What is a valid consent under the Personal Information Protection and Electronic Documents Act?
How do you get a meaningful consent?
What are the best practices to implement to ensure individuals give a valid consent?
In this article, we will break down the notion of valid and meaningful consent under PIPEDA and go over the meaningful consent guiding principles recommended by the Canadian Privacy Commissioner.
Let’s dive right in!
What is a valid consent
PIPEDA is a Canadian privacy law designed to protect the personal information of individuals that is collected, used or disclosed by private-sector organizations.
Under this privacy law, companies must obtain consent from online users to collect, use and disclose their personal data in the context of their commercial activity.
This begs the question: what is a valid consent?
PIPEDA requires that individuals adequately understand the purpose and consequence of what they are consenting to when asked to share their personal information.
When companies provide sufficient information for the individual to understand what they are consenting to, that consent is a valid consent, also called meaningful consent.
The Canadian Privacy Commissioner has published some guiding principles in obtaining meaningful consent from online users.
Meaningful consent is when an individual gives consent based on full, transparent and complete disclosure of the type of information collected, how it is used and for what purpose.
A meaningful consent is given freely and without any negative consequence or adverse effect on the individual in question.
Let’s look at the seven guiding principles for getting meaningful consent under PIPEDA.
Principle 1: Emphasize essential aspects
The first principle is that organizations must provide information about the collection, use and disclosure of personal information to online users in a complete way.
On the other hand, a user does not need to receive every single detail about how a company collects and uses information, as this can lead to information overload.
To find the right balance between giving enough information and too much information, the Privacy Commissioner of Canada states that “certain elements warrant greater emphasis or attention to obtain meaningful consent”.
As a result, companies should emphasize the important aspects of how they collect information and for what purpose.
What personal information is collected
Be clear with the online user as to what personal information you are going to collect.
Be specific about it.
In other words, tell the individual precisely what information you will be collecting about them so they can give consent based on a good understanding of how their information may be used by your organization.
Who will have access to the personal information
Tell the consumer if you are going to share the information with anyone else.
Most of us do not expect to see our information shared with others without our authorization.
As a result, if you are going to share the personal information with other parties, suppliers or vendors, be clear about it.
Specify what information will be shared with any third party so the consumer can understand the extent of your sharing practices.
If you are sharing information with third parties to help you render the services originally required by your customer, make reference to that.
If you are sharing information with third parties that will use it for their own purposes rather than in connection with the services you are rendering, you’ll need to make sure the consent you obtain is clear.
What is the purpose of collecting personal information
Tell your online users or customers for what purpose their personal information is being collected.
Explain the purpose of your data collection, use and disclosure in sufficient detail so the consumer can understand what they are consenting to.
Be clear about your purpose.
Don’t use legal jargon or technical language that makes it difficult for an average person to understand.
Provide sufficient information about your main purpose for using personal data and any other ancillary use of personal data.
If your organization will use personal data in such a way that a consumer may not reasonably expect, make sure you provide sufficient information about that to ensure the consent is valid.
What is the risk or consequence of collecting personal information
For a consent to be valid under PIPEDA, consumers must understand the potential consequence of the data collection and use.
In other words, a consumer should be informed as to the potential risk or harm they may be exposed to by sharing personal information.
A risk must be disclosed to the consumer when it is a meaningful risk.
A meaningful risk is one that falls below the balance of probabilities but is more than a minimal or remote possibility.
Significant harm could be any of the following:
- Bodily harm
- Damage to reputation
- Damage to relationship
- Loss of employment
- Loss of business
- Loss of opportunities
- Financial loss
- Identity theft
- Negative impact on the credit record
- Damage to property
- Loss of property
When there is a possibility of significant harm to an individual, PIPEDA prohibits the collection and use of personal data because it would no longer be considered “appropriate in the circumstances”.
When the possibility of significant harm is residual but more than a remote possibility, consumers must be informed.
When companies evaluate risk and identify possible risk and potential harm to a consumer, they must take steps to mitigate the risk.
If the risk is mitigated but still present and more than a remote possibility, organizations must disclose that to the consumer.
Principle 2: Allow users to control how much detail they get
This second guiding principle is to allow users to decide how much detail they want to get when giving consent.
Companies should present information to users in bite-sized pieces that are easily accessible.
In some cases, companies should even consider offering users additional information depending on how much a consumer may want to drill into the details.
Organizations should make it easy for their clients and users to inform themselves about the company’s privacy practices.
The following scenarios should be considered and facilitated by companies:
- A user preferring to do a quick review of the information disclosed
- A user wanting to read the company’s privacy practices in full
- A user wanting to consume the information in pieces over a period of time
- A user wanting to give consent up-front but come back to read the details at a later point
- A user wanting to read only the details about the services they are getting
No matter how a consumer may want to digest the information communicated by the organization, companies should make it easy for the users to determine how they will consume the information and how much detail they are looking to get.
