On May 24, 2018, the Office of the Privacy Commissioner of Canada released an important guidance document concerning meaningful consent. Organizations should be aware that the Privacy Commissioner will begin applying it on January 1, 2019. The document provides practical and actionable advice for organizations to ensure they obtain meaningful consent in the online environment pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA).
More specifically, the Guidelines for obtaining meaningful consent provide guidance regarding what organizations should do to ensure that they obtain meaningful consent in light of advancing technology and remain in compliance with PIPEDA. The document was created following extensive consultations with stakeholders and sets out seven guiding principles for meaningful consent. While the Privacy Commissioner recognizes that organizations are best placed to find innovative and creative solutions for developing a consent process that respects their specific obligations, the Privacy Commissioner expects organizations to act in accordance with the following principles:
- Emphasize key elements: organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full, and also in a form that allows individuals to quickly review, upfront and in a clear and understandable manner, the key elements impacting their privacy decisions. Organizations must put additional emphasis on the following key elements: (I) what personal information is being collected; (II) with which parties personal information is being shared; (III) for what purposes personal information is collected, used or disclosed; and (IV) the risks of harm and other consequences of the collection, use or disclosure to which they are consenting. Currently, there is no prescribed form in which the above elements should be highlighted so as to give them prominence, but the Privacy Commissioner encourages organizations to consider adopting standardized mechanisms so that best practices emerge in the future in different sectors.
- Allow individuals to control the level of detail they get and when: information must be provided to individuals in manageable and easily-accessible ways, and individuals should be able to control how much more detail they wish to obtain, and when. It is important for organizations to respect all approaches taken by individuals, from quickly reviewing the information, to deeply reviewing the privacy practices of an organization, to quickly agreeing and reviewing later. Presenting the information in a layered format helps make it more understandable. The information is to remain available throughout the relationship with the individual so the individual can reconsider choices made or withdraw consent completely.
- Provide individuals with clear options to say ‘yes’ or ‘no’: individuals must be given a choice, and the choices must be explained. Collections, uses or disclosures of personal information over which the individual cannot assert any control (other than to not use a product or service) are called conditions of service. For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. It is important for organizations to be transparent and be prepared to explain why any given collection, use or disclosure is a condition of service, particularly if it is not obvious. Otherwise, for all other collections, uses and disclosures, individuals must be given a choice (unless an exception to the general consent requirement applies).
- Be innovative and creative: organizations are encouraged to use a variety of communications strategies to explain their privacy practices, including “just-in-time” notices, interactive tools, and customized mobile interfaces. More specifically, “just-in-time” notices address the issue of users feeling a sense of urgency when making decisions about sharing their information. Organizations are encouraged to bring relevant privacy information to the forefront where it is conspicuous, quick to access, and intuitive so these decisions can be made more comfortably. Interactive tools can be used when presenting privacy information, such as interactive walkthroughs of privacy settings at initial sign-up and periodically afterwards as refreshers, videos explaining key concepts, and infographics. Lastly, since mobile devices present an additional communication challenge, it is important for organizations to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention and need guidance the most. To that end, privacy information needs to be optimized to be effective in spite of the physical limitations of screen size.
- Consider the consumer’s perspective: it is important for consent processes to be user-friendly so the information provided is generally understandable from the point of view of the organization’s target audience. The information must be accessible, using clear explanations, a level of language suitable to a diverse audience, and a comprehensible means of displaying and communicating information. Accessibility includes ensuring that privacy policies and notices are easily accessible from all devices. In order to achieve these goals, organizations are encouraged to consider various options including: (I) consulting users for their input, (II) pilot testing ideas, (III) involving user interaction/user experience (UI/UX) designers in the development of the consent process, (IV) consulting with privacy experts and regulators, and (V) following established best practices, to name a few.
- Be accountable and stand ready to demonstrate compliance: it is important for organizations to always be ready to demonstrate compliance concerning the consent process. This involves being able to show individuals and regulators that they have a process in place to obtain consent from individuals, that such process is compliant with the consent obligations set out in the legislation, and that there is compliance with the above-mentioned principles.
Moreover, the Privacy Commissioner highlights that it is important for organizations to consider the appropriate form of consent to use – express or implied – for any collection, use or disclosure of personal information for which consent is required.
Typically, consent should be express, but it can be implied in some rare circumstances. When making this important decision, organizations must consider the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on the context.
For the most part, organizations must obtain express consent when:
- the information being collected, used or disclosed is sensitive
- the collection, use or disclosure is outside of the reasonable expectations of the individual
- the collection, use or disclosure creates a meaningful residual risk of significant harm
The Privacy Commissioner also addresses consent and children; essentially, the Privacy Commissioner is of the view that for anyone under the age of 13, consent must be obtained from parents or guardians. For minors who are able to provide meaningful consent, consent can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly.
Lastly, the Privacy Commissioner emphasizes that the purposes for collection, use and disclosure of personal information must be appropriate and defined – even if consent is provided, the purposes must be such that a reasonable person would consider them appropriate in the circumstances. Also, it is important that individuals can withdraw consent subject to legal or contractual restrictions; this would have the effect of stopping any further collection or use of information, and perhaps even deleting information depending on the circumstances (some laws may require retention of information for certain periods of time).
What can employers take from this development?
As can be seen from the above discussion, it is important for organizations to be aware of these guiding principles regarding meaningful consent, given that they will begin to apply on January 1, 2019.
This is a significant responsibility, and the Privacy Commissioner has created a checklist to assist organizations in achieving compliance. More specifically, the above-mentioned measures can be separated into obligations arising from legal requirements (those things an organization must do to obtain meaningful consent) and best practices (those things an organization should consider in order to improve their consent process). Here is a list of these requirements and best practices:
To obtain meaningful consent and meet their related obligations under Canadian privacy law, organizations must:
- Make privacy information readily available in complete form, while giving emphasis or bringing attention to four key elements: (I) What personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to; (II) With which parties personal information is being shared; (III) For what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to; (IV) Risks of harm and other consequences
- Provide information in manageable and easily-accessible ways
- Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service
- Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable
- Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties
- Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances
- Allow individuals to withdraw consent (subject to legal or contractual restrictions)
- Obtain explicit consent for collections, uses or disclosures which generally: (I) involve sensitive information; (II) are outside the reasonable expectations of the individual; and/or (III) create a meaningful residual risk of significant harm
- Obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity
These are the things that organizations are recommended to do in order to improve their consent process:
- Allow individuals to control the amount of detail they wish to receive, and when
- Design or adopt innovative and creative ways of obtaining consent, which are just-in-time, specific to the context, and suitable to the type of interface
- Periodically remind individuals about the consent choices they have made, and those available to them
- Periodically audit privacy communications to ensure they accurately reflect current personal information management practices
- Stand ready to demonstrate compliance – in particular, that the consent process is understandable from the perspective of the user
- In designing consent processes, consider: (I) Consulting with users and seeking their input; (II) Pilot testing or using focus groups to evaluate the understandability of documents; (III) Involving user interaction/user experience (UI/UX) designers; (IV) Consulting with privacy experts and/or regulators; and/or (V) Following established best practices or standards