17 February 2020
The European Union's General Data Protection Regulation (GDPR) has indirectly led to tighter rules in Canada for getting "meaningful consent." Federal and provincial regulators issued more explicit guidelines on making sure individuals really do understand the permission they give. Despite the GDPR connection, these guidelines involve domestic laws that Canadian organizations must follow.
The GDPR is a European Union regulation with legal force across its member states. Taking effect in May 2018, it was the first overhaul of European data protection rules in two decades, replacing the 1995 Data Protection Directive, and was designed to reflect the major changes in technology over that period. Unlike an EU "directive," which sets down principles that each member state must incorporate into its own domestic law, a regulation applies directly in every member state without national implementing legislation.
The GDPR brings together rights for individuals regarding their personal data and obligations for organizations that collect that data. The key points include easier access by individuals to the data an organization holds about them, an explicit requirement for organizations to get informed consent from the individual, and fines for organizations that breach the rules.
The Privacy Commissioner of Canada and the privacy commissioners of Alberta and British Columbia jointly issued a new set of guidelines (in effect from 1 January 2019) on how organizations must make sure they get meaningful consent from individuals before collecting personal data.
The guidelines cover seven key principles for doing this. The guidelines are not merely advice or tips; instead the commissioners will directly refer to them when assessing if an organization has breached data privacy laws.
Quebec was a notable absence from the joint guidelines. However, its existing data privacy laws already explicitly refer to individuals giving "manifest, free, and enlightened" consent.
The guidelines appear to be a direct response to the GDPR. This may seem odd as European Union rules don't have direct jurisdiction over Canadian activity. However, they are significant because of a concept called data adequacy.
Data adequacy is the basis of EU restrictions on transferring personal data to a country outside the EU. The idea is to make sure organizations aren't able to bypass European privacy controls, for example by sending data for processing to a country with looser privacy rules.
Canada is among a limited list of countries with data adequacy status, albeit restricted to private organizations using data for commercial purposes. This status means the EU considers Canadian privacy laws strong enough to adequately protect EU citizens if their data is handled or processed in Canada.
The new Canadian guidelines are therefore a way of making sure this data adequacy status continues to hold. However, they apply to all Canadian organizations affected by the relevant rules, whether or not they hold or process any data on European individuals.
The guidelines affect the application of three laws, one under the jurisdiction of each of the privacy commissioners.
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to most organizations collecting data on individuals as part of commercial activity. The main exception is for data collected and processed entirely in a province with its own privacy laws that have similar effects.
PIPEDA requires organizations to follow ten "fair information principles" with key points including getting informed consent before collecting personal data, making sure data is accurate and secure and making sure individuals can access data and challenge or correct any mistakes.
Alberta's Personal Information Protection Act (PIPA) offers individuals similar protection to PIPEDA. The act applies to private-sector organizations under provincial regulation. One significant difference is that Alberta's PIPA covers employee information; PIPEDA normally covers employee information only for federally regulated businesses such as banks, airlines and telecommunications companies.
British Columbia's Personal Information Protection Act (PIPA) has similar measures and goals as both PIPEDA and Alberta's PIPA. One of the act's most notable points is that organizations must not only tell individuals what data they collect but also specifically state how and why they will use it. Having collected the data this way, they cannot use it for other purposes without getting fresh consent.
The GDPR has raised the bar for consent. It calls for clear, informed consent that leaves no doubt as to whether the individual actually is consenting to having their personal data collected and processed.
PIPEDA and the provincial laws say you must always have consent, but in some circumstances that consent can be implied. For example, if you ask for an email address to sign somebody up for a newsletter and will not use the address for any other purpose, you may be able to rely on consent implied by the act of signing up.
The situations where implied consent is insufficient and you must get express consent are as follows:
These are the seven "guiding principles" for obtaining meaningful consent in the joint guidelines from the Canada, Alberta and British Columbia privacy commissioners. They all work towards a common goal: that individuals give meaningful consent. In other words, the individual is freely choosing to give consent, knowing exactly what that entails.
This is not merely about what you say but how you say it. The aim is to strike a balance so that people understand the important facts about what data you collect and why, without being overwhelmed with detail.
One way to do this is to decide whether a particular piece of information is not only useful for the individual to know, but could affect whether or not they are willing to give consent.
Businesses must generally emphasize the following key elements:
This example from CPA Canada has a lot of legalistic detail but uses headlines that summarize the key principles of the policy:
While the first principle suggests finding a balance between detail and accessibility, this second principle means individuals should be able to opt for a different balance if they wish.
In print this could be a pyramid structure with the key points listed first, then more detailed information. Online this could mean a summary document with the option to expand a particular section for more detail.
The guidelines also say individuals must be able to come back to check the information even after they've given consent. That's because people have the right to withdraw consent later on.
GDPR parallels: The GDPR says individuals "should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing."
This doesn't mean an all-or-nothing approach with individuals either giving or withholding overall consent. You can require an individual to consent to giving the information that's needed to provide a service. However, you should let the individual give this consent while saying no to you collecting other information. This could be data that makes your operations easier but isn't necessary for the service.
GDPR parallels: This guideline won't always be enough to satisfy the GDPR, which notes that consent might not be valid "where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation."
This doesn't mean using technology or presenting information about Privacy Policies in an unusual manner just for the sake of it. Instead it's about recognizing the context in which users make consent decisions and identifying the challenges and opportunities this presents.
Some recommendations include using "just-in-time" notices, interactive tools and customized mobile interfaces.
Tapping another question hides the previous answer and expands the newly requested one without lengthening the page or requiring the user to scroll. This makes it easy to navigate the policy and find specific information, even on a small mobile screen.
GDPR parallels: The GDPR gives specific examples of technical methods of confirming consent including "a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data."
One way to close this gap is to carry out user testing or focus groups when developing Privacy Policies and sign-up/consent processes. Don't just ask whether testers found the process simple; ask questions that reveal whether they actually understood the information needed to give meaningful consent.
Remember that the experience of a customer deciding whether to give consent may vary depending on their device. For example, the Toronto Star's mobile app Privacy and Anti-Spam Notice begins with a list of key points that are just short enough to fit on a mobile phone screen without the user needing to scroll down:
GDPR parallels: The GDPR notes that when using electronic means to ask for consent, "the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
GDPR parallels: The GDPR explicitly and succinctly states that "it shall be as easy to withdraw as to give consent."
In effect, this is about privacy and consent being a comprehensive process rather than trying to get by on technicalities and small print.
Meeting this requirement is partly about procedures. For example, you may need to show that your website development team is trained to understand the need for consent and to include details of the user's rights and options wherever possible. You'll also need to show that you have thought carefully about what personal data you really need in order to provide your services, and that you keep a record of what each individual agreed to, when, and on the basis of which version of your notice.
GDPR parallels: The GDPR notes that "where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given."
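The three requirements above (consent that is granular enough to refuse non-essential purposes, as easy to withdraw as to give, and demonstrable afterwards) translate directly into how a service should store consent. The following is an added illustration, not code from the guidelines or from any of the organizations mentioned on this page. It keeps an append-only ledger of per-purpose consent events, so the history itself is the evidence; it distinguishes purposes the service genuinely needs from optional ones, so refusing an optional purpose never blocks sign-up; and withdrawal is the same one-line operation as granting. The purpose names, the `required` split, the policy version strings and the function names are all assumptions made for this example.

```python
"""Per-purpose consent ledger. Added example; not from the commissioners' guidelines."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample purposes (assumption: a newsletter service).
# True = the service cannot be provided without it; False = optional.
PURPOSES: Dict[str, bool] = {
    "account_email": True,                # needed to deliver the newsletter at all
    "newsletter_personalisation": False,  # nice to have, not necessary
    "third_party_analytics": False,       # helps the operator, not the reader
}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool
    at: datetime
    policy_version: str   # which version of the notice the person actually saw
    source: str           # where the choice was made, e.g. "signup_form"


class ConsentLedger:
    """Append-only record of one individual's consent decisions."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, purpose: str, granted: bool, policy_version: str,
               source: str, at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        event = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc),
                             policy_version, source)
        self._events.append(event)  # never overwrite: the history is the evidence
        return event

    def withdraw(self, purpose: str, policy_version: str, source: str) -> ConsentEvent:
        """Withdrawing is the same single call as granting, just with granted=False."""
        return self.record(purpose, False, policy_version, source)

    def current(self) -> Dict[str, bool]:
        """Latest decision per purpose; purposes never asked about are absent."""
        state: Dict[str, bool] = {}
        for e in self._events:
            state[e.purpose] = e.granted
        return state

    def may_use(self, purpose: str) -> bool:
        # No record means no consent: silence is not an opt-in.
        return self.current().get(purpose, False)

    def can_provide_service(self) -> bool:
        """Only the purposes marked required gate the service."""
        return all(self.may_use(p) for p, required in PURPOSES.items() if required)

    def history(self, purpose: str) -> List[ConsentEvent]:
        """Everything the person ever decided about one purpose, in order."""
        return [e for e in self._events if e.purpose == purpose]


def sign_up(choices: Dict[str, bool], policy_version: str) -> ConsentLedger:
    """Record the sign-up form's choices; unchecked boxes are recorded as refusals."""
    ledger = ConsentLedger()
    for purpose in PURPOSES:
        ledger.record(purpose, choices.get(purpose, False), policy_version, "signup_form")
    if not ledger.can_provide_service():
        raise PermissionError("a required purpose was refused; service cannot be provided")
    return ledger


if __name__ == "__main__":
    # Constructed walk-through: accept the essential purpose, refuse analytics,
    # later opt in to personalisation and then withdraw it again.
    ledger = sign_up({"account_email": True, "third_party_analytics": False}, "2019-01")
    ledger.record("newsletter_personalisation", True, "2019-01", "settings_page")
    ledger.withdraw("newsletter_personalisation", "2019-01", "settings_page")
    for event in ledger.history("newsletter_personalisation"):
        print(event.at.isoformat(), event.purpose, event.granted, event.source)
```

Two design choices matter here. First, an unchecked optional box is stored as an explicit refusal rather than left blank, so a later audit can show the question was asked and answered on a specific version of the notice. Second, `may_use` treats a missing record as "no", so a purpose added after sign-up cannot be used until the person is asked again, which is the "fresh consent for new purposes" point made above about British Columbia's PIPA.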
Neither Canada's privacy legislation nor the guidelines make the rules on consent depend primarily on age. The emphasis is instead on whether the person is able to give meaningful consent, taking into account their maturity and the complexity of the relevant information.
Some good guidelines for dealing with consent from children are as follows.
Get parental (or guardian) consent for children aged under 13. This avoids any ambiguity and also makes life easier if you fall under laws from other countries, such as COPPA in the United States, which requires verifiable parental consent before collecting personal information online from children under 13.
Let's recap the key points and context of the new Canadian guidelines:
The guidelines cover seven key principles about gathering consent. To meet these principles you need to: