Meaningful Consent Under PIPEDA

July 6, 2018 | Imran Ahmad, Katherine Barbacki

As part of its effort to “breathe life” into the way consent under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) is obtained, the Office of the Privacy Commissioner of Canada, along with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia, recently published the Guidelines for obtaining meaningful consent (the “Guidelines”), which will apply as of January 1, 2019.

Overview of the Seven Principles

The Guidelines provide the following seven principles that organizations should follow when seeking meaningful consent for the collection, use or disclosure of personal information from individuals:

  1. Highlight the important elements. Greater emphasis should be placed on the most relevant aspects of how an individual’s personal information will be treated by the organization. For example, individuals should be able to understand quickly what personal information is being collected, with whom it is shared, the purpose(s) of its collection, use or disclosure, the potential risk of harm and any other material consequences.
  2. Give the individual control. The key elements listed above should be presented in a form and manner that allows individuals to control when they choose to review the information and the preferred level of detail required for that individual to grant meaningful consent. One way in which this can be achieved is through the use of a “layered-format”, which is consistent with the approach adopted under Article 4(11) of the European General Data Protection Regulation (“GDPR”).
  3. Give the individual a choice. Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. Put simply, individuals must be given a choice, which, in turn, must be explained clearly and made easily accessible.
  4. Be innovative and creative. The Guidelines strongly encourage organizations to take advantage of the various digital platforms and communication methods available to them when deciding how to present their policies. Methods such as “just-in-time” notices, interactive tools and customized mobile interfaces are examples highlighted by the Guidelines of how organizations can deliver policies in a more dynamic way.
  5. Consider the individual’s perspective. The information being provided by organizations during the consent process must be understandable, user-friendly and customized according to the type of product or service being offered. Organizations must use appropriate levels of language and ensure that the information being provided is easily accessible, regardless of the platform on which the information is accessed.
  6. Continuously evolve. The consent process is dynamic and should continuously evolve alongside the organization. Organizations must give individuals reasonable opportunities to have their questions answered and notify individuals of important changes to their privacy policies. This can be done through a variety of means, such as developing and regularly updating FAQs, using new smart technologies and chatbots.
  7. Be accountable. Organizations should be in a position to demonstrate legislative compliance, in particular with respect to how consent is obtained. Pointing to a line buried in a privacy policy will not suffice to demonstrate compliance. They will need to demonstrate that they have a process in place to obtain consent and that such process is compliant with the consent obligations set out in legislation (e.g., by demonstrating that they implemented the principles outlined in the Guidelines and other regulatory publications).

Additional Considerations

In addition to the principles outlined above, the Guidelines suggest that organizations should also consider the following points when implementing the processes by which consent is obtained:

  • While implied consent may be appropriate under certain circumstances, others may require express consent. The sensitivity of the information being collected, used or disclosed by an organization, as well as the reasonable expectations of the individual, are the key factors to be considered for the purpose of determining whether express or implied consent is appropriate.
  • In the vast majority of cases, the consent of a child under the age of 13 will need to be obtained by a parent or guardian.
  • Organizations must adhere to an individual’s withdrawal of consent by ceasing the collection, use or disclosure of personal information and, in most cases, actually deleting the information once collected.
  • Organizations are never exempt from having to respect the obligations imposed by privacy laws, even if a waiver to that effect is obtained from individuals.

Key Takeaways

The Guidelines are timely since they come on the heels of the GDPR coming into force. Many of the recommendations are consistent with what is now considered to be common practice in Europe.

The Guidelines underscore a change in terms of how Canadian organizations must now obtain meaningful consent. This is particularly relevant given the recent reorganization at the Office of the Privacy Commissioner, which established the PIPEDA Compliance Directorate. Organizations should take this opportunity to review and where necessary, revise their privacy policies and practices to be compliant with these Guidelines.

Disclaimer

The blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of the blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.