On May 24, 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) released its finalized consent guidelines, as well as guidance on certain “no-go zones” under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
PIPEDA provides that the “knowledge and consent” of an individual are required for the collection, use, or disclosure (collectively “Processing”) of his/her personal information, and also that “consent is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” The “Guidelines for obtaining meaningful consent”, which the OPC issued jointly with the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner of British Columbia, set out both mandatory and suggested steps for organizations to obtain “meaningful” consent.
In addition, section 5(3) of PIPEDA provides that an organization is only permitted to collect, use or disclose personal information for purposes that a reasonable person would consider to be appropriate in the circumstances. This reasonableness requirement is separate and apart from the consent requirements under PIPEDA, which means that an organization may be in contravention of PIPEDA even if it obtains consent for unreasonable Processing of personal information. The OPC’s “Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)” sets out five “no-go” zones that it would generally consider to be contrary to the PIPEDA reasonableness requirement.
Set out below is a high level overview of the OPC’s two new guidance documents, as well as key steps organizations should take to avoid enforcement action.
Guidelines for Obtaining Meaningful Consent – To be applied by the OPC beginning on January 1, 2019
On a number of occasions the OPC has expressed concerns about organizations relying upon long and legalistic privacy policies as the basis for Processing personal information. The Guidelines for Obtaining Meaningful Consent (“Consent Guidelines”) are intended to “breathe life” into the ways in which consent is obtained, by providing organizations with seven guiding principles that the OPC expects organizations to follow.
Overall, these principles are intended to provide businesses with the flexibility to design their own consent processes, provided that they create simple, readable privacy notices and policies that their consumers can understand.
The seven guiding principles are as follows:
- Emphasize key elements
Information about Processing of personal information must be readily available in complete form, but organizations should also avoid information overload. Therefore, individuals must be able to quickly review key elements impacting their privacy decisions, up front, including:
- What personal information is being collected. This must be defined with “sufficient precision.”
- With which parties personal information is being shared, including the types of information being shared. In particular, organizations should specify any disclosures to a third party that may use the information for its own purpose.
- The purpose of the data Processing. “Sufficient detail” must be provided, and purposes that are integral to the service should be distinguished from ancillary purposes.
- Any risk of harm or other potential consequences to the individual. This includes only “meaningful risks” of significant harm, which are residual risks that fall below the balance of probabilities (but are more than a mere possibility), after the organization makes reasonable mitigation efforts. Significant harm includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
The OPC has indicated that emphasizing the above four points is a mandatory requirement to meet the consent requirements of PIPEDA.
- Allow individuals to control the level of detail they get and when
Different individuals will require different amounts of information in order to make consent decisions. Privacy information should be layered so consumers can review it quickly, but obtain more information if they wish to do so. Also, the information should remain available to individuals throughout their relationship with the organization, and they should have the opportunity to re-consider their consent choices.
- Provide individuals with clear options to say ‘yes’ or ‘no’
Individuals can only be required to provide personal information that is essential to the product or service being offered. If the personal information is not essential, individuals must be able to easily opt-out. If the personal information is integral to the product or service, the organization must explain why this is the case.
- Be innovative and creative
Organizations should take advantage of digital capabilities in order to create dynamic, user-friendly consent processes that are appropriate to the user interface. Organizations might consider adopting “just-in-time” notices, interactive tools (e.g., videos, infographics), and customized mobile interfaces.
- Consider the consumer’s perspective
Consent processes must be user-friendly and customized to the organization’s target audience. This may involve seeking user input, pilot testing consent processes, consulting with privacy experts or regulators, and/or following an established best practice.
- Make consent a dynamic and ongoing process
- Be accountable: Stand ready to demonstrate compliance
In addition to these seven “guiding principles,” the Consent Guidelines describe some additional considerations applicable to obtaining valid consent, including:
- In determining the appropriate form of consent, the sensitivity of the information and the reasonable expectations of individuals must be taken into account.
- Organizations generally must obtain express consent if the information is sensitive, or if the Processing of the information is outside the individual’s reasonable expectations or gives rise to a meaningful residual risk of significant harm.
- For children under the age of 13, consent must be obtained from a parent or guardian in most circumstances.
- Even with consent, organizations cannot Process information for a purpose that a reasonable person would consider to be inappropriate.
