The Office of the Information and Privacy Commissioner of Canada, along with the Privacy Commissioners of Alberta and British Columbia (the “Commissioners”), recently issued Guidelines for Online Consent (“Guidelines”).
The Commissioners were prompted to draft and release these Guidelines after privacy reviews “found significant shortcomings in how organizations communicate their privacy practices to consumers.” The Commissioners were concerned that individuals accessing websites and applications, especially through smartphones, tend to quickly click through privacy notifications and that detailed and complex privacy policies may not be easily understood by the average individual.
The Guidelines serve two purposes. The first is to educate organizations about their obligations to obtain consent under privacy legislation. When organizations obtain consent, privacy legislation requires them to tell individuals the purposes for which their personal information is being collected, how it will be used, and whether it will be disclosed further.
- Just-in-time notices are notices that appear when a request for a particular piece of personal information is made. For example, if an individual’s date of birth is requested, an organization would briefly explain, near the box where the information is entered, why this information is required.
The Commissioners also cautioned that organizations whose websites and applications are primarily accessed by children and youth should take additional care in explaining privacy policies and in managing the collection, use, and disclosure of personal information.
Overall, the purpose of the Guidelines is to encourage organizations to develop a new approach to online consent and provide online users with condensed and simplified information about privacy. Organizations should also pay particular attention when obtaining online consent if their website or application is primarily accessed by smartphone or used by children and youth. Lastly, while these Guidelines are not binding, they will likely be used by the Commissioners to evaluate whether an organization obtained online consent in the event of a complaint or a privacy breach.