The European Union’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. To assist Canadian organizations with their potential compliance efforts with respect to this legislation, the following is intended to provide a non-exhaustive, high-level comparison between the consent provisions of:

  1. the GDPR;
  2. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA);
  3. the Personal Information Protection Acts of Alberta and British Columbia (collectively, the PIPAs); and
  4. Canada’s Anti-Spam Legislation (widely known as CASL).

While there are important nuances to each of these regulatory frameworks, they broadly draw on fair information practices that result in substantial commonality among them. In fact, a number of elements in Canadian private sector privacy law, especially in the PIPAs, have anticipated some provisions in the GDPR.

Express Consent

GDPR

Express consent is generally required to control or process personal data, except in certain circumstances.

Consent means any freely given, specific, informed and unambiguous indication of an individual’s wishes which, by a statement or by a clear affirmative action, signifies an agreement to the processing of their personal data.

The GDPR provides that, when assessing whether consent is freely given, “utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

PIPEDA

Consent is generally required for the collection, use or disclosure of personal information. Consent can be express, implied or deemed.

Express consent is only valid if it is reasonable to expect that an individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

PIPEDA provides that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Canada’s privacy regulators plan to adopt new guidelines applicable to meaningful consent as of January 1, 2019.

PIPAs

The Alberta and B.C. Privacy Commissioners have held that consent must be “meaningful” (i.e., an individual must understand what an organization is doing with their information).

On or before collecting personal information about an individual, an organization must generally disclose to the individual verbally or in writing: (i) the purposes for the collection of the information; and (ii) the position name or title and the contact information of a person who is able to answer the individual's questions about the collection. Consent can also be implied or deemed in certain circumstances.

The PIPAs provide that an organization shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information about an individual beyond what is necessary to provide the product or service.

Canada’s privacy regulators plan to adopt new guidelines applicable to meaningful consent as of January 1, 2019.

CASL

CASL provides that a sender must hold the consent of a recipient in order to send the recipient a commercial electronic message (CEM), unless the CEM is exempt. Consent can be express or implied/deemed under CASL.

Unlike the principle-based forms of express consent under privacy statutes, CASL sets out various formalities that must be met in order for an express consent to be valid, including certain informational disclosures that must be made at the time consent is collected. The purpose for which an organization seeks consent must be clearly set out, with consent limited to that purpose.

Express consent under CASL may be obtained orally or in writing. CASL puts the onus of proof upon an organization alleging that it holds express consent, obligating an organization to put forward evidence in its own favour or face regulatory consequences. CASL provides that a request for express consent is a CEM and therefore cannot be sent without consent.

Implied/Deemed Consent

GDPR

The GDPR provides that the control or processing of personal data is lawful absent express consent in certain circumstances analogous to implied/deemed consent under PIPEDA and the PIPAs.

For example, where processing of personal data is necessary for the performance of a contract to which the data subject is party, such processing is lawful even absent express consent.

PIPEDA

PIPEDA recognizes that consent may be implied or deemed in certain cases.

PIPEDA recognizes the validity of opt-out consent by way of pre-checked boxes in certain situations.

PIPEDA permits organizations to rely on implied or deemed consent depending on the circumstances, for example the reasonable expectations of individuals who purchase goods or services.

PIPAs

The PIPAs recognize that consent may be implied or deemed in certain cases.

Under the PIPAs, an individual is deemed to consent to the use, collection or disclosure of personal information for a particular purpose where the individual voluntarily provides information to an organization for such purpose, and it is reasonable that such person would voluntarily do so, among other situations.

The PIPAs recognize implied consent in various situations, including certain situations where an organization gives an individual notice of an intent to collect, use or disclose personal information, and the individual does not object after being given a reasonable opportunity to do so.

CASL

Unlike the principle-based forms of express consent under privacy statutes, CASL recognizes implied/deemed consent only in certain limited prescribed cases.

Under CASL, implied consent arises where a sender and recipient have an existing business relationship or an existing non-business relationship.

CASL provides that specific factual circumstances must exist in order for either of these relationships to form. CASL recognizes a limited form of implied consent where an individual discloses or publishes an electronic address without a disclaimer; note that this kind of implied consent is subject to certain restrictions on content.

CASL recognizes a limited form of deemed consent in specific circumstances related to referrals. This consent can only be used once before it expires.

CASL permits the holder of an express consent to share it with third parties in certain circumstances.

Exceptions to Consent

GDPR

The GDPR provides that there are exceptions from the requirement for consent in certain circumstances, including compliance with legal obligations and for the performance of official duties.

PIPEDA

PIPEDA also provides that there are exceptions from the requirement for consent in certain circumstances, including compliance with legal obligations and for law enforcement purposes.

PIPAs

The PIPAs also provide that there are exceptions from the requirement for consent in certain circumstances, including compliance with legal obligations and for law enforcement purposes.

CASL

CASL and its regulations create a variety of exceptions to the consent requirement, including for CEMs sent by a registered charity for the primary purpose of fundraising.

For a more general comparison between the GDPR, PIPEDA and the PIPAs, please see our previous post on this subject: Understanding the GDPR: A Comparison Between the GDPR, PIPEDA and PIPA.