How the GDPR Affects Consent Under Canadian Privacy Laws

How the GDPR Affects Consent Under Canadian Privacy Laws

The European Union's General Data Protection Regulation (GDPR) has indirectly led to tighter rules in Canada for getting "meaningful consent." Federal and provincial regulators issued more explicit guidelines on making sure individuals really do understand the permission they give. Despite the GDPR connection, these guidelines involve domestic laws that Canadian organizations must follow.

The GDPR is a set of European Union rules that have legal force across its member countries. Taking effect in May 2018, it was the first overhaul of European data rules in two decades and was designed to reflect the major changes in technology during that time. As with all European Union "directives," the GDPR sets down principles which each member country incorporates into its domestic law.

The GDPR brings together rights for individuals regarding their personal data and obligations for organizations that collect that data. The key points include easier access by individuals to the data an organization holds about them, an explicit requirement for organizations to get informed consent from the individual, and fines for organizations that breach the rules.

Canada's Response to the GDPR

Canada's Response to the GDPR

The respective privacy commissioners of Canada as a whole, Alberta and British Columbia issued a new set of guidelines (taking effect from January 2019) for how organizations must make sure they get meaningful consent from individuals before collecting data.

The guidelines cover seven key principles for doing this. The guidelines are not merely advice or tips; instead the commissioners will directly refer to them when assessing if an organization has breached data privacy laws.

Quebec was a notable absence from the joint guidelines. However, its existing data privacy laws already explicitly refer to individuals giving "manifest, free, and enlightened" consent.

The guidelines appear to be a direct response to the GDPR. This may seem odd as European Union rules don't have direct jurisdiction over Canadian activity. However, they are significant because of a concept called data adequacy.

This is the basis of EU restrictions on transmitting data to a country outside the EU. The idea is to make sure organizations aren't able to bypass European privacy controls, for example by sending data for processing in a country with looser privacy rules.

Canada is among a limited list of countries with data adequacy status, albeit restricted to private organizations using data for commercial purposes. This status means the EU considers Canadian privacy laws strong enough to adequately protect EU citizens if their data is handled or processed in Canada.

The new Canadian guidelines are therefore a way of making sure this data adequacy status continues to hold. However, they apply to all Canadian organizations affected by the relevant rules, whether or not they hold or process any data on European individuals.

Affected Canadian Laws

Affected Canadian Laws

The guidelines affect the application of three laws, one under the jurisdiction of each of the privacy commissioners.

PIPEDA

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to most organizations collecting data on individuals as part of commercial activity. The main exception is for data collected and processed entirely in a province with its own privacy laws that have similar effects.

PIPEDA requires organizations to follow ten "fair information principles" with key points including getting informed consent before collecting personal data, making sure data is accurate and secure and making sure individuals can access data and challenge or correct any mistakes.

Alberta PIPA

Alberta's Personal Information Protection Act (PIPA) offers similar protection for individuals as PIPEDA. The act specifically applies to organizations that operate in the private sector and are under provincial regulation. One significant difference is that Alberta's PIPA covers employee information. This is normally only covered by PIPEDA in the case of federal activity.

British Columbia PIPA

British Columbia's Personal Information Protection Act (PIPA) has similar measures and goals as both PIPEDA and Alberta's PIPA. One of the act's most notable points is that organizations must not only tell individuals what data they collect but also specifically state how and why they will use it. Having collected the data this way, they cannot use it for other purposes without getting fresh consent.

The GDPR has upped the standards when it comes to consent. It promotes getting clear, informed consent that leaves no doubt as to whether the individual actually is consenting to have their personal data collected and processed.

PIPEDA and the provincial laws say you must always have consent, but sometimes this can be implied. For example, if you ask for an email address to sign somebody up for a newsletter and you will not use the address for any other purpose, you may be able to rely on implied consent from the user signing up.

The situations where implied consent is insufficient and you must get express consent are as follows:

  • You are collecting sensitive information.
  • You intend to collect, use or disclose the data in a way that the user wouldn't reasonably expect.
  • There's a risk that your use of the data could harm the user. You need express consent so that you know the user has considered this risk.

The 7 Guiding Principles For Meaningful Consent

These are the seven "guiding principles" for obtaining meaningful consent in the joint guidelines from the Canada, Alberta and British Columbia privacy commissioners. They all work towards a common goal: that individuals give meaningful consent. In other words, the individual is freely choosing to give consent, knowing exactly what that entails.

