5 October 2017
The Office of the Privacy Commissioner of Canada (‘OPC’) released, on 28 September 2017, draft guidance on obtaining meaningful online consent (‘the Consent Guidance’) under the Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’). The Consent Guidance, which outlines measures for organisations to implement when collecting personal data in the online environment, follows the OPC’s consultation on consent under PIPEDA (‘the Consultation’), the results of which were published in the OPC’s annual report last week.
Keith Rose, Associate at McCarthy Tetrault LLP, told DataGuidance, “Broadly speaking, the OPC is addressing the challenge of applying a principle-driven regulatory framework in a complex and rapidly-evolving technological environment, which is the same challenge that businesses and practitioners face. The Guidance aims to promote a more dynamic and nuanced approach to consent, in which individuals have meaningful choices about how their personal information is collected, used, and disclosed, and the ability to reconsider those choices over time. The Guidance also puts organisations on notice that they may be called upon to demonstrate the effectiveness of the measures they take to obtain informed consent.”
In particular, the Consent Guidance emphasises the use of flexible methods to gain consent and privacy policies, based around ensuring individuals understand the nature, purpose and consequences of what they are consenting to. It emphasises seven principles in doing so, which include identifying what personal information is being collected, with which parties personal information is shared, and the risk of harm to individuals in doing so.
Éloïse Gratton, Partner and National Co-Leader of the Privacy and Data Protection Practice Group at Borden Ladner Gervais, commented, “The OPC believes that privacy policies serve a range of important legal purposes, in order to hold organisations accountable for their personal information management practices and has issued guiding principles for organisations to follow in developing privacy policies. In particular, the OPC believes that the form of consent, express vs. implied, should depend on the sensitivity of the information and the reasonable expectations of individuals. Moreover, incorporating the notion of the risk of harm into Canadian data protection law [as the OPC suggests] will be useful in providing a framework under which our laws remain efficient in light of modern technologies and the Internet.”
The Consent Guidance also suggests other practices organisations should implement for valid consent to be obtained, including providing tailored notices to individuals when their information is used, and being able to demonstrate that they have obtained valid consent, beyond the inclusion of relevant provisions in their privacy policies.
Rose concluded, “Beyond providing easily-digestible up-front information on the key elements identified by the Guidance, organisations will need to think about a deeper integration of privacy management issues into how choices about how personal data is collected, used, or disclosed are built into user interactions. In turn, this means that organisations will need to embed their privacy and data protection advisors into their project teams, as an integral part of their product or service lifecycle. Finally, organisations should take note that the OPC is strongly signalling a more proactive and inquisitive approach to enforcement. Although there may be questions about how far the OPC’s existing powers can be stretched, it is actively seeking legislative changes to its investigative and enforcement toolbox.”
Kaveh Lahooti | Privacy Analyst