What Does 'Meaningful Consent' Under PIPEDA Mean for Businesses Today?

New guidelines for obtaining meaningful consent have been released which will apply as of January 1, 2019.
Categories: Business Insights
Aug 1st, 2018 | By: CapriCMW

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law which sets out how businesses are required to handle personal information of individuals in the course of commercial activity. According to PIPEDA, businesses must obtain 'meaningful consent' from individuals for the collection, use or disclosure of their personal information.

The definition of 'meaningful consent' has been a source of confusion, particularly with the advancement of digital technologies and the wealth of data being collected and stored online. What does 'meaningful consent' actually mean and how does a business go about obtaining it from individuals? The Office of the Privacy Commissioner of Canada, along with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia, have released new guidelines for obtaining meaningful consent which come into effect as of January 1, 2019. 

According to these guidelines, there are seven principles that organizations must follow in their processes for seeking meaningful consent for the collection, use and/or disclosure of personal information. 

1. Highlight key points of your privacy policy.

Although you must make your company's privacy policy readily available in its entirety, doing so on it's own is not enough to establish meaningful consent. Emphasize upfront the aspects of your privacy policy that have the most impact on affected individuals including what information is collected, how it'll be used, the parties that will have access to the information along with the potential risks involved.

2. Allow individuals control over the level of detail they wish to see.

Give individuals the ability to get as much or as little detail as they want regarding how their personal information will be treated. It's recommended that businesses make their privacy practices available in a layered format that is easily accessible anytime. 

3. Provide a clear choice to consent or not.

You cannot require individuals to give consent to collection, use or disclosure of their personal information beyond what is required to provide your product or service. It must be clear to individuals that they have a choice and easy for them to provide consent or not.

4. Be innovative and creative.

Organizations are encouraged to leverage the latest technologies in digital platforms and communication channels to present their policies.  Rather than simply creating online versions of your written policies, make use of the dynamic capabilities that an online environment allows such as "just-in-time” notices, interactive tools and customized mobile interfaces.

5. Consider the individual's perspective.

The information organizations provide during the consent process should be easily understandable, accessible and customized to the product or service being provided. It's important to remember that consent is only valid when the individual actually understands what specifically they are providing consent for.

6. Your consent process should change over time. 

Don't 'set it and forget it.' Your consent process should be adapting over time to changes that your company undergoes. Organizations should be periodically auditing and updating their privacy practices, inviting individuals to review their privacy policies, updating FAQs and notifying individuals of any changes to privacy policies. Again, companies are encouraged to leverage technology (i.e. smart tech, chatbots, etc.).

7. Be accountable.

Organizations must be able to demonstrate compliance with how they obtain consent. They must show that they have implemented procedures and processes in order to comply with guidelines from the Privacy Commissioner.

In addition to the above seven principles, it's also important for businesses to remember:

  • Should an individual wish to withdraw consent, you must comply by stopping any further collection, use or disclosure of the individual's personal information and delete the information collected (in most cases). 
  • Despite any waivers to the contrary, organizations are never exempt from complying with privacy laws.
  • In most cases, you must obtain consent by a parent or guardian regarding personal information of children under the age of 13.


For more details and to view the guidelines in full, please see "Guidelines for obtaining meaningful content" on the Office of the Privacy Commissioner of Canada's official website.

Recent Blog Posts

Business Insurance / Construction, Real Estate, mass timber, sustainable housing
BC Proposes Building Code Changes to Allow 18-Storey Mass Timber Buildings

The provincial government has proposed changes to the British Columbia Building and Fire Codes (BC…

Dec 27th, 2023 | By: CapriCMW
Business Insurance / Small Business, SME, commercial property
Applications Open for BC's Securing Small Business Rebate Program

As of November 22, 2023, small businesses in BC can apply for a new provincial rebate to help them…

Dec 12th, 2023 | By: CapriCMW
Employee Benefits / employment law, employee benefts, pay transparency, pay equity
New Pay Disclosure Requirements Now in Effect for BC Employers

As of November 1, 2023, employers are required to include wage or salary ranges in job postings open…

Nov 16th, 2023 | By: CapriCMW
Search the Blog

Confidence and Freedom

At CapriCMW, we provide personalized insurance and custom risk solutions to give you the confidence and freedom to focus on what matters to you. Talk to an Advisor or get a quote today.

Get a Quote    Or call 1-800-670-1877

Can’t find what you are looking for? Ask us!