Law 25 and the consent tax on first-party data
Consent isn’t a compliance cost. It’s the entry price of a data asset that depreciates the moment you collect it badly.
Most loyalty teams in Québec treated Law 25 as a legal project: a banner, a policy, a checkbox, case closed. That framing is the mistake. Granular consent doesn’t only protect the member — it sets the book value of your data asset. Data obtained under vague, bundled, or assumed consent is data you can’t activate without risk, and an asset you can’t transfer, share, or monetize cleanly.
Call it what it is: a consent tax. Every purpose you want to serve — personalization, retail media, partner sharing — requires its own explicit consent, separate from joining the program. Operators who saw this coming in 2023 now harvest marketing-purpose consent rates comfortably north of 70%, because they traded clear value for clear permission. The ones who bundled everything under a single “I agree” are discovering their activatable base is far thinner than their enrolled base.
The strategic implication is counterintuitive: compliance done well raises margin. A member who consents purpose by purpose is a member whose intent you know, whose erasure is traceable, and whose data survives an audit by the privacy regulator. That data is worth more in retail media, because an advertiser pays for a permissioned audience, not for grey volume.
So the metric to watch isn’t the enrollment rate. It’s the marketing-purpose consent rate, segment by segment, and how stable it stays over time. If that ratio erodes, your data asset depreciates — no matter how many cards are in circulation. Law 25 didn’t make data more expensive. It made visible the fact that badly collected data was already worth nothing.