Privacy compliance is top of mind, not the least of all because of GDRP and Canada’s new mandatory breach notification rules. While you are updating your practices and procedures, do not forget that the Guidelines for obtaining meaningful consent (the “Guidelines”) will apply starting on January 1, 2019. If you are not obtaining meaningful consent, you may lose the ability to handle personal information that you need to operate your business. To help, here are five tips to help you obtain meaningful consent for handling personal information.

1. A Privacy Policy May Not be Enough

Giving individuals a clear explanation of how you handle their personal information in a published privacy policy a necessity. But ‘opt-out’ consent will not always do. You need express consent for handling:

• Sensitive information, like health information, financial information, or large volumes of information;
• Information that creates “a meaningful residual risk of significant harm,” like potentially embarrassing information that is at high risk of unauthorized access; and
• Outside of the reasonable expectations of the individual, like when you monitor an individual where they would typically expect privacy.

Also, recognize that “individual consent is a dynamic process that does not end with the posting of a privacy policy or notice.”

TIP: Involve your privacy officer each time you change your practices, particularly to help you understand when you may need fresh consent.

2. Plain Language Your Privacy Policy

The Guidelines criticize the “use of lengthy, legalistic privacy policies” as leading to consent that is “nothing more than illusory.” Consider it from your user’s point of view. If they cannot appreciate how you handle their personal information by reading your privacy policy, it is time for a rewrite.

TIP: Consider an ‘executive summary’ style version that allows the reader to take away high points and read the full policy if they wish.

The Guidelines strongly encourage seeking feedback.

TIP: Consult users and seek their input with focus groups and consult experts.

3. Communicate the Risk

The Guidelines say you should let individuals know the “risk of harm and other consequences,” and “in particular, those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms.” That means you should:

• Consider what personal information you are collecting;
• Consider how your risk mitigation processes work and if they leave any “residual risks”; and
• If there is any “meaningful risk that such residual risk will materialize and will be significant,” notify the affected individuals (such as through your privacy policy).

TIP: Each time an individual provides you with personal information, remind them of how you will handle it and any associated risk.

4. Keep Track

Keep track of how you meet the Guidelines. An organization can demonstrate compliance by showing how their consent processes appropriately emphasize and meet the Guidelines’ expectations. The expectations will be higher for large organizations and organizations of any size that handle high volumes of personal information or sensitive personal information.

TIP: The regulator might call, so be ready to show your work. Your internal processes and policies should show how you obtain meaningful consent from individuals and what you did to comply with the Guidelines.

5. Think of the Children

Persons under age 13 cannot provide meaningful consent (save for in exceptional circumstances). You need a parent or guardian to consent on their behalf. If you are collecting personal information from persons under age 18, tailor your communications so they can understand what they are consenting to, including any risks involved.

Visit our Cybersecurity, Privacy & Data Management page and contact us with any questions or for assistance.