Consent Standards under the Proposed Consumer Privacy Protection Act
As part of our blog series on the proposed changes to Canada’s private sector privacy laws, this post examines the proposed consent rules under the new regime for processing personal information.
As noted previously, Canada’s private sector privacy laws will change with the introduction of Bill C-11. Named the Digital Charter Implementation Act, 2020, Bill C-11 seeks to modernize Canadian privacy legislation through the introduction of two acts: the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act, which would create a new enforcement tribunal.
The Role of Consent in Modern Privacy Law
The role of consent in privacy law reform has been a subject of passionate debate for years, with a 2016 federal consent consultation receiving numerous detailed submissions.
On the one hand, consent has been described by the Office of the Privacy Commissioner of Canada (the “OPC”) as “the cornerstone of the Personal Information Protection and Electronic Documents Act (PIPEDA)”. On the other hand, the OPC accepted that many have “questioned the continued viability of the consent model in an ecosystem of vast, complex information flows and ubiquitous computing” and acknowledged that “it may be that consent is simply not practicable in certain circumstances.” In the federal policy paper Strengthening Privacy for the Digital Age, ISED observed:
Complex data flows involving numerous parties strain an individual's ability to fully comprehend what they are consenting to. Although many organizations have privacy policies in place, these are notoriously long and complex to understand, and most individuals neither have time nor sufficient legal training to understand them. […]
Requiring too much detailed information in the consent process can overwhelm individuals or become yet another screen on a device to click-through in the rush to get to the product or service. […]
Equally, we must focus consent on situations where there is an opportunity for individuals to make a meaningful and informed decision. To do so it will be necessary to identify purposes for which consent may not be necessary or even appropriate.
CPPA attempts to balance these concerns through targeted enhancements to the mechanisms of control over one’s own information, greater transparency, and the implementation of exceptions where seeking consent is not practicable or reasonable.
CPPA at times enlarges or clarifies the consent provisions that exist under PIPEDA, but CPPA also creates a modernized list of exceptions to the consent principle. In doing so, CPPA draws inspiration from the PIPEDA Model Code principles, the European Union’s General Data Protection Regulation (“GDPR”) and other recent privacy reform efforts worldwide. CPPA also draws inspiration from regulatory guidelines that have become touchstones in Canadian privacy law, in particular, the Guidelines for Obtaining Meaningful Consent jointly issued by the OPC and its Alberta and British Columbia counterparts.
Collection, Use and Disclosure of Personal Information - Is it Appropriate and Necessary?
As a further elaboration on the requirements of ss. 3 and 5(3) of PIPEDA, ss. 12 and 13 of CPPA are an important backdrop to a discussion of consent for the processing of personal information, with built-in limitations on the scope of what is generally permitted. An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and the organization must determine and record those purposes at or before the time of collection. Further, an organization may collect only the personal information that is necessary for those determined and recorded appropriate purposes.
In determining whether the purposes are appropriate, s. 12(2) of CPPA imposes five mandatory considerations:
- (a) the sensitivity of the personal information;
- (b) whether the purposes represent legitimate business needs of the organization;
- (c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
- (d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
- (e) whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
In effect, s. 12 of CPPA provides an answer to critics of the new exceptions to the consent principle: even if an organization avails itself of one or more exceptions, it must take into account these balancing factors, with factors (c), (d), and (e) placing a curb on unprincipled or untrammeled collections, uses or disclosures of personal information.
Consent Standards under CPPA
Unless CPPA provides otherwise, an organization will need to obtain an individual’s valid consent for the collection, use or disclosure of the individual’s personal information, at or before the time of its collection, or if the purpose of the collection, use or disclosure changes, before any use or disclosure for the new purpose. This is consistent with PIPEDA.
But s. 15(3) of CPPA also provides more granularity than PIPEDA in saying that consent will only be valid if the organization provides the individual with the following, in plain language:
- the purposes for, methods of and any reasonably foreseeable consequences of the collection, use or disclosure of the personal information (s. 15(3)(a)-(c));
- the specific type of personal information that is to be collected, used or disclosed (s. 15(3)(d)); and
- the names or types of any third parties to which the organization may disclose the personal information (s. 15(3)(e)).
In particular, many privacy policies may need revisions in order to properly capture the requirements to reveal the “specific types of personal information” or “types of third parties” to whom personal information is disclosed.
Consent must be expressly obtained unless the organization establishes that it is appropriate to rely on an individual’s implied consent, taking into account (1) the reasonable expectations of the individual, and (2) the sensitivity of the personal information that is to be collected, used or disclosed. This is largely consistent with the guidance under Principles 4.3.2, 4.3.4, 4.3.5 and 4.3.6 of the Model Code to PIPEDA.
