Last spring, the Office of the Privacy Commissioner of Canada released an important guidance document concerning meaningful consent. It now applies as of January 1, 2019. The goal of the guidance document is to provide practical and actionable advice for organizations to ensure they obtain meaningful consent in the online environment pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA).
What is consent?
Under section 6.1 of PIPEDA, “consent” of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
The main elements of consent are explained in clause 4.3 of Schedule 1. More specifically, Principle 3 – Consent emphasizes that, unless there is an exception, the knowledge and consent of an individual are required for the collection, use, or disclosure of personal information. An example of an exception is a situation where seeking consent may be impossible or inappropriate, such as when the individual is a minor, seriously ill, or mentally incapacitated.
Schedule 1 has several subclauses that elaborate on the concept of consent. For instance, clause 4.3.2 provides clarification regarding “knowledge and consent”. It states that organizations must make reasonable efforts to ensure that the individual is advised of the purposes for which the information will be used. That is, to make the consent meaningful, the purposes must be stated in such a way that the individual can reasonably understand how the information will be used or disclosed.
Another example is clause 4.3.7, which discusses the ways in which a person can provide consent. The clause states that there are several ways in which an individual can provide consent, namely by using: (I) an application form to seek consent, collect information, and inform the individual of the use that will be made of the information (completing and signing the form has the effect of giving consent to the collection and the specified uses); (II) a checkoff box to allow individuals to request that their names and addresses not be given to other organizations (where individuals do not check the box, it can be assumed that they consent to the transfer of the information to third parties); (III) consent that is given orally when information is collected over the telephone; or (IV) consent that is given at the time that individuals use a product or service.
Indeed, as mentioned in clause 4.3.4, the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations must take into account the sensitivity of the information.
More specifically, the Guidelines for obtaining meaningful consent set out seven guiding principles for meaningful consent. While the Privacy Commissioner recognizes that organizations are best placed to find innovative and creative solutions for developing a consent process that respects their specific obligations, the Privacy Commissioner expects organizations to act in accordance with the following principles:
- Emphasize key elements: organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full, and also in a form that allows individuals to quickly review, upfront and in a clear and understandable manner, the key elements that affect their privacy decisions. Organizations must put additional emphasis on the following key elements: (I) what personal information is being collected; (II) with which parties personal information is being shared; (III) for what purposes personal information is collected, used or disclosed; and (IV) the risks of harm and other consequences of the collection, use or disclosure to which they are consenting. Currently, there is no prescribed form in which the above elements should be highlighted so as to give them prominence, but the Privacy Commissioner encourages organizations to consider adopting standardized mechanisms so that best practices emerge in the future in different sectors.
- Allow individuals to control the level of detail they get and when: information must be provided to individuals in manageable and easily accessible ways, and individuals should be able to control how much more detail they wish to obtain, and when. It is important for organizations to respect all approaches taken by individuals, from quickly reviewing the information, to deeply reviewing the privacy practices of an organization, to quickly agreeing and reviewing later. Presenting the information in a layered format helps make it more understandable. The information is to remain available throughout the relationship with the individual so the individual can reconsider choices made or withdraw consent completely.
- Provide individuals with clear options to say ‘yes’ or ‘no’: individuals must be given a choice, and the choices must be explained. Collections, uses or disclosures of personal information over which the individual cannot assert any control (other than to not use a product or service) are called conditions of service. For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. It is important for organizations to be transparent and be prepared to explain why any given collection, use or disclosure is a condition of service, particularly if it is not obvious. For all other collections, uses and disclosures, individuals must be given a choice (unless an exception to the general consent requirement applies).
- Be innovative and creative: organizations are encouraged to use a variety of communications strategies to explain their privacy practices, including “just-in-time” notices, interactive tools, and customized mobile interfaces. More specifically, “just-in-time” notices address the issue of users feeling a sense of urgency when making decisions about sharing their information. Organizations are encouraged to bring relevant privacy information to the forefront where it is conspicuous, quick to access, and intuitive so these decisions can be made more comfortably. Interactive tools can be used when presenting privacy information, such as interactive walkthroughs of privacy settings at initial sign-up and periodically afterwards as refreshers, videos explaining key concepts, and infographics. Lastly, since mobile devices present an additional communication challenge, it is important for organizations to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention and need guidance the most. To that end, privacy information needs to be optimized to be effective in spite of the physical limitations of screen size.
