What are the different types of consent under PIPEDA?
What factors must be evaluated to decide on the most suitable form of consent?
How can organizations get a valid consent for collecting, using and disclosing personal information under the Canadian privacy law?
In this article, we will discuss the types of consent under PIPEDA in detail.
We will look at express consent, implied consent, opt-out consent and how to evaluate the appropriateness of consent.
Are you ready?
Let’s get started…
Different types of consent under Canadian privacy law
To collect, use and disclose personal information, companies operating in Canada and subject to PIPEDA must obtain meaningful or valid consent from the individuals.
What are the different types of consent individuals can provide?
There are two main types of consent:
As a rule of thumb, individual consent must be express.
In other words, the user must take a positive action to accept or reject giving consent by ticking a box, by choosing an option, by clicking a button and so on.
Without the positive step taken by the consumer, the intended service or feature will not be made available to them.
Implied consent is consent inferred by the user’s actions.
Deemed consent can be obtained in two ways:
- An individual gives personal information and the collection and use of it is obvious in a way that benefits the individual
- The person is given the option to opt-out and they don’t
For example, if the user is informed that by continuing to navigate the website they are deemed to have accepted the terms and conditions, that’s implied consent.
The user is given an option to decline but can continue using the services or registering.
If the consumer does not specifically decline giving consent but continues to use the services or features, the consumer’s behaviour considered as an implied consent to use the services and provide their information.
Valid consent defined under PIPEDA
PIPEDA defines what is a valid consent under article 6.1 as follows:
“the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
This means that it’s safe for organizations to require express consent from individuals to the collection, use or disclosure of their personal information.
Let’s look at the different types of consent and then we’ll look at how to determine the most appropriate form of consent to get from an individual.
Express consent or explicit consent means that you were presented with clear options to accept or reject giving your consent for the collection, use and disclosure of your personal information.
Under PIPEDA, collecting and using personal information generally requires express consent particularly when the information being collected is sensitive.
Although in some cases, express consent can be verbal, organizations should take the necessary measures to ensure that the express consent is in writing or documented.
An online business or a website can easily obtain the express consent to collect, use and disclose someone’s personal information by providing consumers or online visitors with a clear “I agree” or “I don’t agree” option.
Once a user accepts or rejects, the choice can be recorded and documented as evidence of the acceptance of rejection.
Implied consent or implicit consent is a consent inferred by the consumer’s actions and their circumstances.
When a consumer voluntarily gives personal information to an organization or on a website for obvious purposes, the user consent can be implied.
Another scenario is when a consumer gives personal information in a way that benefits the consumer, that too can lead to implied consent.
For example, if you are purchasing something online and are asked to give your email address, by entering your email address, you are giving your consent to the organization to use your email.
Opt-out consent as a form of implied consent
Opt-out consent is another form of implied consent.
In the context of opt-out consent, the consumer is presented with a choice to reject or decline to give consent.
If the user does not specifically reject or decline to give consent, the user consent can be inferred.
Companies and businesses prefer using opt-out consent as much as possible to collect and use personal information for purposes other than the direct purpose for what it is being collected.
For a consumer to opt out, they must specifically take action to opt out whereas the consent is deemed by the user’s inaction.
Often, consumers do not have the time to read everything and take specific action to opt-out, the result is that businesses end up getting the implied consent more often than not.
How to decide on the appropriate form of consent
Individuals can give express or implied consent to the collection, use and discloser of their personal information.
How do you determine if the purpose for which you need to collect personal information requires express consent, implied consent or opt-out?
Express consent is the general rule
As a general rule, consent must be express.
Depending on the sensitivity of the information and the reasonable expectation of individuals, organizations must evaluate if they can obtain implied consent to represent a valid consent.
So getting implied consent can be done in specific and defined circumstances.
Implied consent in certain situations
In the matter of the Royal Bank of Canada vs. Trang, 2016 SCC 50, the Supreme Court of Canada ruled that:
- the context is essential in determining if personal information is considered sensitive
- Reasonable expectation or reasonableness under privacy laws should not be an impenetrable legal shield even if the personal information is considered sensitive
The Supreme Court of Canada provides the framework for assessing when it is reasonable to imply consent into a relationship.
The Supreme Court ruled that a balanced and contextual approach must be taken to evaluate the reasonableness of the implied consent.
Furthermore, privacy laws must not be used as a trump card to avoid other legal obligations.
In this specific case, the Supreme Court ruled that getting implied consent for the sharing of Trang’s financial information was reasonable in the circumstances in the context that Trang had defaulted on its obligation with the bank.
