One of the main principles, and a cornerstone of many privacy laws, is consent. The principle of consent states that an organization may collect, use, or disclose personal information only if the individual consents, and only if that consent is meaningful and informed. The words "informed" and "meaningful" are of paramount importance here: they ensure that the individual knows and understands the nature, purpose, and consequences of the collection, use or disclosure of their personal information.
The topic of consent plays an important role in Canada's upcoming new privacy law, the CPPA, and in this article we explore the ins and outs of consent under both PIPEDA and the CPPA.
Consent under PIPEDA
Under PIPEDA, the principle of consent has been flexible. Flexibility here means that when collecting the personal information is not a significant encroachment on privacy and the purpose of the collection is straightforward, an organization may rely on a form of consent that is more implied than express. That said, various aspects can affect how consent is used under PIPEDA.
Sensitivity of Information
When the personal information is sensitive, opt-in consent is the way to go. There is no clear demarcation (under PIPEDA) of what sensitive information is. However, as the Supreme Court of Canada has explained on several occasions, sensitive information can be any information that relates more significantly to the notion of privacy, such as medical or financial information.
For that matter, even non-sensitive information can become sensitive depending on what it is capable of revealing when combined with other personal information. For instance, the name and address of an individual shared with a grocery delivery service would not, in general, be considered sensitive information. However, the name and address of the same individual in relation to a particular health care clinic would be considered sensitive, because it may disclose a number of other things about them, such as existing health conditions or a particular illness.
Appropriate Use of Consent
The other relevant aspect of consent under PIPEDA is the appropriate use of consent. Even with consent, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Continuing our previous example, an individual sharing their name and address with a grocery delivery service would expect the organization to use the information for delivery purposes. Beyond this, they may also reasonably expect the organization to contact them in order to request the renewal of services (e.g. a delivery subscription). On the other hand, an individual would not reasonably expect the personal information given to the health care clinic to be shared with another company selling health-care products, unless consent was obtained explicitly.
An organization cannot require an individual, as a condition of the supply of a product or service, to consent to the collection, use or disclosure of more personal information than is necessary to fulfill the organization’s explicitly stated and legitimate purposes. Again, the grocery delivery service cannot require a customer to provide the license plate number of their car when it is not needed for any transaction.
Withdrawal of Consent
PIPEDA also includes a requirement to be able to withdraw consent at any time subject to two conditions:
- The individual must give reasonable notice to the organization of the withdrawal of consent.
- There must be no contractual restrictions that prevent withdrawal.
Exceptions for Consent
Under PIPEDA consent is not required in situations when:
- it cannot be obtained in a timely way and the collection is clearly in the interest of the individual;
- it would compromise the availability or accuracy of information (e.g. investigations);
- it is contained in a witness statement and collection is necessary to assess, process or settle an insurance claim;
- it is given in the course of employment and the collection is consistent with the purpose;
- information is publicly available;
- the collection is made for a disclosure required under the law.
Challenges of Using Consent
Meeting all these requirements with respect to consent can, at times, be difficult to manage, especially when an organization collects, uses or discloses multiple types of personal information. The subjective nature of "appropriateness" also requires an organization to be prepared to demonstrate that it is always acting reasonably in its treatment of personal information. Indeed, this can sometimes be tricky. There can be instances where an individual has consented to the collection of their personal information, but the organization is still exposed to the risk that the collection itself is not reasonable. For example, an individual may consent to an unreasonable collection of their personal information in order to derive some benefit, such as employment.
Consequently, in an attempt to act reasonably and to make consent informed, organizations often resort to privacy policies and notices that are notoriously long and complex. Overly detailed information in the consent process can overwhelm individuals and thereby defeat the very purpose of the consent process. On the other hand, without making the policies detailed and amply clear, businesses run the risk of not meeting their obligation to obtain informed and reasonable consent. Thus, the most practical and efficient way to check the reasonableness box is to conduct regular privacy audits and assessments. One of the primary aims of these audits should be to evaluate whether the purposes of collection are appropriate and amply defined. The second aim should be to confirm that an individual's uninformed consent has not been used by the organization as an open pass to collect and use personal information indiscriminately for undefined purposes. But the question remains: has PIPEDA actually achieved the objective of informed and meaningful consent? This is a hotly debated topic, and with the introduction of the CPPA we anticipate a lot more clarity for consumers and businesses.
Consent under Bill C-11 (CPPA)
Consent Has To Be “Express”
Bill C-11 intends to apply the principle of consent in a very pragmatic way. Among other things, it mandates express consent for all collection, use and disclosure unless an organization can demonstrate that implied consent was appropriate or that the consent was exempted. Express consent is when a customer directly communicates their positive and explicit consent to an organization for the processing of their personal information. Express consent is backed by evidence, e.g. a written consent or consent given by voluntarily clicking a checkbox on a web page.
Consent Has To Be “Informed”
Under Bill C-11, consent is considered valid (meaningful and informed) only when it is obtained at or before the time of collection and the organization provides "information" in plain, simple language. What specifically that information must include has been codified in the body of the legislation itself:
- the purpose of the collection, use or disclosure;
- the manner in which the information is to be collected, used or disclosed;
- the reasonably foreseeable consequences of such collection, use or disclosure;
- the specific type of information that is to be collected, used or disclosed; and
- the names or types of any third parties to which the organization may disclose the personal information.
The aim of this clause in the legislation is to ensure that consumers understand the context better and make informed choices about the use of their personal information, an aspect that is considered lacking in PIPEDA.