Each of these principles relates in some manner to the measures in the GDPR. Knowing this relationship can help you develop a Privacy Policy that will not only meet your obligations under Canadian laws, but also the GDPR rules that apply if you operate in Europe or handle data relating to European citizens.

1. Emphasize key elements

1. Emphasize key elements

This is not merely about what you say but how you say it. The aim is to strike a balance so that people understand the important facts about what data you collect and why, without being overwhelmed with detail.

One way to do this is to decide whether a particular piece of information is not only useful for the individual to know, but could affect whether or not they are willing to give consent.

Businesses must generally emphasize the following key elements:

  • What personal information is collected
  • What parties the personal information is shared with
  • Why the personal information is collected, used or shared
  • The risk of harm or consequences of any of this

This example from CPA Canada has a lot of legalistic detail but uses headlines that summarize the key principles of the policy:

CPA Canada Privacy Policy: Accountability for personal information clause

GDPR parallels: The GDPR's "right to be informed" requires that any information you give to individuals about their personal data (such as your Privacy Policy) "be easily accessible and easy to understand."

2. Allow individuals to control the level of detail they get and when

2. Allow individuals to control the level of detail they get and when

While the first principle suggests finding a balance between detail and accessibility, this second principle means individuals should be able to opt for a different balance if they wish.

In print this could be a pyramid structure with the key points listed first, then more detailed information. Online this could mean a summary document with the option to expand a particular section for more detail.

The guidelines also say individuals must be able to come back to check the information even after they've given consent. That's because people have the right to withdraw consent later on.

Reach uses an online privacy notice that summarizes the key points with links to the relevant section of a full (and very detailed) Privacy Policy:

Reach Employee Privacy Notice: What data do we process, and How does the company collect data clauses

GDPR parallels: The GDPR says individuals "should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing."

3. Provide individuals with clear options to say "yes" or "no"

3. Provide individuals with clear options to say

This doesn't mean an all-or-nothing approach with individuals either giving or withholding overall consent. You can require an individual to consent to giving the information that's needed to provide a service. However, you should let the individual give this consent while saying no to you collecting other information. This could be data that makes your operations easier but isn't necessary for the service.

This extract from the DAS Privacy Policy makes it clear that customers can withdraw 'optional' consent while still keeping their coverage:

DAS Privacy Policy: Consent clause - Withdrawing consent section

GDPR parallels: This guideline won't always be enough to satisfy the GDPR, which notes that consent might not be valid "where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation."

4. Be innovative and creative

4. Be innovative and creative

This doesn't mean using technology or presenting information about Privacy Policies in an unusual manner just for the sake of it. Instead it's about recognizing the context in which users make consent decisions and identifying the challenges and opportunities this presents.

For example, if somebody is signing up to a service on a mobile device, it might be effective to display privacy information in small chunks at relevant stages rather than expect them to read an entire Privacy Policy in one go.

Some recommendations include using "just-in-time" notices, interactive tools and customized mobile interfaces.

The writers of Virgin Mobile Canada's site clearly knew many of their users would be reading on a phone screen. To make it easier for those users, the Privacy Policy includes some common questions. Tapping on one will expand to give the answer:

Virgin Mobile app Privacy Policy: Questions section

Tapping another question will hide the previous answer and expand to give the newly requested answer without extending the page or requiring the user to scroll down, which makes it easy to navigate through the policy, find specific information and do so even on a small mobile device.

GDPR parallels: The GDPR gives specific examples of technical methods of confirming consent including "a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data."

5. Consider the consumer's perspective

5. Consider the consumer's perspective

This is all about being user-friendly. This can be difficult when you are developing a Privacy Policy and consent request from your own perspective, which is naturally more about meeting the rules than helping the user.

One way around this mismatch is to carry out user-testing or focus groups when developing Privacy Policies and sign-up/consent processes. Don't just rely on asking if testers found the process simple, but ask questions to see if they really did comprehend the information needed to give meaningful consent.

