“Meaningful Consent” under Canadian Privacy Law
Businesses commonly collect information in the course of their operations – customer accounts, billing information, website use statistics, email lists, and more. Privacy law questions may come up for start-ups and small businesses navigating information collection and use, particularly when selling goods or services online via websites or mobile apps. How can businesses ensure that they obtain meaningful consent as part of their personal information practices and avoid being subject to privacy-related complaints or reputational damage?

Canada’s privacy law regime governing private sector companies is set out in the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and in substantially similar laws in Alberta, British Columbia, and Quebec.[1] One of our previous blog posts provided an overview of PIPEDA and Canada’s key privacy law principles.[2] This post focuses on the third privacy principle: consent.[3] Here, we discuss the consent principle for businesses subject to privacy laws and some practices for obtaining consent for any use, collection, and disclosure of personal information.

As a quick refresher, “personal information” means any “information about an identifiable individual”, and includes information that could identify an individual on its own or when combined with other information.[4] For example, someone’s age, employment history, financial information, location information, contact lists, or even hotel check-in and check-out times can be personal information.[5] So where does consent come in?
The general rule is that an individual has to both know about and consent to any collection, use, or disclosure of their personal information.[6] To make sure someone knows about a proposed use or disclosure of their information, a business must “make a reasonable effort” to tell the person the appropriate purpose for which the business will be using or disclosing the information, generally at the time of collection.[7] PIPEDA requires “meaningful consent”, so the person has to reasonably understand the description of the purpose.[8] This requires a certain level of detail – something like “service improvement” may be insufficient for a person to reasonably understand the purpose.[9]

Additionally, a business cannot require consent as a condition of providing a product or service if it is asking for information that is not actually necessary for its specified purpose.[10] This may be an area for businesses to assess privacy compliance – in a 2019 survey of just over 1000 companies in Canada, 65% of businesses said that they have a privacy policy, but only 45% said that they clearly tell customers if the collection, use, or disclosure of personal information is a condition of obtaining the services offered.[11] A business can still ask for more information than it needs to carry out the purpose, but it has to give the individual a choice of whether or not to provide it.[12] Ideally, a consenting customer will be notified of what the Office of the Privacy Commissioner of Canada (OPC) calls the “key elements” impacting their privacy decisions – what information is collected, who it will be shared with, the purposes of collection, use, and disclosure, and any risks of significant harm that the business cannot reduce under its privacy and information-handling practices.[13] This can all be done in easily understandable language that is accessible to a range of potential users.[14]

Tricky situations can come up where an organization obtains consent for a specific purpose, but then uses or discloses information for a different purpose. For example, businesses cannot use products containing personal information to promote their business (a commercial purpose) without informed consent – such as a videographer using a customer’s wedding video in subsequent promotional material.[15] The OPC suggests that organizations obtain consent for any “significant changes” to privacy practices, including using data for new purposes or generally when disclosing it to a third party.[16] Businesses also have to be careful not to accidentally disclose information without consent – for example, leaving phone messages with personal information on machines that are accessible by other people.[17]

The way a business asks for consent and the acceptable form of consent can vary with the circumstances.[18] Some personal information is sensitive, making it necessary to obtain express consent – for example, financial or medical information, although seemingly non-sensitive information could also be sensitive depending on context.[19] Express consent would also generally be needed if the proposed collection, use, or disclosure is not what a person would reasonably expect from a business (for example, location tracking could be outside of reasonable expectations), or if it creates a risk of significant harm to the person.[20] Businesses must also consider whether they are collecting any personal information from minors and adjust their practices if necessary.
The ability of children to provide meaningful consent varies according to their development and may depend on which privacy law applies – for example, the OPC (federal) considers children under 13 unable to provide meaningful consent, while in Alberta it depends on the child’s understanding of the nature and consequences of the action.[21] Even if a child can meaningfully consent, the consent process must reasonably account for their maturity level.[22] If a child cannot consent, parental or guardian consent is needed to collect personal information.[23]

When a business seeks consent or provides privacy information, we commonly think of a privacy policy. However, businesses can also use different tools to facilitate meaningful interactions. This is particularly important for apps where information is being viewed on a small screen and a user may not pay attention to a privacy policy when it initially pops up.[24] One tool is to set up a “layered format” to present information.[25] This is where a business makes privacy information available in different levels of detail – it might show a summary of key information up-front and provide links to further information.[26] Digital platforms may also put together a privacy “dashboard” allowing users to easily view and change their privacy settings.[27] Attention-grabbing tools can also draw attention when consent becomes relevant, rather than only requesting consent when a user first signs up for a service.[28] A “just-in-time” notice is a small notice that might pop up when a user is about to input personal information (for example, their age) or when they access a feature that will collect personal information (for example, their location).[29] Graphics, colours, or alert sounds can draw attention when information is about to be collected or when someone can choose whether to provide consent.[30]

People can withdraw their consent at any time (subject to any legal restrictions or restrictions in a contract, and on reasonable notice to the business).[31] A business has to tell people about the consequences of withdrawing consent (for example, if it would no longer be able to provide certain services).[32] Personal information can sometimes be collected, used, or disclosed without a person’s knowledge or consent – for example, an organization can disclose personal information to comply with subpoenas, court orders, or requests by lawful government authorities.[33] However, this will only be the case for the limited and specific circumstances set out in the privacy statutes.

