Organizations subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) – those that collect, use or disclose personal information in the course of commercial activity in Canada – have seven new reasons to conduct an audit of privacy policies and practices ASAP. As of January 1, 2019, Canada's Office of the Privacy Commissioner (and those of the provinces of Alberta and British Columbia) is applying new "Guidelines for obtaining meaningful consent": seven new guiding principles to help organizations ensure they obtain "meaningful consent" from their customers for the collection, use and disclosure of personal information.

The Guidelines are more than mere suggestions: they include mandatory elements for such consent to satisfy the legal requirement of "meaningful" consent". "Meaningful consent" essentially means that a person who is consenting to the collection, use or disclosure of their personal information has a solid understanding – before they decide to hand over any of their personal information – of what, why, how, when and where that personal information will be collected, used and disclosed. Canadians understand that today's digital economy requires them to share their personal information with the organizations with which they do business. The Canadian Marketing Association's (CMA) May 2018 study, "Data Privacy – What the Canadian consumer really thinks", revealed that 66% of Canadians agree that disclosing personal information is "increasingly part of modern life", and 35% think it's "essential for the smooth running of modern society". Yet, as the Privacy Commissioner succinctly summarized in the Office of the Privacy Commissioner's 2016-17 Annual Report to Parliament on PIPEDA and the Privacy Act following consultations on which the Guidelines are based: Canadians want and expect better control over their personal information – and better protection of their privacy. Given knowledge is power and transparency is key, the new Guidelines aimed at ensuring consent is meaningful are an important step toward meeting the expectations of consumers in today's digital world. The court has the last word on consent under PIPEDA. But if there's litigation, judges will likely be influenced by the Guidelines; and if there's an investigation of a complaint, implementing them will likely foster resolution with the Privacy Commissioner.

The new Guidelines mean organizations that collect, use or disclose personal information in the course of commercial activity are well-advised to, at the very least, conduct an audit of their consent practices and processes to ensure compliance with PIPEDA's consent requirements. And with the new data breach response obligations now in effect, it means it's likely most efficient to carry out a more fulsome review of all privacy practices and processes in that audit. Here are seven key steps to help organizations conduct an audit of their consent practices and processes for compliance with the Guidelines, and three reasons why the new Guidelines could mean it's time for an audit of all privacy practices and processes.

7 Steps to Comply With "Meaningful Consent" Guidelines

Here are seven key steps to help you ensure you obtain "meaningful" consent from your customers.

1. Make privacy information accessible, available and digestible.

People must have the information they need to decide whether they want to share their personal information. So don't bury that information in a privacy policy you've simply posted on your website that a customer might – or might not – read: it won't ensure that you've obtained "meaningful consent". Put it front and center, and emphasize the what, why, how and when of information collection, use and disclosure, and the possible risks of harm to which your customer is exposed if they give the consent. And ideally, give your customers the ability to control the amount of detail about the consent process that they want to receive and when.

2. Be user-friendly and intuitive.

Look at your process for obtaining consent through the eyes of your customers: is it user-friendly and intuitive? It needs to be; if it's not, think of how to change it to make it so. It's critical that you design consent practices and processes from the perspective of your customers – and remember that not all customers are the same. You need to have a deep and solid understanding of your customers and design consent practices and processes that speak to them depending on:

  • How technically (or otherwise) sophisticated – or unsophisticated – they are.
  • How old (or young) they are; for example, the Privacy Commissioner's view is that 13 is the minimum age at which children can consent.
  • How much information they will likely need – or want – to decide whether to give consent.

So get ahead of the curve: adopt innovative and creative ways for customers to give their consent – just before or at the time of collection, specific to the context, and suitable to the interface. For example, make sure that your customers can navigate your privacy policy and consent process as effectively from their smartphone as they can from their laptop or personal computer.

3. Give your customers a clear and easy choice.

When personal information is not necessary in order for you to provide your customers with your product or service, but you're still asking for it, make it easy for them to say "yes" or "no" to sharing it with you.

