When a privacy policy is not enough: Canadian Privacy Commissioners issue new guidance on obtaining meaningful consent

Data Protection, Privacy and Security Alert

The Privacy Commissioners of Canada, Alberta and British Columbia have jointly issued guidelines to help organizations obtain meaningful consent from individuals for the collection, use and disclosure of their personal information.

The Guidelines, published earlier, came into effect in January 2019 and are now applied by the Commissioners when evaluating organizational conduct.

The impetus for these Guidelines likely arises in large part from the European Union’s General Data Protection Regulation (“GDPR”), which requires much greater transparency from organizations in order for consent provided by data subjects to be legally valid. In making clear that the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Alberta Personal Information Protection Act (“Alberta PIPA”), and the British Columbia Personal Information Protection Act (“BC PIPA”) will be interpreted by the respective Commissioners in a way that conforms to GDPR-like consent standards, the Commissioners have taken a solid step toward maintaining Canada’s adequacy status with the EU.

Interestingly, the Québec Commission d’accès à l’information did not join the other Commissioners in issuing these Guidelines. This is likely because the Québec Loi sur la protection des renseignements personnels dans le secteur privé (Act respecting the protection of personal information in the private sector) expressly requires that “consent to the collection, communication or use of personal information must be manifest, free, and enlightened, and must be given for specific purposes” (see section 14).

Guiding principles for a more transparent consent process

The Guidelines set out seven guiding principles for meaningful consent:

1. Emphasize key elements

The Guidelines state that organizations must identify for individuals what personal information is being, or may be, collected about them and for what purposes. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to. Disclosure to third parties must also be clearly explained.

Further, individuals must be able to understand the consequences of the collection, use or disclosure to which they are consenting. Meaningful risks must be identified; a risk is meaningful when it falls below the balance of probabilities but is more than a minimal or mere possibility, and such risks should be identified by the organization.

2. Allow individuals to control the level of detail they get and when

The Guidelines state that information must be provided to individuals in manageable and easily accessible ways, potentially including layers. This is because one person may be comfortable with a quick review of summary information, but others may need a “deeper dive.”

The Guidelines go on to state that the information should remain available to individuals as they engage with the organization, because consent choices are not made just once. At any time, individuals should be able to reconsider whether they wish to maintain or withdraw their consent. Full information should be available to them as they make those decisions.

3. Provide individuals with clear options to say “yes” or “no”

The Guidelines emphasize that individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. They must be given a choice about unnecessary collections, uses and disclosures. Previous Commissioner decisions indicate that the term “necessary” does not mean absolutely necessary (i.e. in the sense that it is literally not possible to provide the product/service without collecting, using or disclosing the personal information). Rather, the term “necessary” essentially means “reasonably necessary,” taking all relevant and legitimate factors into account.

For a collection, use or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purposes.

4. Be innovative and creative

The Guidelines say that organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.

While innovation and creativity are clearly worthy goals, it seems unlikely that the Commissioners would chastise an organization or find the organization to be in breach of the consent requirements in their respective legislation simply because the consent was not obtained in an innovative or creative manner. Accordingly, we suggest that organizations see this portion of the Guidelines as an encouragement or “challenge,” but not a strict legal requirement (indeed, the Guidelines note that some statements are intended to communicate “best practices”).

That said, the Guidelines make the fair point that mobile devices present an amplified communication challenge: individuals’ time and attention are at a premium and the medium does not lend itself to lengthy explanations. Accordingly, organizations need to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention in order to obtain informed and meaningful consent from individuals.

5. Consider the consumer’s perspective

The Guidelines point out that consent is only valid where the individual can understand that to which they are consenting. Accordingly, an organization’s consent processes must take into account the consumer’s perspective to ensure that the processes are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience. In order to do this effectively, the Guidelines suggest that organizations consider:

  1. consulting with users and seeking their input when designing a consent process;
  2. pilot testing or using focus groups to ensure individuals understand what they are consenting to;
  3. involving user interaction/user experience designers in the development of the consent process;
  4. consulting with privacy experts and/or regulators when designing a consent process; and/or
  5. following an established “best practice” standard or other guideline in developing a consent process.

6. Make consent a dynamic and ongoing process

The Guidelines emphasize that informed consent is an ongoing process that evolves as circumstances change. Organizations should not rely on a static moment in time but, rather, treat consent as a dynamic and interactive process. Thus, ensuring the effectiveness of individual consent does not end with the posting of a privacy policy or notice.

For example, when an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect.

The Commissioners recommend that organizations consider periodically reminding individuals about their privacy options and inviting them to review these options.

7. Be accountable – stand ready to demonstrate compliance

The Guidelines state that in order for an organization to demonstrate that it has obtained valid consent, it must be able to do more than point to a line buried in a privacy policy. Instead, organizations should be able to demonstrate – either in the case of a complaint from an individual or a practice query from a privacy regulator – that they have a process in place to obtain consent from individuals and that such process is compliant with the consent obligations set out in the applicable legislation.

Other considerations

In addition to the seven guiding principles described above, the Guidelines ask organizations to keep in mind the following:

  • Organizations need to consider the most appropriate form for consent – in other words, organizations must ask themselves: “Should the consent in this particular situation be express or implied?” While express consent is generally required, there are certain circumstances under which implied consent may be adequate.
  • The purposes for which an organization collects and uses personal information must be appropriate and defined. Consent is not everything.
  • Individuals have the right to withdraw consent, subject to legal or contractual restrictions. A withdrawal of consent may mean that data held by an organization about an individual should be deleted, depending on the circumstances.
  • Organizations must obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves. (The federal commissioner takes the position that, in all but exceptional circumstances, this means anyone under the age of 13).

DLA Piper (Canada) LLP’s Privacy Team stands by to assist your organization with privacy, data security and access to information issues. For further information, please contact the author or your relationship lawyer at DLA Piper.

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.