In April 2018, we reported that the data breach notification, reporting and record-keeping requirements in Canada’s Digital Privacy Act (DPA) come into force on November 1, 2018. 

Firms also should be aware that the Privacy Commissioner of Canada has issued Guidelines for Obtaining Meaningful Consent (Guidelines) regarding the collection, use and disclosure of personal data, and it will begin applying those Guidelines on January 1, 2019. The Guidelines outline seven principles for organizations to consider in developing, maintaining and enforcing policies, procedures and practices in this area. In very general terms, the seven principles are:

1.       Emphasize key elements to improve understanding;

2.       Allow individuals to control the level of detail they get and when they get it;

3.       Provide clear options to say “yes” or “no”;

4.       Use innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used;

5.       Consider the content of privacy communications and their accessibility from the consumer’s perspective;

6.       Make consent and ongoing and dynamic process; and

7.       Be accountable and ready to demonstrate compliance.

The Guidelines address additional topics, such as the circumstances in which express consent is required, factors to consider in determining whether information is sensitive, obtaining consent from children, and the implications of withdrawn consent.