The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #1: Obtaining Valid Consent
Canadian privacy and data protection laws are consent-based. For the private non-health sector, express or implied consent is always required to collect, use or disclose personal information (“PI”), subject to limited exceptions that vary across jurisdictions. Unlike other countries, most Canadian laws do not recognize “legitimate interests”, or even “performance of a contract”, as lawful bases to process PI without consent.
Many organizations are aware that they need consent to process Canadian personal information, but they are not familiar with all the specific rules and restrictions that must be followed.
For example, under the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), consent is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of their PI. The Office of the Privacy Commissioner of Canada (the “OPC”) has interpreted this to mean that organizations cannot rely on information “buried” in a privacy policy or terms of use. Rather, certain key elements must be brought to the attention of individuals, including: (1) what PI is being collected; (2) the parties with whom PI will be shared; (3) the purposes for which PI will be collected, used and disclosed; and (4) risk of harm and other consequences.
Some of the provincial equivalents to PIPEDA also prescribe validity requirements applicable to consent. In particular, without limitation, Quebec’s Act respecting the protection of personal information in the private sector (the “Quebec Act”) provides that: (i) consent must be clear, free, informed, and given for specific purposes; (ii) consent must be requested for each purpose in clear and simple language; (iii) if the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned; and (iv) consent is valid only for the time necessary to achieve the purposes for which it was requested. Like the OPC, the Commission d’accès à l’information du Québec (the “CAI”) has published detailed guidance on obtaining valid consent. Among other things, the CAI has indicated that consent must be “granular”. Accordingly, if there are multiple intended purposes for using and disclosing PI, consent must be requested separately for each of them (i.e., individuals must not be provided with only one choice to accept or reject all uses and disclosures “en bloc”).
The guidance published by the OPC and the CAI sets out a number of other mandatory and recommended criteria for obtaining consent, which organizations should take into account when designing their consent strategies for Canada.
The basic validity requirements for consent are just the tip of the iceberg. Here are some other things you may not know about consent:
- Although consent can sometimes be deemed or implied, the circumstances where this is permitted vary across jurisdictions. Implied consent must still be “informed”, and so a legally-compliant privacy notice is usually still required.
- Consent cannot fix an unreasonable data processing activity. Organizations must have a reasonable purpose for collecting, using or disclosing PI (or, in Quebec, a serious and legitimate purpose), regardless of whether consent is obtained.
- Organizations cannot require consent to any non-essential collection, use or disclosure of PI as a condition of providing a product or service.
- Organizations are responsible for ensuring the validity and sufficiency of any consents provided by individuals, even if they rely on another organization to obtain consents on their behalf. This is especially relevant for service providers, which often contractually assign responsibility for obtaining consents to their clients who have a direct relationship with the relevant individuals (see: PIPEDA Findings #2019-004).
Action Items
Consent is a complex issue. To get consent right, your organization should: (1) confirm that consent is being obtained for every collection, use and disclosure of PI, and that updated consents are obtained for any new uses or disclosures of PI after collection, or that there is a permitted exception in all relevant jurisdictions; (2) consider the sufficiency of contractual terms and oversight activities when relying on another organization to collect consents; (3) review and update legacy consent processes for compliance with recent statutory changes and regulatory guidance; (4) implement a process to document and retain records of consents, including defined retention periods for such records; (5) develop a process to respond to any withdrawal of consent from an individual; (6) establish a consent management policy and procedures; and (7) train employees on consent requirements and your organization’s consent processes.
McMillan’s Privacy and Data Protection team can help your organization to implement the action items outlined above. Contact your McMillan representative to obtain the support your organization needs to ensure compliance with this critical privacy law requirement.
by Lyndsay Wasser and Kristen Pennington
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024