What is implied consent?
In what circumstances will opt-out consent be acceptable under Canadian privacy laws?
What criteria should companies consider to obtain a valid implied consent?
In this article, we will break down the implied consent under Canadian privacy laws.
We will look at what it means from a legal perspective, consider the conditions allowing for valid opt-out consent and look at some concrete findings from the Canadian Privacy Commissioner in evaluating some privacy complaints.
Are you ready?
Let’s get started!
What is implied consent under privacy laws
Implied consent or implicit consent is a type of consent that is granted by a person in light of his or her actions or behaviour in the circumstances.
Unlike express consent, the consumer or individual does not specifically accept or express his or her consent when giving implied consent.
By considering the person’s behaviour, we can infer the person has accepted to provide personal information.
For example, a website may inform visitors that their navigational information is analyzed and give them the option to refuse to enter the website or to continue using it.
By continuing to use the website, the user can be considered to have given implied consent that his or her navigational information will be analyzed.
This implied consent is inferred by the user’s behaviour and actions in the circumstances.
Implied consent under PIPEDA
The Personal Information Protection And Electronic Documents Act or PIPEDA is the main privacy law in Canada.
PIPEDA defines the rules of the game as they relate to how personal information is collected, used and analyzed by companies.
Section 6.1 of PIPEDA stipulates the following:
For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
Consent will be valid when the individual understands the purpose of the collection, use and disclosure, has a reasonable expectation of it and understands the consequences.
Schedule 1 of PIPEDA is titled Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information and lays out 10 fair information principles that should guide organizations in how they handle personal information.
Clause 4.3 of Schedule 1 relates to the third principle of consent and stipulates the following:
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
4.3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.2 The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.3 An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.4 The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
4.3.5 In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
4.3.7 Individuals can give consent in many ways. For example:
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone; or
(d) consent may be given at the time that individuals use a product or service.
4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.
Summary of legal conditions relating to implied consent
Based on Section 6.1 of PIPEDA and the third fair information principle of consent, we can extract the following obligations as they relate to implied consent:
- User consent will be valid only if the user understands the nature, purpose and consequence of the collection, use and disclosure of the personal information
- Organizations that do not have a direct relationship with a person must get the individual’s consent in collecting, using and disclosing their personal information
- Organizations must make a reasonable effort to get user consent
- To decide on the form of consent, the organization must consider the sensitivity of the user’s personal information
- To decide on the form of consent, the organization must consider the reasonable expectation of the individual
- Implied consent will generally be acceptable for less sensitive information
- Users must understand the consequence of the collection, use and disclosure of their personal information
In essence, to determine if implied consent can be validly obtained from an individual to satisfy Canadian privacy laws, organizations must assess:
- The sensitivity of the personal information
- The reasonable expectation of the individual
- The consequence or risk of harm arising from the collection, use and disclosure of the personal information
Let’s look at each of these three components in detail.
Assessing the sensitivity of personal information
Assessing the sensitivity of personal information requires that companies analyze and assess the overall context in which personal information is being communicated.
There is no mathematical formula giving you black and white answers here.
You’ll need to objectively evaluate your data collection, use and disclosure to determine if an implied consent can be obtained in such a way that you remain in compliance with the privacy laws in Canada.
Let’s look at some examples that have been handled by the Privacy Commissioner of Canada to better grasp this concept.
Findings related to “friend-suggestion” emails of Facebook
In a complaint against Facebook under PIPEDA (#2012-002), the Privacy Commissioner of Canada investigated instances where “friend suggestions” were sent by email to individuals who were non-users of the platform and had not consented to giving their email addresses to Facebook.
The Privacy Commissioner found that Facebook had failed to meet the “knowledge and consent” requirement under PIPEDA as it had failed to:
- Obtain consent for the use of non-user email addresses to generate friend suggestions
- Inform non-users of the purpose of the use of their email address
- Allow non-users to opt-out before the use of their email address
In its decision, the Privacy Commissioner’s office indicates that although email addresses may not appear to be sensitive personal information, “the existing or presumed social connections between people derived from the use of the e-mail address (…) could be considered sensitive in certain unique contexts”.
In this case, the Privacy Commissioner found that Facebook could have obtained a valid consent by offering non-users the possibility to opt out, thereby obtaining implied consent.
Findings regarding online health-related advertisements on Google
In another complaint filed against Google (#2014-001) with respect to the targeted and tailored online advertising in the health and medical space, the form of consent of the individual was analyzed in accordance with the requirements of PIPEDA.