Consumers should be able to get the information necessary to give their consent up-front and have access to the information at any point in time in the future after having given consent.
Principle 3: Provide clear options to users
The next principle is to provide clear options to users.
To get a user to decide and give consent, they must be presented with options.
Those options must be clear and unambiguous.
The best options are generally a clear “yes” or “no” answer leaving little room for interpretation as to the consumer’s decision.
Depending on the form of consent you are required to get from a client, such as an opt-in or opt-out form of consent, you’ll need to ensure you make the options very clear for users.
Principle 4: Be creative
The Privacy Commissioner of Canada recommends that companies use technology and their innovative spirit in managing user consent.
The online and digital space is an environment where companies can take advantage of interactive tools and interfaces to help streamline the consent process.
Let’s look at a few possibilities.
Just-in-time notices are a type of intuitive and conspicuous notice presented to the user as they are about to share information.
For example, if a company requires information about the user’s location before the data is collected, the user should be quickly presented with a notice to explain to them why this information is going to be collected.
The just-in-time notice is given to the user immediately before using a particular feature or service provided by a company.
Interactive tools can be any type of digital tool to help companies convey a message to a consumer.
Companies can present their privacy policies and information in such a way that makes it easy and interactive for online users.
Collecting consent on mobile applications may be challenging due to the limited screen size.
Companies should make an effort to make it as easy as possible to obtain user consent on mobile devices.
Getting consent on mobile devices will need to fit in with the overall user experience so that users can make proper decisions without the consent process turning them off.
Principle 5: Consider your users’ perspective
When asking for consent from a user, companies must be mindful of the user’s perspective.
In other words, the user must be given information in a clear, simple and easy-to-understand manner.
For consent to be valid, it must be meaningful and the consumer should understand what it is they are consenting to.
To ensure that an individual’s consent is meaningful, companies are encouraged to look at the user’s perspective from the point of view of clarity of language and accessibility.
When we refer to the clarity of language, we are referring to:
- Content is easy to understand
- Avoiding legal jargon
- Using a level of language suitable for your audience
When we refer to accessibility, we are referring to:
- Properly displaying the information to users regardless of the device used to access it
- Making the company’s privacy policies and consent management platform easy to access
- Making the policies and privacy information easy for users to navigate
The Privacy Commissioner recommends that organizations take reasonable steps to ensure that individuals give a valid consent by:
- Surveying their users
- Doing pilot tests
- Leveraging user interface and user experience professionals
- Consulting with privacy experts
- Following best practices and guidelines
Principle 6: Make consent an ongoing process
Companies should handle consent in an ongoing manner.
As such, when companies intend to use personal information they have collected for purposes other than those for which it was initially collected, they should engage with their users to get new consent.
Managing consent in an ongoing way is particularly important for companies handling complex information flows and access to a lot of data.
Companies should continually evaluate their data collection, use and disclosure activities to ensure that the consent obtained from their users continues to reflect reality.
Implementing policies and procedures to ensure individual consents are valid and specific can help companies defend against privacy complaints or allegations of violation of the law.
Principle 7: Be accountable to your users
To be accountable means that organizations can explain to consumers when, how and why they collected personal information and used it.
They should be able to demonstrate their company policies and practices for managing proper user consent and show that they’ve studied and evaluated the data flows within their organization.
Also, companies should be able to justify how they’ve obtained a valid consent, either expressly or implicitly.
If the consent was obtained implicitly based on an opt-out model, organizations should be able to justify their analysis as to why they considered an opt-out consent was sufficient.
The privacy reality of every company is different and will be considered on a case-by-case basis.
The measures taken by a large organization collecting sensitive information will not be the same as a small company collecting non-sensitive information.
Consent is one of the primary objectives of the Personal Information Protection and Electronic Documents Act.
For consent to be valid, an individual must give a meaningful consent.
The Canadian Privacy Commissioner has issued a guideline for obtaining meaningful consent.
The Privacy Commissioner recommends that organizations follow the following guiding principles:
- “Emphasize key elements
- Allow individuals to control the level of detail they get and when
- Provide individuals with clear options to say ‘yes’ or ‘no’
- Be innovative and creative
- Consider the consumer’s perspective
- Make consent a dynamic and ongoing process
- Be accountable: stand ready to demonstrate compliance”
Companies adopting these principles in their business operations will have a much better chance of ensuring they get valid and meaningful consent from their clients and prospects.
We hope this article helped you get a better grasp of the notion of consent under PIPEDA.
Have you adopted these principles in your company?
Do you have any feedback to share with us?
We would love to hear from you, drop us a comment!