In addition, ss. 15(5) and 16 of CPPA provide that:
- an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of their personal information beyond what is necessary to provide the product or service (a continuation of Principle 4.3.3 of the Model Code to PIPEDA); and
- any consent obtained by an organization by providing false or misleading information or using deceptive or misleading practices will be invalid.
New Class of “Business Activities” that May Not Require Individual Consent
As noted in our introduction, it has been broadly recognized that, while consent may once have been a “cornerstone” of privacy law, it is no longer appropriate in all cases. Even the GDPR, considered by many to be the strongest data protection law in the world, creates an omnibus “legitimate interests” category in Article 6(1)(f). As the UK Information Commissioner’s Office comments:
Legitimate interests is different to the other lawful bases as it is not centred around a particular purpose (eg performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task), and it is not processing that the individual has specifically agreed to (consent). Legitimate interests is more flexible and could in principle apply to any type of processing for any reasonable purpose.
Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual taking into account the particular circumstances. This is different to the other lawful bases, which presume that your interests and those of the individual are balanced.
Under the CPPA, the new “business activity” category does similar work.
Under s. 18 of CPPA, an organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a “business activity”, which includes activities:
- necessary to provide or deliver products or services the individual requested from the organization;
- that are part of due diligence to prevent or reduce the organization’s commercial risk;
- necessary for the organization’s information, system or network security, or for the safety of a product or service the organization provides or delivers; or
- where it is impractical to obtain the individual’s consent due to the lack of a direct relationship.
Other types of business activities may also be prescribed by regulations.
In addition to the activity falling into one of the above listed categories, the collection or use must be (1) such that a reasonable person would expect it for that activity, and (2) not for the purpose of influencing the individual’s behavior or decisions. The s. 12 “appropriate purposes” requirement provides further safeguards to ensure that the s. 18 use is minimally intrusive, aimed at a “legitimate business need”, and proportionate.
Other Exceptions to Consent Requirement
CPPA contains several other exceptions to the general requirements for consent, some of which are similar to those under PIPEDA, and some of which are new.
Exceptions that reflect PIPEDA include:
- the use and disclosure of personal information produced by an individual in the course of their employment, business or profession;
- for prospective or completed business transactions (except if the primary purpose or result is the purchase, sale or lease of personal information), as long as the information is first de-identified, which is a new and controversial requirement under CPPA given the burdens it risks imposing;
- collection for the purpose of making a disclosure that is required by law or solely for journalistic, artistic, or literary purposes;
- disclosure for statistical purposes or for scholarly study or research purposes.
CPPA also confirms and codifies a widely-agreed interpretation of PIPEDA that an organization may transfer an individual’s personal information to a service provider without their knowledge or consent.
Other noteworthy new exceptions to the general requirement to obtain consent under CPPA include:
- the use of an individual’s personal information to de-identify the information;
- the use of an individual’s personal information for the organization’s internal research and development purposes, provided the information is first de-identified; and
- the disclosure of an individual’s personal information to a government, health care or post-secondary institution or public library in Canada for a “socially beneficial purpose” related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose, provided the information is first de-identified.
Withdrawal of Consent
Subject to CPPA, federal or provincial law or to the reasonable terms of a contract, s. 17 of CPPA allows an individual to withdraw consent upon reasonable notice to an organization. On receipt of such notice, the organization must inform the individual of the consequences of withdrawing consent and, as soon as feasible after that, cease collecting, using, or disclosing the individual’s personal information in respect of which the consent was withdrawn.
This is largely consistent with Principle 4.3.8 of the Model Code, but with the benefit of clarifying the circumstances in which a contract may trump a withdrawal of consent. (As an example, it reinforces the long-understood conception that a person paying for a good or service in installments cannot unilaterally withdraw consent from the organization in order to frustrate the contract.)
What This Means for Organizations
CPPA has not yet been passed into law and may still undergo revisions. At the time of publication, regulations under CPPA have also not been released. While we may not yet have the final text for the proposed law, and there will likely be a transitional period for compliance, organizations may wish to begin identifying any gaps between their current practices and CPPA requirements, and planning for the implementation of changes required for compliance with CPPA. Steps that could be taken now to prepare for compliance with the proposed new consent standards include:
- reviewing the organization’s processes for obtaining individuals’ consent for the collection, use and disclosure of personal information;
- reviewing the organization’s privacy management program that includes policies, practices and procedures to comply with the law, including in relation to the protection of personal information, handling requests and complaints and internal training, with reference to the volume and sensitivity of personal information under the organization’s control; and
- considering the scope of personal information collected, used and disclosed, and whether it is necessary for the organization’s appropriate purposes.
If you have any questions, please contact a member of McCarthy Tétrault’s Cyber/Data Group.