Privacy Protection Act, if enacted) may also apply to organizations subject to federal jurisdiction. Courts in Quebec have increasingly recognized the right to moral damages for privacy violations even where no financial harm can be demonstrated.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Politique de confidentialité (Québec — Loi 25)
Créez gratuitement une politique de confidentialité du Québec conforme à la Loi 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels) et à la LPRPSP. Couvre la désignation du responsable de la protection, les finalités de collecte, le partage avec des tiers, les transferts hors Canada, les droits des personnes (accès, rectification, suppression, portabilité) et les mesures de sécurité. Conforme à la Loi 96.
Consentement à l'utilisation de l'image (photo/vidéo) (Québec)
Créez un formulaire de consentement à l'utilisation de l'image conforme au droit québécois, protégeant le droit à l'image en vertu des arts. 35-36 C.c.Q., de la Charte des droits et libertés de la personne et de la Loi 25. Précise les utilisations autorisées, la durée et la révocabilité.
Consentement à la vérification des antécédents (Québec)
Créez un formulaire de consentement à la vérification des antécédents conforme à la Loi 25, à l'art. 37 C.c.Q. et à la Charte québécoise. Autorise les vérifications du casier judiciaire, du crédit, de l'historique d'emploi, des diplômes, du dossier de conduite et des références, avec protection contre la discrimination pour les pardons judiciaires.
Accord SaaS (Québec)
Create a Quebec SaaS agreement covering subscription fees, service levels, data privacy (Law 25/Bill 64), acceptable use, IP ownership, uptime guarantees, data portability, and termination under CCQ and Quebec's privacy legislation.