Skip to content

Consent accountability for Quebec's Law 25.

A driver's license for data access. The data never leaves you; Agreely proves the consent, on demand, and honors revoke and erasure.

Agreely dashboard: Law 25 actions to handle by article, the consent-verification trend, and compliance posture, at a glance

Collecting consent is easy. Proving it is the hard part.

Quebec's Law 25 turned consent into an obligation you must defend. An organization has to show, after the fact, that consent was given for a specific (category, purpose), that it was honored while active, and that it stopped the moment it was withdrawn. A checkbox in a database cannot prove any of that.

01

Prove it on demand

A regulator or auditor can demand proof of lawful consent for any (category, purpose) at any time. Logs you could have edited prove nothing.

02

The gap is structural

Consent lives as a boolean in an app database: easy to overwrite, impossible to prove untouched, and disconnected from the code that touches the data.

03

Revoke and erasure are binding

Withdrawal of consent has to take effect on the very next use, and the right to erasure has to actually destroy the readable claim, not just promise to.

04

A blanket yes is worthless

Law 25 requires consent asked for each purpose, presented distinctly from any other information. A single "I accept all" is without effect, and proving otherwise is on you.

05

The access right runs against the clock

An individual concerned can ask for access to their information, a copy, and its release in a structured, commonly used technological format. You have 30 days to answer, after which the request is deemed refused.

06

One incident, and you reconstruct everything

Faced with a confidentiality incident, you must assess the risk of serious injury, notify the Commission and the individuals concerned with diligence, and keep a register. Without a reliable record of who consented to what, scoping it is guesswork.

07

An obligation with a name on it

Law 25 places personal-information protection in the hands of a named person in charge, whose contact details are public, and puts the burden of proof on the enterprise. Accountability is not a promise: it is a person who must answer, article in hand.

From collection to erasure, every step covered.

Agreely covers every step of an information's life cycle: disclosure at collection (art. 8), consent asked for each purpose (art. 14), proof on demand, withdrawal and erasure (art. 23), governance through the responsable and the register, then audit through a tamper-evident access log. Your information stays with you: Agreely is the proof and accountability layer, not a new data store.

The whole life cycle

Covered end to end

Every step leaves proof bound to the article it satisfies.

Consent documents

Versioned, signed documents carry the purposes, means, rights, and withdrawal.

Law 25 art. 8 / 14

Granular consent

Consent is asked for each purpose, separately.

Law 25 art. 14

Consent withdrawal

Withdrawal is honored on the very next check.

Law 25 art. 8 al. 1 (4)

Tamper-evident access log

Every access and disclosure is recorded, anchored, and verifiable by the regulator.

Law 25 art. 18 al. 2 / 27

Crypto-shred erasure

Erasure destroys the key that makes the claim readable.

Law 25 art. 23

Accountability receipts

Signed receipts demonstrate lawful consent, after the fact.

Law 25 art. 3.1

Proof and governance, beyond consent.

Agreely delivers what Law 25 truly demands: a tamper-evident access log, versioned consent documents, attested offline consent, and a complete governance suite.

Named responsable, confidentiality-incident register, and privacy policy, in one suite. Proof, audit, and accountability; your information never leaves your systems.

Agreely's Compliance Center: named responsable (art. 3.1), policies, retention, out-of-Quebec transfers, incident register, and individual rights, in one suite.

From a question to a proof, in four moves.

Agreely turns a yes-or-no consent question into a signed, anchored proof anyone can check later. The synchronous check stays off-chain; the chain only ever carries the proof.

01

Declare the grid

Define the (category, purpose) cells your product needs consent for.

02

Issue a signed request

Ask the citizen for exactly those cells with a request your company key signs.

03

Approve with a passkey

The citizen consents on their own device, producing a signed receipt.

04

Anchor on-chain

The commitment is anchored so the record is tamper-evident forever.

One call.

Wrap any data use in a single check(). It resolves one (customer, category, purpose) to a synchronous allow or deny, reading a single indexed record. First-party SDKs for TypeScript and PHP, plus a CLI.

import { Agreely } from "@agreely/sdk";

const agreely = new Agreely({ apiKey: process.env.AGREELY_API_KEY! });

// One call. Fail-closed by default.
const ok = await agreely.check("cust_8812", "Phone number", "Billing");

Fail-closed by default

If Agreely cannot be reached, the answer is deny. A revoked, expired, erased, or never-granted cell is always false.

Agent-native CLI

One env var and --json gives pure JSON on stdout with stable exit codes that separate an outage from a denial.

