The recent enactment in Québec of An Act to modernize legislative provisions as regards the protection of personal information (hereinafter called “Act 25”), formerly known as Bill 64, has led to significant changes for organizations that collect, communicate, and use personal information in Québec.

While organizations have already had to comply with the first wave of requirements, which came into force in September 2022, a new set of requirements is coming as soon as September 2023. They will require significant preparation and effort for effective implementation.

Recap of Act 25

Based in large part on Europe’s “General Data Protection Regulation” (GDPR), this new provincial law is intended to give more rights to individuals who share their personal information and, at the same time, it institutes a general principle of transparency. Going forward, a person who consents to share his or her personal information with an organization must understand how that information will be used, communicated, and possibly shared with third parties.

To guide organizations and businesses through this process, our professionals have developed a comprehensive guide that presents the law and the constraints it poses, but also the opportunities that arise from it, presented in 11 areas of compliance.

The following pages describe how KPMG in Canada can help private and public sector organizations comply with and operationalize the requirements related to one of these areas of compliance: transparency and consent.

The importance of obtaining valid consent

To be valid, consent must be expressed in a clear and free manner, obtained by means of simple and clear language. Bill 25 also provides that consent must be obtained directly and not masked within an abundance of information.

In addition to the above, in order for consent to be valid, an organization must inform the individual who is sharing personal information of the following:

  • The purposes for which the information is being collected
  • The means used to collect the information
  • One’s rights of access, correction and withdrawing of consent to use the information collected
  • The categories of third parties to whom it is necessary to release the information for the defined purposes
  • The possibility that the information will be disclosed outside Québec

The Commission d'accès à l'information (CAI) recently published draft guidelines on consent which provide illustrations and set out the CAI's interpretation of certain provisions of the law, in particular with regard to applicable requirements when using sensitive personal information for secondary purposes.

Who needs to give their consent?

The consent requirements must be met for customers and prospects, but also for employees and job applicants: in short, for all individuals who share personal information, i.e., any information that allows an individual to be identified, directly or indirectly, with an organization.

However, as of September 22, 2023, Act 25 will exclude from application of this law, information and contact details relating to business contacts: employer, position, business contact information (email address, company address, business telephone number, etc.).

Operationalization of consent with KPMG

KPMG has a methodology and the practical experience required to help you implement sound consent management strategies.

Operationalization of consent with KPMG


Identify the business needs

  • Serious and legitimate purposes
  • Primary purposes: the personal information needed to provide services or engage in business activities
  • Secondary purposes: other purposes that are not essential to providing services or business activities

Validate the business context

  • People: existing customers, new customers, prospects, job applicants, employees
  • Channel and medium (paper, electronic, digital)
  • Consent obtained directly or through a third party
  • Sensitive or non-sensitive personal information


  • Intended purposes: primary and secondary
  • How consent is obtained for new clients (presumed, opt-out, opt-in) depending on the context and the channel
  • Management strategy for existing clients
  • Requirements for consent management (use – processing of opt-out requests)
  • Functional needs and requirements for a management solution



  • Developing the wording and review of the notice on protection of personal information to cover the information requirements
  • Validation of key moments in the customer journey
  • Changes to the documentation used in business activities involving the collection of personal information as part of the customer journey
  • Tailoring the means to the specific nature of the business activities
  • Optimization of how consent is obtained, based on the customer journey

Management and solution

  • Form of retention
  • Implementation of a solution for validating the status and management of consent withdrawals

Organizations need to implement consent management to ensure that consents from existing and future customers are valid if they are to deliver an optimal experience, maintain the trust of stakeholders and reduce the reputational risks that arise from poor management.

This strategy needs to consider

Compliance requirements
magnifying glass with dollar
Financial resources
connected dots
Physical resources
Human resources
Technological resources

Have a sound basis for planning the implementation

KPMG starts by asking clients to take positions on the issues that will guide the work on implementation.

Positioning Steps to be performed

Scope (who)

For which entities is personal information collected?

Which types of people are targeted for consent?

  • Identify business and operational needs
  • Validate the business context
  • Define use cases
  • Make an inventory of the processes involving the collection of personal information
  • Identify the specific characteristics of each entity (if applicable)

Ways consent will be obtained (how)

How will individuals’ consent be obtained?

