The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law which sets out how businesses are required to handle personal information of individuals in the course of commercial activity. According to PIPEDA, businesses must obtain 'meaningful consent' from individuals for the collection, use or disclosure of their personal information.
The definition of 'meaningful consent' has been a source of confusion, particularly with the advancement of digital technologies and the wealth of data being collected and stored online. What does 'meaningful consent' actually mean and how does a business go about obtaining it from individuals? The Office of the Privacy Commissioner of Canada, along with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia, have released new guidelines for obtaining meaningful consent which come into effect as of January 1, 2019.
According to these guidelines, there are seven principles that organizations must follow in their processes for seeking meaningful consent for the collection, use and/or disclosure of personal information.
1. Highlight key points of your privacy policy.
Although you must make your company's privacy policy readily available in its entirety, doing so on it's own is not enough to establish meaningful consent. Emphasize upfront the aspects of your privacy policy that have the most impact on affected individuals including what information is collected, how it'll be used, the parties that will have access to the information along with the potential risks involved.
2. Allow individuals control over the level of detail they wish to see.
Give individuals the ability to get as much or as little detail as they want regarding how their personal information will be treated. It's recommended that businesses make their privacy practices available in a layered format that is easily accessible anytime.
3. Provide a clear choice to consent or not.
You cannot require individuals to give consent to collection, use or disclosure of their personal information beyond what is required to provide your product or service. It must be clear to individuals that they have a choice and easy for them to provide consent or not.
4. Be innovative and creative.
Organizations are encouraged to leverage the latest technologies in digital platforms and communication channels to present their policies. Rather than simply creating online versions of your written policies, make use of the dynamic capabilities that an online environment allows such as "just-in-time” notices, interactive tools and customized mobile interfaces.
5. Consider the individual's perspective.
The information organizations provide during the consent process should be easily understandable, accessible and customized to the product or service being provided. It's important to remember that consent is only valid when the individual actually understands what specifically they are providing consent for.
6. Your consent process should change over time.
Don't 'set it and forget it.' Your consent process should be adapting over time to changes that your company undergoes. Organizations should be periodically auditing and updating their privacy practices, inviting individuals to review their privacy policies, updating FAQs and notifying individuals of any changes to privacy policies. Again, companies are encouraged to leverage technology (i.e. smart tech, chatbots, etc.).
7. Be accountable.
Organizations must be able to demonstrate compliance with how they obtain consent. They must show that they have implemented procedures and processes in order to comply with guidelines from the Privacy Commissioner.
In addition to the above seven principles, it's also important for businesses to remember:
- Should an individual wish to withdraw consent, you must comply by stopping any further collection, use or disclosure of the individual's personal information and delete the information collected (in most cases).
- Despite any waivers to the contrary, organizations are never exempt from complying with privacy laws.
- In most cases, you must obtain consent by a parent or guardian regarding personal information of children under the age of 13.
For more details and to view the guidelines in full, please see "Guidelines for obtaining meaningful content" on the Office of the Privacy Commissioner of Canada's official website.
