Privacy compliance is top of mind, not the least of all because of GDRP and Canada’s new mandatory breach notification rules. While you are updating your practices and procedures, do not forget that the Guidelines for obtaining meaningful consent (the “Guidelines”) will apply starting on January 1, 2019. If you are not obtaining meaningful consent, you may lose the ability to handle personal information that you need to operate your business. To help, here are five tips to help you obtain meaningful consent for handling personal information.
- Sensitive information, like health information, financial information, or large volumes of information;
- Information that creates “a meaningful residual risk of significant harm,” like potentially embarrassing information that is at high risk of unauthorized access; and
- Outside of the reasonable expectations of the individual, like when you monitor an individual where they would typically expect privacy.
TIP: Involve your privacy officer each time you change your practices, particularly to help you understand when you may need fresh consent.
TIP: Consider an ‘executive summary’ style version that allows the reader to take away high points and read the full policy if they wish.
The Guidelines strongly encourage seeking feedback.
TIP: Consult users and seek their input with focus groups and consult experts.
3. Communicate the risk
The Guidelines say you should let individuals know the “risk of harm and other consequences,” and “in particular, those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms.” That means you should:
- Consider what personal information you are collecting;
- Consider how your risk mitigation processes work and if they leave any “residual risks”; and
TIP: Each time an individual provides you with personal information, remind them of how you will handle it and any associated risk.
4. Keep track
Keep track of how you meet the Guidelines. An organization can demonstrate compliance by showing how their consent processes appropriately emphasize and meet the Guidelines’ expectations. The expectations will be higher for large organizations and organizations of any size that handle high volumes of personal information or sensitive personal information.
TIP: The regulator might call, so be ready to show your work. Your internal processes and policies should show how you obtain meaningful consent from individuals and what you did to comply with the Guidelines.
5. Think of the children
Persons under age 13 cannot provide meaningful consent (save for in exceptional circumstances). You need a parent or guardian to consent on their behalf. If you are collecting personal information from persons under age 18, tailor your communications so they can understand what they are consenting to, including any risks involved.
By Miranda Lam and Jade Buchanan
- Quebec’s Law 25 and cookies: Not so cookie cutter - November 20, 2023
- Sweeping privacy reform comes into force in Quebec - October 27, 2023
- Legality of search engines and AI systems under PIPEDA and CPPA: Google v Privacy Commissioner - October 23, 2023