The role of insights

SEE TIPS

OPC’s new consent guidelines and what they mean to your business

Jul 11, 2018
Consent Privacy

The release of its new Guidelines for obtaining meaningful consent by the Office of the Privacy Commissioner of Canada (OPC) should be viewed as a salient development in a panoply of recent privacy-related news. This includes the federal government’s announcement of the Digital and Data Transformation Consultation and the tabling of a bill in Parliament providing for order-making power within the OPC and significant fines for breach of the Personal Information Protection and Electronic Documents Act (PIPEDA). These important developments were summarized in a blog article by CMA’s Cristina Onosé.

The Guidelines raise the bar distinctly for user control of personal data, focusing on the collection, use and disclosure of data in the digital economy. They follow a more than two-year review and stakeholder consultation by the OPC regarding the role and viability of consent under PIPEDA. Challenges to privacy protection and PIPEDA’s consent model posed by advances in technology, including digital media, big data and artificial intelligence, provided the context. 

In its report on the review, the OPC concluded that consent should remain a central tenet of our privacy framework but that the challenges as to its practicability must be met with enhanced processes, supported by active guidance and oversight by the regulators.

GDPR implications

Not entirely coincidentally, the release of the Guidelines occurred one day before the coming into force of the GDPR, providing enhanced consent rules relative to its predecessor, the 1995 Data Protection Directive, and which, due to the GDPR’s extended extra-territoriality rule, will now apply to many Canadian organizations.  The GDPR, together with the EU’s new e-Privacy Directive (expected to be issued next year), will require organizations to revisit and significantly upgrade their data collection practices.  It will have particular impact on digital media and the now ubiquitous technologies available for tracking, targeting and otherwise collecting digital data, both actively and passively.  Procedures directed at the new EU rule adopted by organizations aiming for compliance with the GDPR likely will align closely with the Guidelines.

Seven guiding principles for meaningful consent

The Guidelines articulate “Seven guiding principles for meaningful consent”.  They also address forms of consent - express or implied - as well as guidance for consent by children.  Significantly, the Guidelines identify which elements of the guidance are considered requirements (“Must do”) versus best practices (“Should do”), the former stated as in effect having the force of law.

The seven principles that organizations are expected to comply with are as follows.

  • Emphasize the key elements - While organizations must make full information about their processing of individuals’ personal information readily available (such as in their privacy policies), they must place additional emphasis on the following four key elements:
  • identification of the personal information being collected;
  • identification of the parties with whom the information is being shared;
  • the purposes for which personal information is being collected - in sufficient detail and appropriate language to ensure a meaningful understanding; and
  • the consequences of providing consent including any meaningful risk of harm that may result not otherwise mitigated.
  • Allow individuals to control the level of detail they get and when they get it - Information must be provided in manageable and easily-accessible ways, including potentially in a layered format, enabling individuals to control the detail and timing of the information provided. 
  • Provide individuals with clear options to say “yes” or “no” - Individuals must be given a separate choice as to any consent for purposes supplementary to that necessary for providing the desired product or service and the choices must be explained clearly and be  easily accessible.
  • Be innovative and creative in designing consent processes - Organizations are encouraged to use a variety of communications strategies – including “just-in-time” notices, interactive tools and customized mobile interfaces.
  • Consider the consumer’s perspective - Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information is understandable from the point of view of the target audience.  Organizations also should ensure that privacy communications are easily accessible from all devices used by their target audience.
  • Make obtaining consent a dynamic and ongoing process - As an organization’s information processing activities evolve, they should adjust their privacy practices, including adoption of smart technologies.  As well, organizations should periodically audit their practices to ensure that they continue to reflect the descriptions provided in policies and other documents.
  • Be accountable and ready to demonstrate compliance - Organizations should be in a position to demonstrate compliance with the law, including the Guidelines, and in particular that their consent processes are sufficiently understandable by their target audiences, resulting in valid and meaningful consent. 

Appropriate form of consent

As a key adjunct to the principles, the Guidelines contain guidance regarding express versus implied consent. 

As a general rule, organizations must obtain express consent when:

  • the personal information is sensitive,
  • its collection, use or disclosure is outside of the reasonable expectations of the person providing it, or
  • that creates a meaningful risk of significant harm that is not otherwise mitigated.

The Guidelines recognize that the ability of children and youth to provide meaningful consent depends in a significant way on their cognitive and emotional development.  Generally, the threshold age below which consent by young children requires parental consent is identified as thirteen.

