Privacy Commissioner of Canada’s consent guidelines are in effect as of January 1, 2019

Last spring, the Office of the Privacy Commissioner of Canada released an important guidance document concerning meaningful consent. It now applies as of January 1, 2019. The goal of the guidance document is to provide practical and actionable advice for organizations to ensure they obtain meaningful consent in the online environment pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA).

What is consent?

Under section 6.1 of PIPEDA, “consent” of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The main elements of consent are explained in clause 4.3 of Schedule 1. More specifically, Principle 3 – Consent emphasizes that, unless there is an exception, the knowledge and consent of an individual are required for the collection, use, or disclosure of personal information. An example of an exception includes a situation where seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated.

Schedule 1 has several subclauses that elaborate on the concept of consent. For instance, clause 4.3.2 provides clarification regarding “knowledge and consent”. It states that organizations must make reasonable efforts to ensure that the individual is advised of the purposes for which the information will be used. That is, to make the consent meaningful, the purposes must be stated in such a way that the individual can reasonably understand how the information will be used or disclosed.

Another example involves clause 4.3.7, which discusses the ways in which a person can provide consent. The clause states that there are several ways in which an individual can provide consent, namely by using: (I) an application form to seek consent, collect information, and inform the individual of the use that will be made of the information (completing and signing the form has the effect of giving consent to the collection and the specified uses); (II) a checkoff box to allow individuals to request that their names and addresses not be given to other organizations (where individuals do not check the box, it can be assumed that they consent to the transfer of the information to third parties); (III) consent that is given orally when information is collected over the telephone; or (IV) consent that is given at the time that individuals use a product or service.

Indeed, as mentioned in clause 4.3.4, the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations must take into account the sensitivity of the information.

The guidelines

More specifically, the Guidelines for obtaining meaningful consent set out seven guiding principles for meaningful consent. While the Privacy Commissioner recognizes that organizations are best placed to find innovative and creative solutions for developing a consent process that respects their specific obligations, the Privacy Commissioner expects organizations to act in accordance with the following principles:

  • Emphasize key elements: organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full, and also in a form that allows individuals to quickly review, upfront and in a clear and understandable manner, the key elements impacting their privacy decisions. Organizations must put additional emphasis on the following key elements: (I) what personal information is being collected; (II) with which parties personal information is being shared; (III) for what purposes personal information is collected, used or disclosed; and (IV) the risks of harm and other consequences of the collection, use or disclosure to which they are consenting. Currently, there is no prescribed form in which the above elements should be highlighted so as to give them prominence, but the Privacy Commissioner encourages organizations to consider adopting standardized mechanisms so that best practices emerge in the future in different sectors.
  • Allow individuals to control the level of detail they get and when: information must be provided to individuals in manageable and easily accessible ways, and individuals should be able to control how much more detail they wish to obtain, and when. It is important for organizations to respect all approaches taken by individuals, from quickly reviewing the information, to deeply reviewing the privacy practices of an organization, to quickly agreeing and reviewing later. Presenting the information in a layered format helps make it more understandable. The information is to remain available throughout the relationship with the individual so the individual can reconsider choices made or withdraw consent completely.
  • Provide individuals with clear options to say ‘yes’ or ‘no’: individuals must be given a choice, and the choices must be explained. Collections, uses or disclosures of personal information over which the individual cannot assert any control (other than to not use a product or service) are called conditions of service. For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. It is important for organizations to be transparent and be prepared to explain why any given collection, use or disclosure is a condition of service, particularly if it is not obvious. For all other collections, uses and disclosures, individuals must be given a choice (unless an exception to the general consent requirement applies).
  • Be innovative and creative: organizations are encouraged to use a variety of communications strategies to explain their privacy practices, including “just-in-time” notices, interactive tools, and customized mobile interfaces. More specifically, “just-in-time” notices address the issue of users feeling a sense of urgency when making decisions about sharing their information. Organizations are encouraged to bring relevant privacy information to the forefront where it is conspicuous, quick to access, and intuitive so these decisions can be made more comfortably. Interactive tools can be used when presenting privacy information, such as interactive walkthroughs of privacy settings at initial sign-up and periodically afterwards as refreshers, videos explaining key concepts, and infographics. Lastly, since mobile devices present an additional communication challenge, it is important for organizations to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention and need guidance the most. To that end, privacy information needs to be optimized to be effective in spite of the physical limitations of screen size.
  • Consider the consumer’s perspective: it is important for consent processes to be user-friendly so the information provided is generally understandable from the point of view of the organization’s target audience. The information must be accessible, using clear explanations, a level of language suitable to a diverse audience, and a comprehensible means of displaying and communicating information. Accessibility includes ensuring that privacy policies and notices are easily accessible from all devices. In order to achieve these goals, organizations are encouraged to consider various options including: (I) consulting users for their input, (II) pilot testing ideas, (III) involving user interaction/user experience (UI/UX) designers in the development of the consent process, (IV) consulting with privacy experts and regulators, and (V) following established best practices, to name a few.
  • Make consent a dynamic and ongoing process: it is important for organizations to treat consent as a dynamic and interactive process that goes beyond a one-time posting of a privacy policy. When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. Significant changes include using personal information for a new purpose not anticipated originally or a new disclosure of personal information to a third party for a purpose other than processing that is integral to the delivery of a service. Organizations are recommended to consider periodically reminding individuals about their privacy options and inviting them to review these. They are also recommended to periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals.
  • Be accountable: stand ready to demonstrate compliance: it is important for organizations to always be ready to demonstrate compliance concerning the consent process. This involves being able to show individuals and regulators that they have a process in place to obtain consent from individuals, that such process is compliant with the consent obligations set out in the legislation, and that there is compliance with the above-mentioned principles.