- Consider the consumer’s perspective: it is important for consent processes to be user-friendly so the information provided is generally understandable from the point of view of the organization’s target audience. The information must be accessible, using clear explanations, a level of language suitable to a diverse audience, and a comprehensible means of displaying and communicating information. Accessibility includes ensuring that privacy policies and notices are easily accessible from all devices. In order to achieve these goals, organizations are encouraged to consider various options including: (I) consulting users for their input, (II) pilot testing ideas, (III) involving user interaction/user experience (UI/UX) designers in the development of the consent process, (IV) consulting with privacy experts and regulators, and (V) following established best practices, to name a few.
- Be accountable: stand ready to demonstrate compliance: it is important for organizations to always be ready to demonstrate compliance concerning the consent process. This involves being able to show individuals and regulators that they have a process in place to obtain consent from individuals, that such a process is compliant with the consent obligations set out in the legislation, and that there is compliance with the above-mentioned principles.
Moreover, the Privacy Commissioner highlights that it is important for organizations to consider the appropriate form of consent to use – express or implied – for any collection, use or disclosure of personal information for which consent is required.
Typically, consent should be express, but it can be implied in some rare circumstances. When making this important decision, organizations must consider the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on the context.
For the most part, organizations must obtain express consent when:
- the information being collected, used or disclosed is sensitive
- the collection, use or disclosure is outside of the reasonable expectations of the individual
- the collection, use or disclosure creates a meaningful residual risk of significant harm
The Privacy Commissioner also addresses consent and children; essentially, the Privacy Commissioner is of the view that for anyone under the age of 13, consent must be obtained from parents or guardians. For minors who are able to provide meaningful consent, consent can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly.
Lastly, the Privacy Commissioner emphasizes that the purposes for collection, use and disclosure of personal information must be appropriate and defined – even if consent is provided, the purposes must be such that a reasonable person would consider them appropriate in the circumstances. Also, it is important that individuals can withdraw consent subject to legal or contractual restrictions; this would have the effect of stopping any further collection or use of information, and perhaps even deleting information depending on the circumstances (some laws may require retention of information for certain periods of time).
What can employers do in light of this development?
The Privacy Commissioner has created a checklist to assist organizations in achieving compliance. More precisely, the above-mentioned measures can be separated into obligations arising from legal requirements (those things an organization must do to obtain meaningful consent) and best practices (those things an organization should consider in order to improve their consent process). Here is a list of these requirements and best practices:
To obtain meaningful consent and meet their related obligations under Canadian privacy law, organizations must:
- Make privacy information readily available in complete form, while giving emphasis or bringing attention to four key elements: (I) What personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to; (II) With which parties personal information is being shared; (III) For what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to; (IV) Risks of harm and other consequences
- Provide information in manageable and easily-accessible ways
- Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service
- Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable
- Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties
- Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances
- Allow individuals to withdraw consent (subject to legal or contractual restrictions)
- Obtain explicit consent for collections, uses or disclosures which generally: (I) involve sensitive information; (II) are outside the reasonable expectations of the individual; and/or (III) create a meaningful residual risk of significant harm
- Obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity
Organizations are recommended to improve their consent process by:
- Allowing individuals to control the amount of detail they wish to receive, and when
- Designing or adopting innovative and creative ways of obtaining consent, which are just-in-time, specific to the context, and suitable to the type of interface
- Reminding individuals periodically about the consent choices they have made, and those available to them
- Periodically auditing privacy communications to ensure they accurately reflect current personal information management practices
- Standing ready to demonstrate compliance – in particular, that the consent process is understandable from the perspective of the user
- When designing consent processes, considering: (I) Consulting with users and seeking their input; (II) Pilot testing or using focus groups to evaluate the understandability of documents; (III) Involving user interaction/user experience (UI/UX) designers; (IV) Consulting with privacy experts and/or regulators; and/or (V) Following established best practices or standards