“Must do”/”Should do” checklists

The guidelines conclude by providing two useful checklists indicating procedures that are required for compliance (i.e. are “legal” requirements), as opposed to simply best practices.  The following are key items in the “must do” checklist:

  • make full privacy information available, while giving emphasis to the four key elements;
  • provide information by manageable and easily-accessible means;
  • provide a clear and easily accessible choice for any consent not required for the primary transaction;
  • ensure consent processes are user-friendly and understandable from a consumer perspective;
  • obtain consent for significant changes to privacy practices and any new data uses;
  • only collect, use or disclose information for purposes that a reasonable person would consider appropriate in the circumstances;
  • obtain express consent for sensitive information, unexpected uses, or where there is meaningful risk of significant harm; and
  • obtain consent of a parent for children under 13 and ensure older youth are able to consent.

Implications of the Guidelines

The regulators consider a significant portion of the Guidelines to have the force of law and have stated that they expect them to be adopted by all organizations commencing January 1, 2019. 

The rules set out in the Guidelines, while for the most part not unfamiliar, articulate more rigorous procedures for consent than are currently followed by many mainstream data collectors.  The requirements to more explicitly highlight four key information elements, to provide information in a manageable and accessible form, and to clearly provide a yes/no choice for information uses that are not central to a transaction – to call out only some of the new requirements – will require in many cases significant adjustments to information collection and (online) tracking protocols. 

The arguably new requirement – to disclose significant potential risks of harm, whether financial, emotional or reputational – likely will pose a new governor on many open-ended information collection practices.

Release of the Consent Guidelines is the most significant development in this current very active privacy environment. While other developments – such as the GDPR – have less direct impact, or represent broader policy changes that will take a longer time to institute (e.g. the Digital Data Consultation), the Guidelines will have immediate effect and are explicit in their compliance requirements.

AUTHORED BY
profile picture

David Young

Principal David Young Law

Ethics and Standards Committee



UPCOMING EVENTS & LEARNING OPPORTUNITIES

|

VIEW ALL

Carousel title 2

/

Recent Work |

View All

Brand marketing: The essence of marketing

Apr 18
Tag:Brand Tag:Thought Leadership
Council

Cannes you have your Lion and eat it too?

Apr 16
Tag:Agency Tag:Partners
Council

Harnessing hyper-personalization in modern marketing

Mar 27
Tag:Marketers Tag:Thought Leadership
Council

Humour in creative campaigns

Mar 15
Tag:Creativity
Council

Navigating global brand positioning

Mar 08
Tag:Brand Tag:Thought Leadership
Council

Media trends to watch for in 2024

Mar 01
Tag:Media Tag:Trends
Council

Advice for marketers from the CMA Insights Council

Feb 29
Tag:Insights Tag:Thought Leadership

Taking Stock: Canada’s Digital Charter

Feb 29
Tag:Digital Tag:Standards

Proposed online harms law: What marketers need to know

Feb 28
Tag:Digital Tag:Standards
Council

Six tips for achieving your 2024 goals with consumer insights

Feb 20
Tag:Insights Tag:Thought Leadership

Ontario adopts updated consumer protection law

Feb 01
Tag:Consumer Protection Tag:Standards

Embracing AI as more than a buzzword

Jan 22
Tag:Adtech Tag:ai

Tips to avoid deceptive marketing

Jan 17
Tag:Deceptive Marketing Tag:Standards
Council

Knowing when to exceed customer expectations

Jan 15
Tag:CX Tag:Thought Leadership
Council

Enrich CX with a passwordless future

Jan 11
Tag:CX Tag:Thought Leadership

How AI is infusing empathy into digital CX

Jan 08
Tag:ai Tag:CX

Upskilling for marketers: Future-proofing talent

Jan 03
Tag:Professional Development Tag:Talent

Get up to speed on California’s privacy law

Dec 19
Tag:Privacy Tag:Standards

Contests 101: What marketers need to know

Dec 13
Tag:Contests Tag:Standards
Council

Unpacking consumer trends for future-ready marketing

Dec 08
Tag:Consumers Tag:Trends

The momentum and opportunity of AI for marketers

Dec 01
Tag:ai

Ontario’s proposed protections for consumers

Nov 21
Tag:Consumer Protection Tag:Standards

Have your say: New federal consultations affecting biometrics and generative AI

Nov 13
Tag:ai Tag:data

What You Should Know: Final consent guidance from Quebec’s privacy regulator

Nov 08
Tag:Privacy Tag:Standards

Opportunity on the open internet

Nov 03
Tag:Adtech Tag:Trends

Quebec privacy regulator releases final consent guidance

Nov 02
Tag:Privacy Tag:Standards

Mastering personalization in marketing with AI

Oct 31
Tag:ai Tag:Personalization
Council

Inflation trends this holiday season

Oct 27
Tag:Consumers Tag:Thought Leadership

Experts weigh in on recent developments in Canada’s privacy and AI landscape

Oct 26
Tag:ai Tag:Privacy

A celebration of Canadian marketing excellence

Oct 20
Tag:Awards

Major Sponsors

  • BMO-800x450
  • canada-post_2022
  • CIBC-800x450
  • Microsoft-2023

Featured Member