Moreover, the Privacy Commissioner highlights that it is important for organizations to consider the appropriate form of consent to use – express or implied – for any collection, use or disclosure of personal information for which consent is required.

Typically, consent should be express, but it can be implied in some rare circumstances. When making this important decision, organizations must consider the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on the context.

For the most part, organizations must obtain express consent when:

  • the information being collected, used or disclosed is sensitive;
  • the collection, use or disclosure is outside of the reasonable expectations of the individual; or
  • the collection, use or disclosure creates a meaningful residual risk of significant harm.

The Privacy Commissioner also addresses consent and children; essentially, the Privacy Commissioner is of the view that for anyone under the age of 13, consent must be obtained from parents or guardians. For minors who are able to provide meaningful consent, consent can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly.

Lastly, the Privacy Commissioner emphasizes that the purposes for collection, use and disclosure of personal information must be appropriate and defined – even if consent is provided, the purposes must be such that a reasonable person would consider them appropriate in the circumstances. Also, it is important that individuals can withdraw consent, subject to legal or contractual restrictions; this would have the effect of stopping any further collection or use of information, and perhaps even deleting information depending on the circumstances (some laws may require retention of information for certain periods of time).

What can employers do in light of this development?

The Privacy Commissioner has created a checklist to assist organizations in achieving compliance. More precisely, the above-mentioned measures can be separated into obligations arising from legal requirements (those things an organization must do to obtain meaningful consent) and best practices (those things an organization should consider in order to improve their consent process). Here is a list of these requirements and best practices:

Requirements

To obtain meaningful consent and meet their related obligations under Canadian privacy law, organizations must:

  • Make privacy information readily available in complete form, while giving emphasis or bringing attention to four key elements: (I) what personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to; (II) with which parties personal information is being shared; (III) for what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to; and (IV) risks of harm and other consequences
  • Provide information in manageable and easily accessible ways
  • Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service
  • Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable
  • Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties
  • Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances
  • Allow individuals to withdraw consent (subject to legal or contractual restrictions)
  • Obtain explicit consent for collections, uses or disclosures which generally: (I) involve sensitive information; (II) are outside the reasonable expectations of the individual; and/or (III) create a meaningful residual risk of significant harm
  • Obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity

Best practices

Organizations are recommended to improve their consent process by:

  • Allowing individuals to control the amount of detail they wish to receive, and when
  • Designing or adopting innovative and creative ways of obtaining consent, which are just-in-time, specific to the context, and suitable to the type of interface
  • Reminding individuals periodically about the consent choices they have made, and those available to them
  • Periodically auditing privacy communications to ensure they accurately reflect current personal information management practices
  • Standing ready to demonstrate compliance – in particular, that the consent process is understandable from the perspective of the user
  • When designing consent processes, considering: (I) consulting with users and seeking their input; (II) pilot testing or using focus groups to evaluate the understandability of documents; (III) involving user interaction/user experience (UI/UX) designers; (IV) consulting with privacy experts and/or regulators; and/or (V) following established best practices or standards

Christina Catenacci

Christina Catenacci, BA, LLB, LLM, was called to the Ontario Bar in 2002 and has since been a member of the Ontario Bar Association. Christina worked as an editor with First Reference between February 2005 and August 2015, working on publications including The Human Resources Advisor (Ontario, Western and Atlantic editions) and HRinfodesk, discussing topics in Labour and Employment Law. Christina has decided to pursue a PhD at the University of Western Ontario beginning in the fall of 2015.