The Office of the Information and Privacy Commissioner of Canada, along with the Privacy Commissioners of Alberta and British Columbia (the “Commissioners”), recently issued Guidelines for Online Consent (“Guidelines”).

The Commissioners were prompted to draft and release these Guidelines after privacy reviews “found significant shortcomings in how organizations communicate their privacy practices to consumers.” The Commissioners were concerned that individuals accessing websites and applications, especially through smartphones, tend to quickly click through privacy notifications and that detailed and complex privacy policies may not be easily understood by the average individual.

The Guidelines serve two purposes. The first is to educate organizations about their obligations to obtain consent under privacy legislation. Privacy legislation requires that, when obtaining consent, organizations provide individuals with information about the purposes for which their personal information is being collected, how it will be used, and whether it will be disclosed further.

The second purpose is to encourage organizations to tailor their communication of privacy practices to the online environment: only providing a link to a privacy policy may be inadequate. The Guidelines outline that consent can be obtained in any number of ways: for example, it may be express, such as through a check box, or implied by an individual’s behaviour, such as posting on a website or downloading an application. Organizations, however, are required to keep a record of an individual’s consent and how it was obtained.

The Guidelines also encourage organizations to take a dynamic approach to communicating their privacy practices and policies and suggest using “just in time notices” or “layered notices” in addition to providing a link to the privacy policy:

  1. Just in time Notices are notices which appear when a request for a particular piece of personal information is made. For example, if an individual’s date of birth is requested, an organization would briefly explain why this information was required near the box where the information needs to be inputted.
  2. Layered Notices are an executive summary of the important points of the privacy policy. An organization would initially direct individuals to the summary and provide individuals with the option to click through to the full privacy policy.

The Commissioners also cautioned that organizations whose websites and applications are primarily accessed by children and youth should take additional care in explaining privacy policies and in managing the collection, use, and disclosure of personal information.

Overall, the purpose of the Guidelines is to encourage organizations to develop a new approach to online consent and provide online users with condensed and simplified information about privacy. Organizations should also pay particular attention when obtaining online consent if their website or application is primarily accessed by smartphone or used by children and youth. Lastly, it is also important to note that while these Guidelines are not binding, they will likely be used by the Commissioners to evaluate whether an organization obtained online consent in the event of a complaint or a privacy breach.