What is express consent for data collection?
When should organizations get opt-in consent from individuals?
How can companies comply with PIPEDA as it relates to express consent?
In this article, we will break down the concept of express consent so you can get a complete picture of what it is and how you can make sure you comply with PIPEDA.
Are you ready?
Let’s get started…
What is express consent
Express consent or opt-in consent is when an online user clearly accepts or rejects a request made by a company to collect, use and disclose their personal information.
Under the Canadia privacy law Personal Information Protection and Electronic Documents Act or PIPEDA, consent is a cornerstone topic of this piece of legislation.
When organizations intend to collect, use and disclose personal information related to Canadian citizens, they must inform individuals as to the purpose and how they’ll manage and safeguard the personal data.
Express consent law: PIPEDA
In Canada, the Personal Information Protection and Electronic Documents Act is a federal statute governing how organizations collect, use and disclose personal data.
Under PIPEDA, organizations are required to get valid consent from individuals to process their personal information.
Based on the consent principle outlined in Schedule 1 of PIPEDA, organizations should generally get express consent to collect sensitive information about someone.
Otherwise, companies can choose an opt-out form of consent also called implied consent.
Let’s look at the relevant provisions of PIPEDA with respect to valid consent.
Article 6.1 of PIPEDA: Valid consent
Article 6.1 of PIPEDA indicates that:
“For the purpose of clause 4.3 of Schedule 1, the consent of the individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting”.
This article states that the consent of an individual is only valid if the individual could understand the nature, purpose and consequences of the data collection.
Later in this article, we’ll break down the three elements essential aspects of this article as it relates to the personal information:
- Nature of personal information
- Purpose of the collection
- Consequences of the collection
Article 4.3 of Schedule 1 to PIPEDA: Principle 3 – Consent
Article 6.1 of PIPEDA says “for the purpose of clause 4.3 of Schedule 1”.
What does clause 4.3 of Schedule 1 relate to?
Article 4.3 of PIPEDA’s Schedule 1 relates to the third fair information principle relating to consent.
Let’s summarize the relevant extracts of article 4.3 of Schedule 1 to PIPEDA so we can extract a proper understanding of when we must get a user’s express consent for data collection, use and disclosure.
Article 4.3 of Schedule 1 states:
“The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.”
Article 4.3.1 states:
“To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.”
Article 4.3.4 states:
“In determining the form of consent to use, organizations shall take into account the sensitivity of the information.”
Article 4.3.5 states:
“In obtaining consent, the reasonable expectations of the individual are also relevant.”
Article 4.3.6 states:
“An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.”
When you analyze the above principles, we can summarize everything as follows:
- Generally, organizations must get express consent from individuals when the personal data collected may be sensitive.
- For an individual’s consent to be valid and meaningful, organizations must inform the individual as to what personal information will be collected and for what purpose.
Nature of personal data required for collection
The nature of the personal data is very important.
Organizations must ask themselves: what type of personal information do we need to collect and use to effectively render our services?
The more sensitive the nature of personal data required by a company, the more they should lean towards getting express consent.
How do you determine if the personal information is sensitive or not sensitive?
For example, is a person’s email address sensitive information?
Unfortunately, there’s no answer set in stone.
An email address can be considered sensitive in some cases and non-sensitive in other cases.
An email address in of itself may not be sensitive.
However, when combined with other bits of data, it may acquire a sensitivity imposing an express consent on organizations.
With respect to the use of email addresses in the context of social media, the Canadian Privacy Commissioner, in dealing with a privacy complaint against Facebook indicated that although:
“an email address may not at first blush be considered to be a sensitive piece of personal information, the existing or presumed social connections between people derived from the use of the e-mail address… could be considered sensitive in certain unique contexts.”
As you can see, the Privacy Commissioner reckoned that “in certain unique contexts” email addresses can be considered sensitive information.
Purpose of collection of personal data
The purpose of the collection of personal data is important for consumers to understand.
When you are asked to give your personal information, what is the company going to do with it?
Article 6.1 of PIPEDA states that for consent to be valid, the individual must understand the purpose for which their personal information is being collected.
When organizations need your personal information to render their services, that’s a reasonable purpose.
In such an instance, the company should inform the individual of its specific purpose so they can clearly understand it.
On the other hand, if an organization collects personal data to render services and uses the data to sell it to a third-party, you’d likely feel violated.
In this example, the company had not disclosed its sharing practice or the purpose of sharing your data with a third-party.
The company has violated its obligations under PIPEDA to get valid consent.
