Consent: Is It Meaningful?

Obtaining meaningful consent is fundamental to any organization’s use, collection and disclosure of personal information.  Failure to obtain meaningful consent may lead to severe regulatory consequences.  A very recent and high profile example of the consequences is that on January 21, 2019, Google was fined for €50 million for breaching the European Union’s General Data Protection Regulation (“GDPR”) for its lack of proper consent from users for targeted advertising and its lack of transparency as to how user data is processed.  While most Canadian organizations do not have the same business model as Google and are also not subject to the GDPR, the same issues exist in Canada.  In Canada, the Office of the Privacy Commissioner of Canada (“OPC”) has recently required Canadian organizations to become much more focused on the process they use to achieve OPC’s requirement of obtaining meaningful consent from users.  This is fundamental to OPC’s Canadian private sector privacy regulation.  It means the user must know, understand and consent to the nature, purpose and consequences of the collection, use or disclosure of the user’s personal information to which he or she is consenting.[1]

On January 1, 2019, OPC began to apply a set of new guidelines for obtaining meaningful consent to the collection, use and possible disclosure of personal information (the “Guidelines”) that were issued by OPC with the Offices of the Privacy Commissioner of Alberta and British Columbia on May 24, 2018.   All private sector businesses in Canada subject to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) or its substantially similar provincial counterparts, the Alberta Personal Information Protection Act and the British Columbia Personal Information Protection Act (“BC PIPA”), are expected to follow the Guidelines.  Although the Guidelines were published in the context of PIPEDA, organizations subject to its provincial counterparts, particularly those that collect, use or disclose sensitive personal information, should be compliant with the Guidelines as these provincial counterparts are substantially similar to PIPEDA and they share the same principles of consent.  Obtaining meaningful consent is becoming more difficult, and failure to do so may subject a business to enforcement action.  The Guidelines, however, do not provide a template of an one-size fit all, gold-standard consent process.  Therefore, it is prudent for businesses to seek legal assistance to develop creative and tailored solutions to obtain meaningful consent in ways that are suitable to the nature of the business, particularly an online business, and are compliant with the Guidelines.

Here is an overview of the seven guiding principles for meaningful consent as per the Guidelines[2]:

1. Emphasize key elements

Certain elements about the collection, use and disclosure of personal information require greater emphasis to obtain meaningful consent from the consenting individuals.  Such emphasis allows individuals to review the key elements impacting their decisions right up front instead of being buried in a privacy policy.  The key elements are:

• With sufficient precision, what personal information is being, or may be, collected about the individuals;
• With sufficient description in meaningful language, for what purposes personal information is collected, used or disclosed
• With which third parties or at least the types of third parties personal information is being shared, including the types of information being shared and whether such third parties may use the information for their own purposes; and
• Risk of harm and other consequences, if any, from disclosure even if mitigation measures designed to minimize the risk has been applied.

2. Allow individuals to control the level of detail

Individuals may require different levels of detail to provide a meaningful consent.  To respect the different personal approaches, organizations should provide information to the individuals in manageable and easily-accessible ways and allow the individuals to control how much more detail they wish to obtain, and when.  Organizations may consider presenting information in both simple and detailed versions to allow individuals to control the desired level of details provided to them.

3. Provide individuals with clear options to say “yes” or “no”

Individuals must be given a clear choice to consent to or refuse the collection, use, or disclosure of some or all of their personal information.  Organizations may be required to prove certain personal information if such information is a valid condition of service because it is integral to the service provided or falls under an exception to the general consent requirement.  Otherwise, individuals must have clear options to opt-out.

4. Be innovative and creative

Organizations are encouraged to be innovative in designing consent processes that can be implemented just-in-time, specific to the context, and appropriate to the type of interface used.  In particular, organizations are not encouraged to simply transpose their paper-based privacy policies from the offline environment to the digital space to obtain online consent. Instead, organizations should better utilize the tools that the digital space offers to improve the consent processes, including introducing just-in-time notices, interactive tools, and customized mobile interfaces to obtain meaningful consent from individuals.

5. Consider the consumer’s perspective

To ensure individuals can understand what they are consenting to, organizations should consider both the content of privacy communications and their accessibility from the user’s perspective.  Clear explanations, ease of accessibility to privacy policies and notices, and suitable level of language and display of information are essential.

6. Make consent a dynamic and ongoing process

Informed consent is beyond a mere posting of a privacy policy or notice – it is an ongoing process that changes as organizations innovate, grow and evolve.  Organizations should provide interactive and dynamic ways to address users’ questions regarding the use, collection, and disclosure of their personal information, particularly when significant changes to the organizations’ privacy practices are introduced.  Organizations are encouraged to periodically audit their information management practices.

7. Be accountable: stand ready to demonstrate compliance

Organizations must be ready to demonstrate that they have obtained valid consent through having a process in place to obtain such consent from the individuals that is compliant with the consent obligations set out in legislation.

In addition to the above guiding principles, the OPC provides further considerations in the Guidelines for organizations to obtain valid consent:

• Organizations must generally obtain express consent when the information being collected, used or disclosed is sensitive, outside of the reasonable expectations of the individual, and/or can create a meaningful residual risk of significant harm to the individual;
• Generally, the OPC deems an individual under the age of 13 to be a minor and unable to meaningfully consent to the collection, use and disclosure of personal information in all but exceptional circumstances – instead, such consent must be obtained from the individual’s parents or guardians. For minors able to provide meaningful consent, consent can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly;
• For a consent to be valid, the purposes for which an organization collects and uses personal information must be defined and be appropriate to a reasonable person under the circumstances;
• Individuals have the right to withdraw consent, subject to legal or contractual restrictions; and
• Consent does not waive an organization’s other obligations under privacy laws.

OPC recognizes that obtaining meaningful consent is increasingly difficult, and the Guidelines are designed to provide the much needed guidance on how to do so.  It is prudent for organizations subject to PIPEDA and its provincial counterparts to review their privacy policies and consent process and revise accordingly.

[1] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/principles/p_consent/

[2] https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/