Google's Privacy Policy uses the consumer's perspective by centering the introduction around letting customers know that Google works to protect personal information, and also gives users control over different aspects of their information:

Google Privacy Policy intro statement

Remember that the experience of a customer deciding whether to give consent may vary depending on their device. For example, the Toronto Star's mobile app Privacy and Anti-Spam Notice begins with a list of key points that are just short enough to fit on a mobile phone screen without the user needing to scroll down:

Toronto Star mobile Privacy Policy: Highlights list

GDPR parallels: The GDPR notes that when using electronic means to ask for consent, "the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

6. Make consent a dynamic and ongoing process

This is all about going beyond the idea of a Privacy Policy and consent form being a "one and done" event. Instead, it means keeping individuals informed about any planned changes to a Privacy Policy, giving them a chance to review their consent and withdraw it if they are no longer content.

The guidelines even suggest actively contacting customers every so often to remind them about the Privacy Policy and prompt them to review their options.

The Kellogg Privacy Policy is open and clear about how customers can review and withdraw consent:

Kellogg Privacy Policy: How can you review your personal information clause

GDPR parallels: The GDPR explicitly and succinctly states that "it shall be as easy to withdraw as to give consent."

7. Be accountable: Stand ready to demonstrate compliance

7. Be accountable: Stand ready to demonstrate compliance

In effect, this is about privacy and consent being a comprehensive process rather than trying to get by on technicalities and small print.

Meeting this requirement is partly about procedures. For example, you may need to show that your website creation team are trained to understand the need for consent and to include details of the user's rights and options wherever possible. You'll also need to show that you have thought carefully about what personal data you really need to collect to provide your services.

However, the wording and application of your Privacy Policy also needs to show an overall culture of seeking meaningful consent. This could mean:

  • Using clear language to show you aren't trying to mislead users.
  • Referring to consent and privacy options prominently, particularly at the points where a user is about to provide personal data.
  • Being up-front about the consequences of consenting to data collection rather than relying on the customer inferring what could happen.
  • Testing the Privacy Policy and the relevant website pages on focus groups and asking questions to see if they comprehend the key points.
  • Including multiple links across your site to your Privacy Policy whenever the context is relevant.

The introduction to Nivea's Privacy Policy uses a creative way to illustrate the company's commitment to data protection:

Nivea Privacy Policy: Introduction statement

GDPR parallels: The GDPR notes that "where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given."

Children and Consent

With both Canada's data privacy legislation and its implementation, the rules on consent are not based primarily on age. Instead, the emphasis is on whether or not the person is able to give meaningful consent, taking into account their maturity and the complexity of the relevant information.

Some good guidelines for dealing with consent from children are as follows.

Get parental (or guardian) consent for children aged under 13. This will avoid any confusion and will also make life easier if you come under laws from other countries such as COPPA from the United States that bars consent from those under 13.

If you know under-18s will be using your site, put extra care into making your Privacy Policy clear and understandable. Use simpler language and explain key concepts.

If you do allow under-18s to consent to data collection, keep records of the work you've done and changes you've made to make your Privacy Policy suitable for people of those ages.

Summary

Let's recap the key points and context of the new Canadian guidelines:

  • The guidelines are issued jointly by the privacy commissioners for Canada, Alberta and British Columbia.
  • The guidelines help make sure Canadian privacy laws offer adequate protection to allow the export of data about European Union citizens to Canada. They reflect changes to EU privacy law through the GDPR.
  • Regardless of whether the GDPR directly affects your operations, you must follow the guidelines to comply with the federal PIPEDA legislation and the PIPA legislation of both Alberta and British Columbia.
  • The guidelines cover seven key principles about gathering consent. To meet these principles you need to:

    • Emphasize the most important information, including what personal data you gather, why you use it, who (if anyone) you share it with, and what the consequences of consenting to data collection are.
    • Let users decide how much detail they need: don't overwhelm them with detail to the point they might switch off completely.
    • Let users consent to necessary data collection while having the option to refuse other data collection. Don't make blanket consent mandatory as part of using a service.
    • Use creative technology where useful. Consider when and how users will be making the choice of whether to consent.
    • Put yourself in the consumer's shoes. Use focus groups and user testing to make sure you've understood the consumer's perspective.
    • Make sure consumers have a chance to reconsider and even withdraw consent later on. Explain the consequences of doing so.
    • Make gathering meaningful consent a process rather than just a checklist. Show what work you've done to make sure users can give meaningful informed consent.

You can get consent from children but must be confident they understand the process. It's best to avoid getting consent for under-13s. If you gather consent from teenagers, make sure your Privacy Policy is clear and simple enough that they can understand it.

Other Categories:

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.