Meaningful Consent

Meaningful Consent

The Office of the Privacy Commissioner of Canada’s Guidelines for obtaining meaningful consent became effective on January 1, 2019. The new guideline builds on examining the current state of consent in Canada (see Background section below), and is meant to assist businesses in distinguishing between those things an organization “must do” to obtain meaningful consent, and those things an organization “should do” related to consent.

The guideline is comprised of seven guiding principles for obtaining meaningful consent. These are:

1. Emphasize key elements (What personal information is being collected, with whom personal information is being shared, for what purposes personal information is collected, used or disclosed and risk of harm and other consequences);
2. Allow individuals to control the level of detail they get and when;
3. Provide individuals with clear options to say ‘yes’ or ‘no’;
4. Be innovative and creative;
5. Consider the consumer’s perspective;
6. Make consent a dynamic and ongoing process; and
7. Be accountable: Stand ready to demonstrate compliance.

Consent – Must Dos

The new guideline lists out the following things an organization must do in order to meet their obligations related to consent:

1. Make privacy information readily available in complete form, while giving emphasis or bringing attention to the four key elements (What personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to, with what parties personal information is being shared, for what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to and risks of harm and other consequences).

2. Provide information in manageable and easily-accessible ways.
3. Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service.
4. Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable.
5. Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties.
6. Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances.
7. Allow individuals to withdraw consent (subject to legal or contractual restrictions).

There are also requirements related to the form of consent and consent for children under the age of 13. 

Background

The new guideline builds on previous publications examining the current state of consent.

In May 2016, the Office of the Privacy Commissioner of Canada (OPC) published a discussion paper exploring potential enhancements to the Personal Information Protection and Electronic Documents Act (PIPEDA). The paper asked organizations, individuals and other interested parties to provide comments related to key issues and potential solutions to the consent model as currently formulated.

On June 15, 2017 the Office of the Privacy Commissioner of Canada (OPC) published a report on qualitative public opinion research conducted with Canadians on the issue of consent under the PIPEDA. The purpose of the research was to understand Canadians’ opinions, attitudes, and concerns with respect to consent.

It was noted that the question of consent became a recurring theme in discussions and emerged as the key measure used by participants for assessing what are acceptable or not acceptable uses of personal information by companies. There was widespread agreement among participants that consent implies both understanding and acceptance of terms and conditions related to the collection and use of their personal information.

On September 21, 2017, the OPC also published their Report on Consent in their 2016-17 Annual Report to Parliament. The report outlined recommendations to address consent challenges posed by the digital age.

Keep In Mind

Consent is one of the foundational elements of PIPEDA. To ensure your organization is always meeting requirements related to consent, you should be able to answer yes (and evidence) the following questions from the OPC’s PIPEDA Self-Assessment Tool related to consent, regardless of the types of products or services you offer:

• You obtain customer consent for any collection, use or disclosure of personal information.
• If you don’t obtain customer consent for the collection, use and disclosure of personal information, you have determined that it is not required under s.7 of PIPEDA.
• You make reasonable efforts to ensure that clients and customers are notified of the purposes for which personal information will be used or disclosed.
• You do not require clients and customers to consent to the collection, use or disclosure of personal information beyond what is necessary to fulfill explicitly specified and limited purposes as a condition of supplying a product or service.
• You assess the purposes and limit the collection, use and disclosure of personal information when it is required as a condition for obtaining a product or service.
• You obtain consent through lawful and fair means.
• You allow a client or customer to withdraw consent at any time subject to legal or contractual restrictions and reasonable notice.
• You inform clients and customers of the implication of the withdrawal of consent.
• You consider the sensitivity and intended use of personal information, and the reasonable expectations of clients and customers in determining which form of consent (implied or expressed) you will accept for the collection, use and disclosure of personal information.

It is important to note that evidence of consent should be retained in a manner that is easily retrievable and easily sortable.  

We’re Here To Help

If you have questions about this new guideline regarding your consent obligations under PIPEDA, or compliance in general, please contact us.