Beyond stating general principles, the Personal Information Protection and Electronic Documents Act ("PIPEDA") does not provide much guidance on how (or how not) to obtain the "knowledge and consent" of an individual which is necessary for a valid consent. However, in comments sprinkled through more than 170 decision summaries published late last year, the former Privacy Commissioner ("Commissioner") elaborated to some extent on his interpretation of the consent principles of PIPEDA. In those decisions, the Commissioner established broad guidelines recommending that organizations inform individuals in a prominent, comprehensible and relatively specific manner as to:

  1. what personal information is to be collected and from whom;
  2. how and why this information is to be used; and
  3. to whom this information is to be disclosed and why.

The Commissioner also stated that an immediate, convenient and inexpensive means of opting out of non-essential uses and disclosures of information must be offered.

The Commissioner’s latest and most specific pronouncement on consent requirements is found in a summary of a decision on an individual’s complaint that a magazine had been selling or renting his name and address to third parties without his consent. While the masthead of each magazine issue contained notification of the practice in question and of the procedure by which a subscriber could opt out of having his/her name included on this list, the original subscription card made no mention of this disclosure and opt-out option. The notification on the masthead appeared in small print and was "buried in a dense paragraph of miscellany" on the page. The names or types of companies to which subscriber information was forwarded were not identified.

In its defence, the magazine pointed out that it had been following the practice of most magazines and the guidelines established by the Canadian Marketing Association. As such, the magazine expressed concern that it would be put at a competitive disadvantage if it undertook a higher level of disclosure than the rest of the industry.

The Commissioner determined that the magazine’s purpose notification was inaccessible and that the opt-out option was not presented at the time of subscription. Thus, the magazine had failed to obtain the complainant’s knowledge and consent. The Commissioner recommended that in the future the magazine inform its subscribers of its non-essential uses and disclosures of their information by:

  1. including a purpose statement and a checkoff box on the subscription form;
  2. displaying the statement prominently and in regular size type and including in it a description of the items to be disclosed (for example, name and address) and the organizations to which the disclosures are to be made; and
  3. providing and prominently advertising a mechanism, including a toll-free telephone number, where subscribers can conveniently, inexpensively and promptly withdraw their consent at any time.

The Commissioner held that the magazine could continue to use the opt-out form of consent, provided that the organizations to which disclosure is to be made are identified at least by type and that the items of information to be disclosed remain limited to name and address.

The Commissioner was dismissive of the magazine’s "industry standard" defence. The Commissioner’s unequivocal view was that his conclusions were never meant to be subject to industry approval and that, rather, PIPEDA (and presumably his interpretation of it) is the new industry standard for the management of personal information. The Commissioner made it abundantly clear that his "recommendations" are meant not for negotiation, but for adoption.

It remains to be seen whether the new Commissioner will adopt an equally inflexible stance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.