Privacy law compliance is important, and it’s a good idea to brush up on the requirements in the early stages of a business while designing information-handling practices and setting up privacy communications with customers. It may seem like a lot to learn at first, but it doesn’t need to be hard – in the survey discussed above, 92% of companies that have taken steps to comply with privacy laws said it was not difficult to bring their privacy practices into compliance.[34] If you want more information about consent or other areas of privacy law, please contact the BLG Business Venture Clinic!

____________________

[1] SC 2000, c 5, Part 1 [PIPEDA]; Personal Information Protection Act, SA 2003, c P-6.5 [PIPA]; Personal Information Protection Act, SBC 2003, c 63; Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1.
[2] “Data Processing Regulations in Canada – a Primer on PIPEDA” (1 January 2020), online: BLG Business Venture Clinic <http://www.businessventureclinic.ca/blog>.
[3] PIPEDA, s 2(1), Schedule 1, s 4.3; PIPA, ss 1(1), 7(1).
[4] PIPEDA, s 2(1); PIPA, s 1(1); “Summary of privacy laws in Canada” (last modified 31 January 2018), online: Office of the Privacy Commissioner of Canada (OPC) <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/>.
[5] Ibid; see also “Seizing opportunity: Good privacy practices for developing mobile apps” (last modified 24 October 2012), online: OPC <https://www.priv.gc.ca/en/privacy-topics/technology/mobile-and-digital-devices/mobile-apps/gd_app_201210/#fn2-rf>; “Hotel check-in/check-out times are personal information and must not be disclosed without consent” (last modified 5 December 2013), online: OPC <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2013/pipeda-2013-007/>.
[6] PIPEDA, Schedule 1, s 4.3; PIPA, s 7(1).
[7] PIPEDA, Schedule 1, ss 4.3.1 and 4.3.2; “Guidelines for obtaining meaningful consent” (last modified 24 May 2018), online: OPC <https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/>.
[8] “Guidelines for obtaining meaningful consent”, ibid.
[9] Ibid.
[10] PIPEDA, Schedule 1, s 4.3.2; PIPA, s 7(2) (in PIPA, the information cannot be beyond what is necessary to provide the product or service).
[11] Phoenix SPJ, 2019-20 Survey of Canadian Businesses on privacy-related issues, Final Report, 31 January 2020, online: OPC <https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2020/por_2019-20_bus/>.
[12] “PIPEDA Fair Information Principle 3 – Consent” (last reviewed August 2020), online: OPC <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/principles/p_consent/>.
[13] “Guidelines for obtaining meaningful consent”, supra note 7.
[14] Ibid.
[15] “Videographer posts client’s wedding video on social media without consent” (last modified 19 December 2019), online: OPC <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2014/pipeda-2014-020/>.
[16] “PIPEDA Fair Information Principle 3 – Consent”, supra note 13.
[17] “Phone message left at client’s workplace disclosed personal information without consent” (last modified 30 January 2013), online: OPC <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2012/pipeda-2012-009/>.
[18] PIPEDA, Schedule 1, ss 4.3.4 and 4.3.6.
[19] Ibid; PIPEDA, Schedule 1, ss 4.3.4 and 4.3.6; “Form of Consent” (last modified 11 December 2015, currently under review), online: OPC <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_07_consent/>.
[20] “Guidelines for obtaining meaningful consent”, ibid.
[21] Ibid.
[22] Ibid.
[23] Ibid.
[24] “Seizing opportunity”, supra note 5.
[25] “Guidelines for obtaining meaningful consent”, supra note 7.
[26] Ibid; “Seizing opportunity”, supra note 5.
[27] Ibid.
[28] Ibid.
[29] Ibid.
[30] “Seizing opportunity”, ibid.
[31] PIPEDA, Schedule 1, s 4.3.8; PIPA, s 9 (PIPA allows people to withdraw or vary consent with reasonable notice).
[32] PIPEDA, above.
[33] PIPEDA, ss 7, 7.2, 7.3, 10.1(3); PIPA, ss 14, 17, 20.
[34] See Phoenix SPJ, supra note 11.