On June 18, 2015, the Canadian government enacted the Digital Privacy Act, which makes a number of important changes to the Personal Information Protection and Electronic Documents Act. One of the most significant changes is a new, additional requirement for “valid consent” to the collection, use and disclosure of personal information. To comply with that new requirement, organizations should critically assess and adjust their privacy explanations (e.g. privacy policies, notifications and reminders) to adequately and accurately explain, in ways that members of the organization’s target market can reasonably be expected to understand, the nature, purpose and consequences of the organization’s collection, use and disclosure of personal information.

BACKGROUND – MEANINGFUL CONSENT

Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulates the collection, use and disclosure of personal information in the course of commercial activities by organizations in all provinces except British Columbia, Alberta and Québec (each of which has a substantially similar personal information protection law) and by organizations that operate a “federal work, undertaking or business” or transfer personal information across provincial borders for consideration.

PIPEDA requires compliance with a Model Code for the Protection of Personal Information, which includes Principle 3 – “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate”. The Model Code elaborates on that general principle by explaining that an individual’s consent must be “meaningful”, which requires an organization to make a reasonable effort to ensure that the individual is advised of “the purposes for which the information will be used” and can reasonably understand how the information will be used or disclosed. The Model Code also explains that the appropriate form of consent (express/opt-in or implied/opt-out) will vary depending on the circumstances and the type of personal information, and should be determined in light of the sensitivity of the information and the individual’s reasonable expectations in a given context.

DIGITAL PRIVACY ACT – VALID CONSENT

The stated purpose of the Digital Privacy Act is to modernize PIPEDA to set clear rules for how personal information can be collected, used and disclosed, so that Canadians can have confidence that their personal information is protected. One of the most significant aspects of the Digital Privacy Act is a resulting amendment to PIPEDA to add a new requirement for valid consent. The new section 6.1 provides that an individual’s consent to an organization’s collection, use and disclosure of the individual’s personal information “is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting”.

The government explained the purpose of the “valid consent” requirement as follows: “The new measures also establish stronger rules to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences when companies ask to collect and use their personal information. Companies will need to communicate these requests in clear and simple language for the target audience.”

A plain reading of the “valid consent” requirement indicates as follows:

  • Additional Requirement: The requirement is in addition to, and does not replace, the fundamental requirement that an organization obtain an individual’s consent, express or implied, to the collection, use and disclosure of the individual’s personal information, unless certain exceptions apply.
  • Application: The requirement applies to both express/optin consent and implied/opt-out consent. Consequently, an organization will not be able to rely on an individual’s express consent unless the “valid consent” requirement is satisfied.
  • Broad Understanding: The requirement refers to an individual’s understanding of “the nature, purpose and consequences of the collection, use or disclosure of the personal information”, which is considerably broader than pre-existing requirements that consent be based on an understanding of “the purposes for which the information will be used” and “how the information will be used or disclosed”.
  • Objective Standard – Target Market: The requirement refers to the understanding of “an individual to whom the organization’s activities are directed”, which is an objective standard based on the kinds of individuals (e.g. children or youth) who are part of the organization’s target market.

COMMENT

The “valid consent” requirement is an extension of the fundamental principle of “meaningful” consent, which requires that consent be reasonably informed. Organizations should critically assess and adjust their privacy explanations (e.g. privacy policies, notifications and reminders) to adequately and accurately explain, in ways that members of the organization’s target market can reasonably be expected to understand, the nature, purpose and consequences of the organization’s collection, use and disclosure of personal information. When undertaking that exercise, organizations should consider Canadian Privacy Commissioners’ previous guidance for obtaining meaningful consent, including Guidelines for Online Consent (May 2014).