Cybersecurity, Privacy and Data Protection III
In this series of blog posts, we share the section on validity of consent from the chapter “Cybersecurity, Privacy and Data Protection” of our publication, Cross Border Retailers Guide To Doing Business in Canada 2021.
Validity of Consent
Before an organization can collect, use or disclose an individual’s personal information, the organization needs the individual’s consent or a statutory exception to the consent requirement. Consent can be express or implied. Express consent involves a positive affirmation or acceptance and may be required for sensitive personal information (such as medical or financial information or large volumes of non-sensitive information). Implied consent may be sufficient for non-sensitive personal information (such as a mailing address). Consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. Further, the OPC and Privacy Commissioners of British Columbia and Alberta have issued joint Guidelines for obtaining meaningful consent (as explained in the next section). Exceptions to the consent requirement include disclosures of personal information in the context of certain business transactions and disclosures compelled by law.
Guidelines for Obtaining Meaningful Consent
In determining what constitutes meaningful consent, brands can consult the “Guidelines for obtaining meaningful consent” (the Guidelines) [2] jointly issued by the OPC and the Privacy Commissioners of British Columbia and Alberta.
The Guidelines contain seven guiding principles for privacy notices and policies: (i) emphasize key elements about the company’s collection, use and disclosure of individuals’ personal information to help individuals understand the nature, purpose and consequences of what they are consenting to; (ii) allow individuals to control the level of detail they want to receive in order to make a consent decision, and the timing of receiving that information; (iii) provide individuals with clear options to say ‘yes’ or ‘no’ to the collection, use or disclosure of their personal information; (iv) be innovative and creative with the manner in which privacy practices are communicated; (v) consider the consumer’s perspective; (vi) make consent a dynamic and ongoing process; and (vii) be accountable, standing ready to demonstrate compliance.
The seven guiding principles emphasize accessibility and comprehensibility of consent processes, while providing businesses with flexibility on design and form. The Guidelines also give additional guidance with respect to consent and children and a checklist of “must-do” legal requirements and “should-do” best practices.
The practical implications of the Guidelines include notifying individuals of a particular risk associated with the processing of their personal information and weaving privacy notices throughout the user experience.
[2] Office of the Privacy Commissioner of Canada, “Guidelines for obtaining meaningful consent” (May 2018), online: <https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/>.