  • Make an inventory of the purposes for which personal information is collected
  • Make an inventory of use interfaces, tools, solutions and consent collection scenarios, along with the associated risks
  • Define a strategy for obtaining consent (opt-in/opt-out and level of granularity)
  • Determine the preferred methods based on the interfaces and the strategy for obtaining consent

Wording of the consent (what)

How will the organization fulfil its obligation to inform individuals when obtaining consent?

  • Validate the consent requirements
  • Decide on the wording to be used for each user interface

Management of existing consents

How should previously obtained consents be managed?  

  • Make an inventory and analyze existing consents
  • Identify the consent withdrawal capabilities of the existing systems
  • Determine the preferred means of effectively asking for consent again (where appropriate)

Once a general direction of the consent strategy has been defined, the organization will need to implement and manage it. This includes:

  • Updating policies on the protection of personal information and the wording of the various existing consent forms and communications
  • Implementing the processes and solutions required to consolidate the consent obtained from various sources and ensure conservation
  • Establishing the functional requirements and choosing technological solutions based on the existing technological architecture
  • Implementing consent management and withdrawal solutions
  • Defining a retention method

Beyond the organization’s responses to its regulatory obligations, the implementation phase provides it with an opportunity to review and help optimize processes that are already in place. It is crucial to include a customer experience (CX) component when implementing a new consent strategy to ensure that the strategy takes into account future marketing needs (communications, customer knowledge, personalization, etc.). This will minimize the impact on sales and on the experience delivered to the organization’s prospects and customers.

Data gathering, touchpoints and client experience

Use and retention of consents

Under Bill 25, consent is valid only for the time required to achieve the purposes for which it was requested.

So organizations must also determine when it will be necessary and appropriate to seek consent for the subsequent use of an individual’s personal information. KPMG helps organizations set a standard that is based on risk appetite, regulatory requirements, and organizational needs.

Implementing a technological solution for consent management

To ensure effective consent management, organizations can choose to use the various technological solutions available on the market.

KPMG’s multidisciplinary team helps organizations define the functional requirements, establish the transitional management metric, and identify and implement the target consent management solution.

The following are key high-level steps and underlying activities for selecting, deploying, and operationalizing a technological solution for consent management:

bullseye Vision and strategy
  • Criteria for success
  • Engagement
  • Maturity assessment
  • Roadmap
pencil compass Building blocks / Program design
  • Basics: language, taxonomy, common frameworks
  • Opportunity for convergence, alignment of functionalities, integration point
  • Establishment of high-level business, functional and technical requirements
handshake Vendor selection
  • Buy vs. build
  • Tool selection
  • Supplier demonstrations
  • Evaluation criteria
  • Tender scoring
wrench and screwdriver Enablement
  • Solution configuration and implementation
  • Panning the conversion and executing the data migration
  • Testing strategy, performance test and acceptance by users
  • Post-production support plan for deployment
Ongoing project management
Training, awareness raising and buy-in

Privacy by default: what is the impact on consent?

Organizations must also prepare for the introduction of the default privacy requirement. According to this rule, a technology, that collects data such as IP address, MAC address or e-mail address for profiling, geolocation or identification purposes cannot be activated by default. Instead, it must be enabled through positive action taken by the individual using the technology. For example, the advertising targeting cookies used by a website cannot be stored on a user’s device unless the user has explicitly given consent. This is usually done through a pop-up message or banner informing the user that the site uses cookies and allowing the user to choose whether or not to accept them. The purpose of default privacy used for cookies is to increase transparency and give users more control over how websites track and collect their data. 

Note that this requirement does not apply to the cookies required to operate the website or application.

Initialization phase
  • Site scanning and cookie classification

User vision
First visit Subsequent visits
  • Selection of options and documentation of consent (creation of a unique key)
  • Preferences recorded in a consent register
  • Validation using the unique key
  • A new consent is a requested if changes are identified following a scan

The experience and knowledge you need

KPMG in Canada is a leader in protection of personal information. Our multidisciplinary teams of professionals have successfully carried out numerous projects to bring organizations into compliance with Act 25 and understand the challenges your organization may face. Our leaders also contribute to projects to comply with the legislation that will result from the adoption of Bill C-27. This is why KPMG in Canada takes a holistic approach to consent management, considering not only compliance issues but also the organization’s business and operational needs.

Contact us for a more in-depth discussion with our privacy leaders to ensure that your company is implementing sound consent management.

Connect with us

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today

Connect with us