- If an individual withdraws their consent, the organization must stop collecting further data and should delete existing personal information where possible.
- “Consent is not a silver bullet”. PIPEDA contains other obligations, such as those related to accountability, collection limitation, accuracy and safeguards.
Finally, in response to input received from stakeholders on the draft consent guidelines that were released last year, the OPC provided a “checklist” of things that organizations “must do” versus those that they “should do” for compliance with PIPEDA. This checklist indicates whether the OPC believes that each of the above points is mandatory for legal compliance, versus a recommendation on best practices.
Key Steps for Organizations
The OPC has indicated that the reason for providing that the Consent Guidelines will apply beginning on January 1, 2019, is because they understand that organizations will need to amend their consent processes to comply. However, as any organization that recently underwent a GDPR compliance initiative will know, amending privacy policies and practices will take time. Therefore, all organizations should act promptly to review the Consent Guidelines (especially the “must do” list), and review their existing consent processes to determine and implement any necessary modifications.
Guidance on Inappropriate Data Practices: Interpretation and Application of s. 5(3) – To be applied by the OPC beginning on July 1, 2018.
Section 5(3) of PIPEDA states that: “an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.” Therefore, even with an individual’s consent, personal information can only be Processed for appropriate purposes. In the OPC’s view, this section of PIPEDA separates legitimate forms of information management from unlawful “no-go zones.” The Guidance on Inappropriate Data Practices: Interpretation and Application of s. 5(3) (the “No-go Guidance”) sets out the OPC’s interpretation of s. 5(3), as informed by prior court decisions, and sets out the no-go zones that would generally be considered to be noncompliant with PIPEDA.
Overall, according to the No-go Guidance, the guiding principle in applying section 5(3) is that individuals’ privacy rights should be balanced against the organization’s need to Process personal information.
Similar to the Consent Guidelines, the No-go Guidance clearly indicates that organizations must show that Processing of personal information is reasonable in the circumstances, even if individuals have consented to such Processing.
In determining whether the purposes for Processing personal information are appropriate in the circumstances, courts will take into account the specific factual circumstances, including:
- The sensitivity of the personal information;
- Whether the information was collected for a bona fide business need;
- Whether the information effectively meets that business need;
- Whether there are less invasive means of achieving that same end; and
Based on the above, the No-go Guidance sets out six “no-go zones”, which the OPC currently considers to be offside PIPEDA.
- Collection, use or disclosure that is otherwise unlawful
Organizations should be aware of Canada’s federal and provincial laws, and should not Process personal information in any way that violates those laws. For example, organizations cannot Process personal information in a manner that violates credit reporting laws, nor can they require individuals to undergo genetic testing or disclose testing results.
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law
Data analytics, or other profiling/categorization, which leads to discrimination contrary to human rights laws is generally considered inappropriate under PIPEDA. Unfair or unethical profiling/categorization that does not violate human rights laws may also be found to be inappropriate, and will be assessed on a case-by-case basis.
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual
Data collection is not appropriate where it is certain or likely to cause significant harm to the individual, including: bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, identity theft, and/or loss of or damage to property.
- Publishing personal information with the intended purpose of charging individuals for its removal
Organizations cannot publish sensitive personal information online for the primary purpose of charging individuals for its removal. This amounts to blackmail, and has previously been declared offside PIPEDA.
- Requiring passwords to social media accounts for the purpose of employee screening
Employers cannot require job applicants or employees to disclose their social media passwords for the purposes of obtaining or maintaining employment.
- Surveillance by an organization through audio or video functionality of the individual’s own device
Even with the individual’s consent, organizations cannot collect audio, text, or video information from an individual’s phone or computer. However, it may be permissible for the audio or video functionality of a device to be regularly or constantly turned on if necessary to provide a service, if the individual is fully aware of and in control of this function; provided that the information is not recorded, used, disclosed or retained except for the purpose of providing the service.
Key Steps for Organizations
The OPC has provided only a short transition period before it will begin applying the No-go Guidance, on the basis that these prohibited practices are consistent with prior interpretations of PIPEDA. Therefore, organizations should evaluate their current information handling practices before July 1, 2018, to ensure that they do not engage in any Processing of personal information that could fall within any of the OPC’s no-go zones.