Evaluating the personal information to decide on the form of consent
We know that we must generally aim to get express consent from an individual to be well protected.
Depending on the sensitivity and reasonable expectation of the consumer, we can also obtain an implied consent.
Let’s look at how organizations should evaluate the sensitivity, the individual’s reasonable expectation and risk.
The sensitivity of the personal information
The more the information is sensitive, the more organizations should consider getting express consent from users.
It may not be easy to determine what is sensitive or what’s not.
To make things more ambiguous, sensitive information can be collected and used based on implied consent as we’ve seen in the Royal Bank of Canada vs. Trang case.
The Royal Bank of Canada vs. Trang case requires that the “degree of sensitivity” of personal information be evaluated contextually to determine if an implied consent can be reasonable as opposed to express consent.
Non-sensitive information can acquire a sensitive status when combined with other information.
The moral of the story is that organizations must exercise diligence and care in evaluating what is being collected and what is the purpose behind it.
Companies should categorize the information as sensitive or non-sensitive based on a contextual approach.
If the information is considered sensitive, then this exercise will direct companies to get express consent.
If the information is considered non-sensitive, then organizations may consider implied consent.
Evaluating the individual’s reasonable expectation
The next step is to evaluate what’s the reasonable expectation of the individual in the purpose or use of personal information.
This evaluation will require that organizations evaluate the individual’s circumstances to determine if an individual may have a reasonable expectation on the collection, use and disclosure of their personal information.
For example, if an individual provides his or her email address to get information about a product or a service, that person does not expect that the organization tracks their geographic location, gets access to their contact list and so on.
If the company needs access to the geographic location or contact list, that consent must be expressly obtained.
Companies may also need to share an individual’s personal information with third-parties.
That can be reasonably expected in some cases and not in other cases.
If a company shares information with its subcontractors or third-party suppliers to render services to you, that’s reasonably expected.
However, if a company shares personal information with unrelated third parties so they use the personal information in their benefit, that’s will not be reasonably expected and express consent will be required.
Evaluating the risk of harm
The risk of harm is another essential factor to consider when looking to decide on the form of consent from an individual.
If there is an important risk of harm, personal information should not even be collected or used in the first place.
If the risk of harm is low but more than a mere remote probability, users should be informed of such risk and express consent must be obtained.
In other words, if there is a meaningful risk that a residual risk materializes, individuals should be notified of the potential consequences.
When evaluating the sensitivity and reasonable expectation of an individual, the underlying contextual analysis of the risk is important.
Consent must be appropriate in the circumstances
No matter the type of consent given by an individual, the collection, use and disclosure of personal information must be appropriate in the circumstances.
If that purpose for which personal information is being collected is not appropriate, then the form of consent is no longer relevant as the organization should not even collect the personal data.
Under PIPEDA, organizations must not collect and use personal information if it’s not appropriate in the circumstances.
If the collection, use and disclosure of information meet the appropriateness of purpose, then organizations should evaluate whether they need to get an express consent or an implied consent from the user.
In that case, the evaluation process should consider:
- The sensitivity of the personal information
- The individual’s reasonable expectation
- Risk of harm and damage to the individual
Based on that, a decision should be made about the type and form of consent.
The Personal Information Protection and Electronic Documents Act (PIPEDA) represents a comprehensive Canadian privacy law governing how organizations collect, use and disclose personal information.
PIPEDA requires that organizations get a valid consent for collecting, using and disclosing their personal information.
To get a valid consent, companies can get two types of consent:
- Express consent
- Implied consent
Express consent is when an individual gives consent or declines giving consent for the collection, use and disclosure of their personal information.
Implied consent is given when an individual voluntarily shares information and directly benefits from the sharing of such information.
Implied consent can also be obtained through an opt-out form of consent.
The opt-out consent is when an individual is given a clear choice to decline giving consent or continue using the services or accessing a feature.
When the user continues using the services, their behaviour and actions allow organizations to infer acceptance.
As a general rule, organizations should aim to get express consent when the information:
- Involves sensitive information
- The company may use the information outside of the intended purpose
- When there is a meaningful risk of significant harm to the individual
In other circumstances, implied consent can be acceptable.
To decide if implied consent is acceptable, organizations must carefully analyze the following factors:
- Sensitivity of the personal information
- Reasonable expectation of the individual in how their personal information will be used
- Potential risk or harm
Every company’s situation is different.
As a result, looking at the different types of consent and evaluating the most appropriate form of consent is something each organization must evaluate based on their unique circumstances.
We hope this article helped you get information on the types of consent under PIPEDA.
We would love to hear from you if you have any comments on the type of consent.
Drop us a comment!