Consequences of collection of personal data
The third component in the legal requirements for valid consent is to inform the individual or consumer of the consequences of giving their personal data.
Article 5(3) of PIPEDA states:
“An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
For a company to be legally authorized to collect personal data, the collection, use and disclosure must be appropriate in the circumstances.
If there is a high risk of harm or adverse consequence for the individual, then organizations should not collect the information that may be inappropriate in the circumstances.
If the risk is so remote and extremely unlikely, then companies can even consider an opt-out consent as a form of consent.
However, in instances when the risk of harm or consequences to an individual is above a remote possibility but below probable risk, then organizations must disclose the risk to the individual and get express permission to collect, use and disclose their personal information.
Companies must also implement measures to mitigate the risk to individuals to prevent any adverse consequences to the individual.
When to get express consent for personal data collection
Organizations should get an individual’s express consent in the following circumstances:
- The personal information collected, used or disclosed is sensitive
- The collection, use and disclosure will be outside of an individual’s reasonable expectation
- The collection, use and disclosure can pose a meaningful residual risk of significant harm
How to ensure an individual’s express consent is meaningful
Companies can implement measures and policies designed to ensure that an individual’s consent is valid and meaningful.
To give you an example of what a valid and meaningful consent means, let’s look at a concrete example.
Imagine that an online advertising company collects your personal data and information when you navigate on their website for the purpose of delivering targetted advertisements to you.
If they disclose that specific purpose to you and you accepted it, then we have a valid and meaningful consent.
If the same company collects your personal information for targetted advertisement but they tell you that they are collecting the data for website performance improvement, then your consent was not valid or meaningful.
The real purpose of the data collection was not disclosed to you.
Alternatively, if they do tell you about the targetted advertising but do not tell you that they also share your personal information with third-party companies who will use it for their own benefit, there too we have a problem with the consent obtained.
So how can a company ensure its users give valid consent?
Make your privacy information complete
Your privacy information should provide complete information about the collection, use and disclosure of personal information.
To be complete, you will need to:
- Indicate what type of personal data you will be collecting and using
- Be precise about the type of data you will be collecting and using
- Inform the user if you will share the personal data with anyone
- Advise users for what purpose you will use their personal information or share it with a third-party
- Be clear about the risks of harm or adverse consequences to the user
Consider the perspective of the individual
Be mindful of your customers using mobile devices, tablets and desktop computers.
Consider the user experience when you are designing the actual steps for users to give you consent.
Make the process simple and easy.
Limit your collection of personal data
As much as possible, limit the amount of personal information and data you will collect and use.
If you collect too much personal information, you may unnecessarily expose yourself to additional obligations under PIPEDA.
If you can collect just enough information and keep the information non-sensitive, you can get a valid consent using the opt-out form or implied consent.
Implied consent is what businesses love as it’s much easier to get user consent.
If you collect too much information, then you may exceed a ‘sensitivity threshold’ requiring you to get express permission to collect and use personal data.
Be mindful of how much information you really need to collect.
Other factors to consider
Here are some other factors you should consider in making sure you get meaningful consent from your clients, customers or prospects:
- Provide your privacy information in manageable pieces
- When you need to use personal information for reasons beyond the purpose of the initial consent, make sure you get a new consent from the individual
- Allow individuals to withdraw their consent in an easy way to the extent possible
- Make sure parents or guardians give consent for their children or teenagers
Express consent is when an individual or person must provide his or her consent for the collection, use or disclosure of personal information before an organization actually collects the data.
In other words, before or at the moment an individual’s personal information is being collected, organizations must obtain the person’s express permission to collect and use their information.
Express consent is also referred to as an opt-in consent.
Opt-in consent essentially means that the individual must specifically accept or opt-in and agree to the collection and use.
Typically, if a user does not opt-in, then the company should not collect the user’s information and must not render the services requiring the collection and use of personal information.
The decision to opt-in or opt-out should be implemented immediately.
Under PIPEDA, article 6.1 states that an individual’s consent must be valid.
The consent can be valid when a person can reasonably understand:
- The purpose of the collection
- Nature of information being collected
- Consequences of the collection
Companies should get a person’s express consent when:
- The information collected is sensitive
- The information will be used for other purposes
- There is a residual risk that can pose significant harm to the person
By implementing practices and policies to ensure an individual gives a valid and meaningful consent, companies can ensure they comply with the terms of PIPEDA.
We hope that this article helped you better understand express consent under PIPEDA.
How does your organization handle the process of getting a valid and meaningful consent?
We would love to hear from you!
Drop us a comment.