Canada: Privacy Commissioner Issues Key Guidelines For Consent And Inappropriate Data Practices

Last Updated: June 7 2018
Article by Alex Cameron, Daniel Fabiano and Robin Spillette

On May 24, 2018, the Office of the Privacy Commissioner of Canada published two important guidance documents in respect of activities regulated pursuant to the Personal Information Protection and Electronic Documents Act ("PIPEDA"):

The publication of the above guidance documents comes on the heels of the Commissioner's consultation on consent and the recent updating of guidance on "Recording of Customer Telephone Calls". In this bulletin, we review the Consent Guidelines and Data Practices Guidance and highlight implications for organizations that are subject to PIPEDA.

GUIDELINES FOR OBTAINING MEANINGFUL CONSENT

The Consent Guidelines provide that organizations should follow seven key principles in seeking to obtain meaningful consent under PIPEDA. These are reviewed below.

1. Emphasize key elements

Emphasizing key elements in consent (and any associated public-facing privacy policy) can improve an individual's understanding of the consequences of giving consent, and thereby contribute to meaningful consent. The Consent Guidelines provide that organizations must generally put particular emphasis on the following elements:

  1. What personal information is being collected, used and disclosed: Organizations should identify all information that will or may be collected, with sufficient precision to permit individuals to understand what they are consenting to.
  2. The purpose for which the information is being collected, used or disclosed: Organizations should describe these purposes in sufficient detail to ensure that individuals have a meaningful understanding of them; vague descriptions should be avoided. Any purposes that are not integral to the provision of the organization's products or services, and any uses that would not be reasonably expected given the context, should be emphasized.
  3. Information-sharing with third parties: Where organizations share information with a large number of third parties, or where the parties may change over time, an organization should list the types of organizations with which they are sharing information, and give users the ability to access more details if they desire. Any third parties that will be using the information for their own purposes, rather than for advancing the purposes of the first party, should be emphasized.
  4. Whether there is a risk of harm arising from the collection, use or disclosure of information: Organizations should consider emphasizing harms that may be associated with the activity for which consent is sought, including both direct and indirect harms (e.g. unauthorized use of information). The risk of harm refers to any risk of significant harm (that is, more than minimal or a mere possibility) after accounting for any mitigating procedures taken by the organization. Individuals must be aware of the consequences of their consent in order for that consent to be meaningful, and this includes indirect risks such as third-party misuse of information.

2. Allow individuals to control the level of detail

Organizations should make privacy disclosures more manageable and accessible by allowing individuals to decide how, when, and how much information about an organization's privacy practices the individual accesses at any given time. Layered disclosure is one such approach. Layered disclosure starts by displaying more abstracted, general information, and allows individuals to obtain more detail on discrete topics if they wish. Additionally, privacy disclosures should be readily available so that an individual can return and re-read about an organization's privacy practices. This approach supports meaningful consent, as it allows individuals an opportunity to reconsider and potentially withdraw consent if they object to any of the organization's practices.

3. Provide individuals with clear options to say 'yes' or 'no'

Organizations must not require individuals to consent to the collection, use or disclosure of more information than is necessary for the product or service which is being provided. For a collection, use, or disclosure to be "necessary", it must be integral to the provision of that product or service (i.e. required to fulfill the explicitly specified and legitimate purpose). If any other information is to be collected on an opt-in or opt-out basis, individuals should be able to choose whether or not to consent to the collection of this additional information, and this choice should be clear and accessible, unless an exception to consent applies.

4. Be innovative and creative

Organizations should think about moving away from simply transposing paper-based policies into their digital environments, and seek innovative ways to obtain consent. 'Just-in-time' notices, for example, are an alternative to obtaining all consents 'up-front'. A cell phone application that, rather than asking for access to location data upon installation, asks for this consent the first time the individual attempts to use the application in a way which requires location data, provides more context to the individual and a better understanding of what is being collected and why. Other interactive tools, such as videos, click-through presentations which explain privacy policies, and mobile interfaces, could also be used. Additional information regarding mobile apps is provided in the Commissioner's guidance: "Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps".

5. Consider the target individual's perspective

To ensure that consents and privacy disclosures are user-friendly and understandable, organizations must be mindful of the perspective of target individuals. This involves the use of an appropriate level of language, clear explanations, and a comprehensible display. It also involves consideration of the types of devices that target individuals will be using (laptops, mobile phones, tablets, etc.). Organizations may wish to understand the perspective of target individuals by consulting with them, running pilot tests and focus groups, engaging with privacy experts, and following industry best-practices.

6. Make consent a dynamic and ongoing process

Consent should be an ongoing, dynamic and interactive process (and not a one-off process). Periodic reminders and refreshers about an organization's privacy practices should be implemented, as well as ongoing and practical ways for individuals to obtain more information.

