Happy New Year! The Bar is raised on obtaining consent under Canadian federal privacy law
Privacy Commissioner issues guidance on their understanding of meaningful consent, which they’ll begin to implement and enforce in 2019
The Office of the Privacy Commissioner of Canada (the “OPC”) has released “Guidelines for obtaining meaningful consent,” which it says it will begin to enforce as of January 1, 2019. This follows a round of consultations carried out by the OPC beginning in 2016.
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is principles-based and has a lot of flexibly in its application. Consent can be implied or express, depending on a range of factors. However, recent amendments to the Act have added to the requirements for obtaining consent and what is sufficient:
6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
The OPC Guidelines focus on 7 principles:
- Emphasize Key Elements: what personal information is being collected, with which parties personal information is being shared, for what purposes personal information is collected, used or disclosed, and the risk of harm or other consequences.
- Allow individuals to control the level of detail they get and when (e.g. layering documents, being able to return to the policy)
- Provide individuals with clear options to say ‘yes’ or ‘no’
- Be innovative and creative: consider using “just in time” notices (offering an explanation and asking for consent at the time an action is to be taken, rather than as a blanket upon first engagement with the service), interactive tools, customized mobile interfaces
- Consider the consumer’s perspective
- Make consent a dynamic and ongoing process (e.g. privacy check-ups)
- Be accountable – stand ready to demonstrate compliance
The OPC guidelines also say that there children are involved organizations must take precautions to ensure that minors providing consent have the capacity to do so, and that individuals lacking that capacity are supported by the consent of a parent or guardian. The OPC is of the view that children under 13 lack the capacity to consent.