Read the SDK docs

One synchronous read of a single indexed cell. Fail-closed with stable exit codes.

Every Law 25 obligation, and how Agreely meets it.

Show, don't ask to be trusted. For each relevant article of the act (P-39.1), the obligation and the Agreely capability that meets it.

See the article-by-article mapping (Law 25)

Consent

art. 14
Obligation Manifest, free and informed consent, asked for each purpose.
Agreely (category, purpose) catalog with per-cell consent.
art. 8
Obligation Mandatory disclosure list at collection, in plain and clear terms.
Agreely Versioned, signed consent documents.
art. 8 al. 1 (4°)
Obligation Right to withdraw consent.
Agreely Withdrawal honored on the very next check.
art. 4.1
Obligation Minor under 14: consent by the holder of parental authority.
Agreely Parental consent flow.
art. 12.1
Obligation Decision based exclusively on automated processing: disclosure and observations.
Agreely Automated-decision notice and register.

Rights of the individual concerned

art. 27
Obligation Right of access: confirm holding and hand over a copy.
Agreely Access export on request.
art. 27 al. 3
Obligation Delivery in a structured, commonly used technological format.
Agreely Structured export of information collected from the person.
art. 23
Obligation Destruction or anonymization once the purposes are accomplished.
Agreely Crypto-shred erasure and a destruction schedule.
art. 11 al. 2
Obligation Information used for a decision kept at least one year.
Agreely Retention floor applied to the schedule.

Accountability and logging

art. 3.1
Obligation Person in charge of personal information protection.
Agreely Named responsable, published contact, signed receipts.
art. 18 al. 2
Obligation Record certain disclosures to a third party.
Agreely Tamper-evident access log, anchored, citizen unlinkable.
art. 3.2 / 8.2
Obligation Governance policies and a public privacy policy.
Agreely Governance suite and a published policy.

Governance and risk

art. 3.5-3.8
Obligation Measures, notification, and a confidentiality-incident register.
Agreely Confidentiality-incident register.
art. 17 / 3.3
Obligation Communication outside Quebec and a privacy impact assessment.
Agreely Transfer register and privacy impact assessment (EFVP).

Citations verified against the official text of the Act respecting the protection of personal information in the private sector (chapter P-39.1). For information only, not legal advice.

Proof that does not ask you to trust Agreely.

Every grant produces artifacts an auditor can recompute and check on their own. The cryptography, not the company, is what makes the record stand up.

What anyone can confirm
  • The receipt signature is valid
  • The root recomputes identically
  • The anchor is found on the chain
A receipt verifies offline, with no access to Agreely.

On-chain anchoring

Consent roots, revocations, and identity commitments are anchored so the record cannot be quietly rewritten. The chain is proof, never the read path; the check never touches it.

Independently verifiable receipts

Each grant is a signed receipt built from published standards. Anyone with the artifacts can recompute and verify it offline, without trusting Agreely.

Crypto-shred erasure

Law 25's right to erasure (art. 23) is a real destruction, not a promise. Erasing a cell destroys the secret that makes its claim readable, while the surviving cells still verify.

Company and citizen unlinkability

The citizen identity is opaque and tenant-less, and never carries a company's customer reference. Agreely cannot re-identify a person across the companies they consent to.

For citizens

Your consent, on your device.

Agreely's citizen app hands you every consent as a signed receipt, kept on your own device. See what you agreed to, withdraw it whenever you want, and check that a receipt is genuine yourself. No passwords.

  • Your receipt goes with you

    Every consent becomes a cryptographic receipt kept on your device. The app installs to your home screen like any app.

  • Withdraw with a tap

    Withdraw a consent with your passkey (Face ID or Touch ID). The withdrawal is honored from the very next check.

  • Verify it yourself

    Confirm a receipt is authentic and untampered, without having to trust Agreely or anyone else.

  • No passwords, pseudonymous

    Your identity is a passkey tied to an opaque identifier. No company can correlate you from one to another.

Open citizen app my.agreely.ca

The citizen app lives at my.agreely.ca and installs to your home screen like an app (PWA).

Here for a business? Book a meeting

The Agreely citizen app on a phone: the consent review screen, where each purpose is shown separately and approved with a passkey.

Simple pricing, by tier.

Four tiers in Canadian dollars. Every tier includes on-chain anchoring, verifiable receipts, crypto-shred erasure, per-tenant encryption, and Canadian data residency. You move up by active records and seats, never by how often you check.

Priced on your accountability surface, not your traffic. You are billed on active consent records and seats, never on visitors or how often you verify. Check as often as you need.