7. Be accountable: stand ready to demonstrate compliance

Organizations should be ready to prove that they have obtained meaningful consent, including showing that their consent process is understandable and accessible. One such way to do this is for organizations to be aware of these guidelines, as well as the guidance provided by the Commissioner in "Getting Accountability Right with a Privacy Management Program", and to show that they have followed them.

Additional topics addressed in the Consent Guidelines

Appropriate form of consent

In addition to the seven guiding principles above, the Consent Guidelines remind organizations of the need to consider what type of consent is appropriate given the circumstances. While in some situations implied consent may be adequate, there are some circumstances which will generally require express consent, including: (a) when the information being collected, used or disclosed is sensitive in nature; (b) when an individual would not reasonably expect certain information to be collected, used or disclosed given the circumstances; and (c) when there is a more than minimal risk of significant harm.

Consent and children

Another contextual factor is whether the target individuals include children. When children are involved, organizations should take into account the fact that children will generally have different emotional and cognitive processing abilities than adults. This affects their ability to understand how their personal information is being used, and hence will affect their ability to give meaningful consent. The Office of the Privacy Commissioner (OPC) requires that, for children 13 and under, a parent or guardian give consent on the child's behalf. When the target individuals include minors who are able to provide consent themselves, organizations should still take their maturity into account, and should be ready to show how they have done so.

At the conclusion of the Consent Guidelines, the Commissioner provides a useful checklist of "Should do" and "Must do" action items for organizations seeking to obtain meaningful consent under PIPEDA.

GUIDANCE ON INAPPROPRIATE DATA PRACTICES

Concurrently with publishing the Guidelines, the Commissioner published the Data Practices Guidance, which sets out various considerations that organizations should keep in mind when assessing whether a certain practice may be contrary to subsection 5(3) of PIPEDA.

Subsection 5(3) of PIPEDA is an overarching requirement which provides that: "An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances." In other words, even with an individual's consent, there are certain purposes that would be unacceptable under PIPEDA on the grounds that a reasonable person would not consider them to be appropriate.

Like meaningful consent, whether or not a purpose is inappropriate requires a contextual approach. As summarized in the Data Practices Guidance, the following factors have been applied by the Commissioner and the courts:

  • Whether the organization's purpose represents a legitimate need / bona fide business interest;
  • Whether the collection, use and disclosure would be effective in meeting the organization's need;
  • Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and
  • Whether the loss of privacy is proportional to the benefits (which includes consideration of the degree of sensitivity of the personal information at issue).

In addition, as set forth in the Data Practices Guidance, the Commissioner has established a list of prohibited purposes under PIPEDA, which it has deemed "No-Go Zones." The Commissioner considers that a reasonable person would not consider the collection, use or disclosure of information to be appropriate in these circumstances. Currently, the list of "No-Go Zones" may be summarized as follows:

  • Collection, use or disclosure that is otherwise unlawful (e.g. violation of another law);
  • Collection, use or disclosure that leads to profiling or categorization that is unfair, unethical or discriminatory in a way which is contrary to human rights law;
  • Collection, use or disclosure for purposes that are known or likely (on a balance of probabilities) to cause significant harm to the individual (e.g. bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record or damage to or loss of property);
  • Publishing personal information with the intended purpose of charging individuals for its removal (i.e. "blackmail");
  • Requiring passwords to social media accounts for the purpose of employee screening; and
  • Surveillance by an organization through the use of electronic means (e.g. keylogging) or audio or video functionality of the individual's own device.

While these "No-Go Zones" are important to note, organizations should also remember that the list is not binding, determinative or exhaustive, and that subsection 5(3) requires a contextual analysis. What a reasonable person would consider appropriate is a flexible and evolving concept which will be revisited by the Commissioner from time to time.

IMPLICATIONS FOR ORGANIZATIONS SUBJECT TO PIPEDA

The Commissioner's guidance documents do not have the force of law and are not binding on organizations. However, they plainly set out the Commissioner's expectations, provide a benchmark against which the Commissioner will assess practices in the context of a complaint, audit or investigation, and provide a useful reference for organizations seeking to comply with PIPEDA.

It is also important to note that, over time, previous Commissioner guidance documents, including "Guidelines for Processing Personal Data Across Borders", have come to set the de facto standard and practices under PIPEDA. Organizations should familiarize themselves with the new guidance documents and consider steps to amend practices as necessary. For example, organizations which use mobile and online interfaces can refer to work which is already being done regarding the implementation of privacy icons and privacy dashboards to help obtain meaningful consent. These and other potential solutions are discussed in the Commissioner's discussion paper, "Consent and Privacy".

Finally, in considering compliance with the new guidelines discussed in this bulletin, organizations should be mindful of the consequences of failing to obtain meaningful consent or failing to process information for appropriate purposes as required by PIPEDA. For example, a failure to obtain meaningful consent from a large number of individuals could undermine the basis upon which key business operations are premised. This could not only render those operations non-compliant with PIPEDA but also give rise to class action litigation risk for a privacy breach (e.g. processing personal information for commercial purposes without adequate consent).