4. Ask ... then ask again (and again, if necessary).

Your customers might have agreed to give you their personal information to use (or share with others) for one purpose, but now you want to use (or share) it for another purpose. You'll need to get fresh consent from your customer before you do this or before you make any other significant change to how you use or share their information.

5. Make sure that what you're asking is reasonable.

Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate – in the circumstances. For example, don't ask your customer for their credit card information as part of an account-opening process if all you really need is a name and email address.

6. Let people change their minds.

People have the right to change their minds and withdraw their consent to the use and disclosure of their personal information. Make sure your organization can accommodate this subject, of course, to legitimate reasons for information to be retained (for example, if there is a legal or contractual restriction on the deletion of data).

7. Know when implied consent is not enough.

There are times when "implied" (as opposed to "express") agreement is enough for "meaningful consent" – and there are times when it's not. When the agreement relates to the collection, use or disclosure of personal information that meets any of the following criteria, only express – and not implied – agreement is enough for "meaningful consent":

  • The information is sensitive, such as health or financial information.
  • The collection, use or disclosure might be outside the individual's reasonable expectations, such as the collection of information about the individual's location when that's not expected.
  • The collection, use or disclosure creates a residual risk of significant harm; for example, there's a risk of identity theft if the personal information is compromised.

3 Reasons the Guidelines Could Mean a Full Privacy Audit

The new Guidelines could also mean that, if you haven't recently done so, it might make sense to broaden the scope of your audit to include all your privacy practices and processes. Here are three reasons why.

1. Privacy breach prevention is still crucial.

The Guidelines expressly note that consent isn't a "silver bullet". This is a crucial point organizations could easily overlook – at their peril: obtaining "meaningful consent" that meets the PIPEDA standard won't save an organization that doesn't have all its other privacy ducks in a row. In particular, it won't save you from the Digital Privacy Act's strict and onerous new mandatory privacy breach response requirements with respect to any data security safeguard breach. It's prudent, if not essential, for all organizations to implement a cyber security risk mitigation plan to minimize the growing liability risks of suspected and actual data breaches (including compliance with the Digital Privacy Act). It also won't save you from non-compliance with the myriad of other requirements of PIPEDA, or non-compliance with other privacy laws, like Canada's Anti-Spam Legislation (CASL).

2. Privacy law is moving fast.

Privacy law is one of the most rapidly developing areas of the law. This means it can be tough for organizations to keep themselves – and their privacy practices and processes – up to speed, and makes regular privacy practice and process audits a must. In addition to new privacy laws (like the November 2018 Digital Privacy Act), decisions of Canadian courts often affect how all organizations do business, and courts are increasingly interpreting and setting legal parameters around privacy rights. The Guidelines specifically reference but two Supreme Court decisions (Royal Bank of Canada v. Trang and R. v. Spencer) of many that cumulatively demonstrate a trend to greater legal recognition – and protection – of Canadians' privacy rights and expectations, including in: Internet files on work-issued laptop computers; data in a computer (including a "smart phone"); their online activities; basic cell phone contents; and co-owned personal computers.

3. Proof of privacy and consent compliance is a practical necessity.

The Guidelines caution organizations that they "should" be ready to demonstrate compliance with PIPEDA, and particularly its consent requirements. Theoretically, this is a "should"; practically, it's a "must". The clichéd legal advice is to "document, document, document": it doesn't just matter what you did, it matters what you can prove you did. If an organization faces an investigation by the Office of the Privacy Commissioner, its ability to prove it complied with privacy laws, including PIPEDA generally and its consent requirements (including the Guidelines) specifically, is imperative to its ability to respond in the investigation – and in the court of public opinion. This means you should document and maintain records of every step of every action you take to do the following – and should ensure your internal privacy practices and processes incorporate such documentation:

  • Determine your organization's privacy and consent practices and processes.
  • Implement those practices and processes; for example, conduct employee training to ensure there are no internal gaps about those privacy practices and processes.
  • Periodically review and reassess those practices and processes, such as by conducting a consent and/or privacy audit because of the new Guidelines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.