Meaningful consent is a cornerstone of Canadian private sector privacy legislation. Meaningful consent to collect, use and disclose personal information is one of, if not ‘the’ central unifying concept of our private sector privacy laws. Meaningful consent can be a challenge in today’s digital world, with small screens and increasing reliance on lengthy privacy policies. To help organizations stand up to the challenge, the Office of the Privacy Commissioner of Canada (the “OPC”) in connection with the Offices of the Privacy Commissioner of Alberta and British Columbia released the Guidelines for obtaining meaningful consent (the “Consent Guidelines”). The Consent Guidelines are intended to provide practical and actionable guidance for organizations to obtain meaningful consent under the federal private sector legislation, the Personal Information Protection and Electronic Documents Act ("PIPEDA").
The Consent Guidelines encourage businesses to be creative and innovative when developing a consent process, and set out the following seven guiding principles.
- What personal information is being collected,
- With which parties personal information is being shared,
- For what purposes personal information is collected, used or disclosed, and
- Risk of harm and other consequences.
- Allow individuals to control the level of detail they get and when. Provide individuals with information in a manageable and easily accessible way that allows the individual to control how much more detail they wish to obtain and when.
- Provide individuals with clear options to say ‘yes’ or ‘no’. Recall that individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or services. Unless an exception applies, for all other collections, uses and disclosures, individuals must be given a choice. Organizations should assess whether opt-in or opt-out consent is appropriate. In the Consent Guidelines, the OPC gives further insight on determining the appropriate form of consent and encouraged organizations to consider the sensitivity of the information, the reasonable expectations of the individual and the risk of significant harm when making that determination.
- Be innovative and creative. Organizations should do more than simply post their paper-based policies online. Organizations should consider a variety of communication strategies, like just-in-time notices, interactive tools and customized mobile interfaces, to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention and need guidance.
- Make consent a dynamic and ongoing process. Informed consent is an ongoing process that changes as circumstances change. When introducing significant changes to its privacy practices, organizations should notify users and obtain consent prior to the changes coming in to effect.
- Be accountable: Stand ready to demonstrate compliance. Organizations should be able to demonstrate (both in response to a complaint from an individual or a proactive query from a privacy regulator) that they have processes in place to obtain consent and that those processes are compliant with the legislation.
The Consent Guidelines also contain a checklist to help guide organizations in their compliance efforts. Organizations should pay particular attention to the “must do” list.
Now is the time to familiarize yourself with the Consent Guidelines, and ensure your practices are compliant, as the OPC will begin to apply them on January 1, 2019.