Starter

$89 CAD / mo
billed annually
  • Active consent records 2,500
  • Consent requests / mo 1,000
  • API keys 2
  • Custom domain No
  • Seats 3
  • Support Email
Get started

Business

$999 CAD / mo
billed annually
  • Active consent records 150,000
  • Consent requests / mo Unlimited
  • API keys Unlimited
  • Custom domain Yes
  • Seats Unlimited
  • Support Priority + target uptime
Get started

Enterprise

Custom

For high volumes and contractual requirements. Dedicated stack and a negotiable SLA.

  • Active consent recordsCustom
  • IsolationDedicated database and stack
  • SeatsUnlimited
  • SupportCustom contract (negotiable SLA)
Contact us

Professional services

Integration, onboarding, and training. Our team helps you connect Agreely to your systems and trains your teams to use it.

Book a meeting
Annual billing, in Canadian dollars. You move up by active records and seats.

Quebec's Law 25, in plain terms.

The questions we hear most about Quebec's Law 25, consent proof, and where Agreely fits.

What is Quebec's Law 25?

Law 25 is the common name for Quebec's overhaul of personal-information protection ; in the private sector it amends the P-39.1 act (Act respecting the protection of personal information in the private sector). Phased in between 2022 and 2024, it requires valid consent, stronger rights for the individual concerned, and documented accountability. Any person carrying on an enterprise that collects personal information in Quebec is subject to it.

Does consent have to be asked for each purpose?

Yes. Article 14 requires manifest, free and informed consent, given for specific purposes and “asked for each of those purposes”. A single “accept all” box that bundles several uses is non-compliant: consent not asked separately for each purpose is without effect. When the request is made in writing, it must also be presented distinctly from any other information given to the individual concerned.

What is consent proof, and does Law 25 require one?

Law 25 puts the burden on the enterprise to show it obtained valid consent ; collecting consent is easy, but proving it after the fact is what is required. A checkbox in a database you could have edited proves neither when consent was given, nor for which purpose, nor that it was honored until withdrawal. Consent proof is a verifiable record, bound to the specific purpose (art. 8 and 14), that a regulator or auditor can check on demand.

What must you disclose when you collect personal information?

Article 8 requires that, at collection and in plain and clear terms, you inform the individual concerned of the purposes, the means used, their rights of access and rectification, and their right to withdraw consent. Where applicable, you must also name the third party on whose behalf collection is made, the categories of recipients, and the possibility of a communication outside Quebec. On request, you add the categories of persons with internal access, the retention period, and the contact details of the person in charge of personal-information protection.

What rights does an individual have under Law 25?

The individual concerned can ask for access to their information and a copy (art. 27), ask to rectify inaccurate information (art. 28), and withdraw consent at any time (art. 8, para. 4). Computerized information collected from them must, on request, be released in a structured, commonly used technological format (art. 27, al. 3). The person in charge must answer in writing, with diligence and within 30 days at the latest ; failing that, the request is deemed refused (art. 32).

Does Law 25 require a privacy officer?

Yes. Article 3.1 places personal-information protection in the hands of a person in charge ; by default this is the person with the highest authority in the enterprise, who may delegate the function in writing. That person's title and contact details must be published, notably on the enterprise's website. The named person answers access requests and carries accountability, article in hand (the statutory term is “responsable de la protection des renseignements personnels”, not “DPO”).

Is there a right to erasure in Quebec, and what does it mean?

Once the purposes of collection are accomplished, article 23 requires the enterprise to destroy the personal information or anonymize it according to best practices, subject to any retention period set by law. In Quebec, “anonymized” sets a strict bar: the process must be irreversible, which is distinct from mere de-identification. Cessation of dissemination and de-indexing (art. 28.1) cover what the public often calls the “right to be forgotten”, but that is not the statutory term.

How does Agreely help with Law 25 compliance?

Agreely is the proof and accountability layer: it asks consent for each purpose, produces a signed, verifiable receipt, and honors withdrawal and erasure on the very next check. Your information stays with you ; Agreely does not become a new store of your personal information, it proves consent on demand and keeps a tamper-evident access log. Agreely does not on its own guarantee your compliance: it tools specific obligations (art. 8, 14, 23, 27, 3.1), while your policies, deadlines, and internal practices remain yours and your legal counsel's.

For information only, not legal advice.

Consent you can prove

Make consent accountable.

Start with the one-call mental model, then read the protocol that makes every grant verifiable, revocable, and anchored.

View the protocol