The complaint was lodged by an individual who had searched for medical devices online and was subsequently targeted by various Google AdSense advertisements for medical devices.
The Privacy Commissioner found that an individual’s online behaviour and activity related to health-related websites or medical products constituted sensitive information.
As a result, it was inappropriate to rely on implicit or implied consent to use such information for remarketing or retargeting.
In this particular matter, the Privacy Commissioner concluded that to comply with the consent obligations under PIPEDA, Google should have obtained the express consent from the individual.
The reasonable expectation of the individual
Once the sensitivity of the information is analyzed, if the information is considered non-sensitive, then you can move to the second evaluation criterion for an implied consent: the reasonable expectation of the individual.
When a person gives consent for a specific use or purpose, the reasonable expectation of the person is that their personal information will be used for that specific purpose.
For example, if you buy a product online, you may provide the company with your name, address, contact information and other relevant information so the company can send you the product.
It’s reasonable to expect that the company may use your personal information and share it with the postal authorities to ship you the product.
However, it is not reasonable to expect that the company will provide your contact information to an unrelated third-party for any other use.
Just like we did for the sensitive information, let’s look at a few examples of how the Canadian Privacy Commissioner views the reasonable expectation criteria.
Findings against Air Canada regarding Aeroplan memberships
In this matter, several individuals filed a complaint against Air Canada (#2002-42) regarding information sharing under its Aeroplan Frequent Flyer Program based on an opt-out consent form.
Aeroplan used information about individuals, their preferences and interests to provide special promotions and exclusive offers tailored to the individuals’ needs and interests.
In this matter, Air Canada shared personal information without having obtained the users’ consent and without fully providing details as to its information-sharing practices.
The Privacy Commissioner found that Air Canada had violated PIPEDA and made the following recommendations:
- Air Canada should have informed all of its Aeroplan members of the collection, use and disclosure of personal information
- Individuals should have been informed of the purpose and use of their information
- Information sharing requires the express consent of individuals
- Air Canada must implement measures to get express consent in such cases
- Proper confidentiality agreements must be put in place with third parties to protect the personal information
When information is shared with third parties outside of the purpose based on which an individual had initially consented, organizations must get express consent to comply with the law.
Risk of harm and consequence to the individual
The risk of harm is a third evaluation criterion to be considered when deciding if an implied consent can be sufficient to collect, use and disclose personal information.
When evaluating the risk of harm, companies should assess the potential consequence on the individual in the event their personal information is collected and used.
The notion of risk must be evaluated broadly and must consider possible scenarios in which an individual could suffer adverse consequences or prejudice if their personal information is misused.
When evaluating risk, different levels of risk can be identified:
- High risk or probable risk
- Meaningful risk
- Very improbable risk or very remote
If the level of risk is high or probable, organizations must not collect, use and disclose the personal information, as doing so would directly violate Section 6.1 of PIPEDA because it would not be “appropriate in the circumstances”.
If the risk is very improbable or very remote, then organizations can obtain implied consent and implement all reasonable measures and safeguards to protect personal information.
If the risk is higher than very improbable but not high enough to be inappropriate, companies must establish mechanisms and processes to mitigate such risk before collecting and using the information and must disclose the potential consequences and risks to the individual.
Once the residual risk and significant harm are mitigated, rendering the risk very improbable or remote, companies can reassess the type of consent and potentially move to an opt-out consent as opposed to an express (opt-in) consent.
Companies operating in Canada must obtain user consent when collecting, using and disclosing their personal information.
There are two types of consent possible under Canadian law:
- Express consent (opt-in)
- Implied consent (opt-out)
Generally speaking, companies should aim to get express consent from individuals to use their personal information, particularly when the information is sensitive.
It can be acceptable to get implied consent when certain conditions are met and in certain circumstances.
To determine if implied consent can be obtained to represent a valid consent under Section 6.1 of PIPEDA, organizations must:
- Evaluate the sensitivity of the information
- Assess the reasonable expectation of individuals
- Evaluate the consequences and harm to the individuals
If the above conditions are met, companies can successfully implement opt-out consent forms and rely on inferred individual consent to collect, use and disclose personal information.
This evaluation must be done by every organization based on the specific reasons why information is being collected, its intended purpose and overall circumstances.
The same information can be considered sensitive in some situations, requiring an opt-in consent, and less sensitive in other cases, justifying an opt-out consent.
We hope that this article helped you better understand the implied consent under Canadian privacy laws, particularly PIPEDA.
Do you have any particular experience to share with us regarding implied consent?
We would love to hear from you.
Drop us a comment!