Appropriate Use of Consent Under Bill C-11
Under PIPEDA, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. The appropriateness obligations related to consent remain the same under Bill C-11 (just as they existed under PIPEDA), but Bill C-11 adds further clarifications:
First, it outlines the factors that "must" be considered by an organization to determine whether a purpose is appropriate. The factors are:
- the sensitivity of the personal information;
- whether the purposes represent legitimate business needs of the organization;
- the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
- whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
- whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
Second, it explicitly requires that each purpose for which the organization plans to collect, use or disclose personal information be determined at or before the time of collection, and that the organization record it. If the organization plans to use or disclose the collected personal information for a new purpose, it must determine and record that new purpose and obtain consent before using or disclosing the information. Furthermore, an organization may collect only the personal information that is necessary for that purpose. Pre-determining the purposes and their appropriateness may well require a significant revamp of existing privacy policies and business processes. Nonetheless, the appropriateness of purpose will no longer be subjective. Both the organization and the consumer will be on the same page when it comes to foreseeable appropriate purposes, as these will be clearly communicated at or before the point of collection.
Bill C-11 further tightens the noose on "tied selling". As mentioned earlier, under PIPEDA an organization cannot compel an individual, as a condition of the supply of a product or service, to consent to the collection, use, or disclosure of information beyond that required to fulfill the "explicitly specified" and "legitimate purposes". Bill C-11 removes the idiosyncratic term "legitimate purposes", leaving only the explicitly specified purposes as the permitted basis.
Bill C-11 adds a new clause stating that any consent obtained by presenting false or misleading information, or by using deceptive or misleading practices, is null and void. Again, this is a provision that is missing from the text of PIPEDA. The way forward for businesses under this obligation is to review their existing privacy policies and procedures to make sure that the consent obtained under their current processes is not misleading or deceptive in any form.
Notable exceptions to consent
Exceptions to consent exist under PIPEDA as well. However, Bill C-11 adds further exceptions, especially for processes related to day-to-day business operations.
First, an organization may collect or use an individual's personal information without their knowledge or consent if the collection or use is made for a certain set of "business activities". The term "business activity" includes an activity that is:
- necessary to provide or deliver a product or service that the individual has requested from the organization;
- carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
- necessary for the organization’s information, system or network security;
- necessary for the safety of a product or service that the organization provides or delivers;
- of a type in the course of which obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual; and
- prescribed under law.
It is important to note that the onus of proving that a particular activity falls within the definition of a business activity lies with the organization. Any activity falling outside the ambit of the "business activities" listed above will not be exempted under this category unless it is added later.
Second, beyond the business activities, the exemptions to consent under Bill C-11 also extend to the collection and use of personal information when:
- a reasonable person would expect such a collection or use for that activity; and
- personal information is not collected or used for the purpose of influencing the individual’s behavior or decisions.
Third, Bill C-11 adds another exception relating to service providers, which states that an organization may transfer an individual's personal information to a service provider without their knowledge or consent. A service provider can be any organization that provides services to another organization to assist in fulfilling its purposes. The justification that underpins this exception is that the purposes for which personal information may be transferred to service providers are generally foreseeable by a reasonable person. For instance, the fact that an organization may transfer a consumer's name and address to a delivery service provider in order to deliver the product to the consumer is foreseeable by a reasonable person. The major difference here is that Bill C-11 explicitly mentions transfers to service providers as an exception, something PIPEDA did not. This exception should alleviate some of the concerns of organizations about redundant consent obligations. Notwithstanding this, if an organization receives personal information as a service provider but acts beyond the terms of the service contract in processing that information, it will no longer be considered a mere service provider, and will attract all the obligations of the CPPA.
Other Exceptions to Consent Requirement
Bill C-11 contains several other exceptions to the general requirements for consent. The ones which are not included in PIPEDA are:
- the use of an individual’s personal information to de-identify the information;
- the use of an individual’s de-identified personal information for the organization’s internal research and development purposes; and
- the disclosure of an individual’s de-identified personal information to government bodies, post-secondary educational institutions, healthcare institutions, public libraries or an organization mandated by law for socially beneficial purposes (purposes related to the improvement of public services, infrastructure, health or environment).
The important point to note here is that the CPPA will permit only de-identified information to be disclosed without consent in these circumstances, whereas under PIPEDA the exceptions allowed the personal information itself to be disclosed. Undoubtedly, this is a significant step towards striking the balance between information privacy and the digital innovation and expansion of businesses that Bill C-11 aims to achieve.
Withdrawal of Consent
Bill C-11 also contains a provision that allows an individual to withdraw their consent on reasonable notice to an organization, subject to law or to the terms of a contract. On receipt of such notice, the organization must inform the individual of the consequences of withdrawing consent and, as soon as feasible after that, cease collecting, using, or disclosing the personal information for which the consent was withdrawn.
Next Steps for Organizations
All in all, Bill C-11 purports to clarify various provisions that are open to subjectivity under PIPEDA. How far it succeeds remains to be seen. While it may still take some time for Bill C-11 to become law, there are a number of steps that organizations can take to prepare for early compliance. Some of those initial steps are:
- predetermining (with sufficient clarity) the purposes for which the organization plans to obtain consent, and making this a continual process. This will not only set a strong base for overall business processes but will also make compliance considerably simpler and more demonstrable;
- conducting current-state assessments and revising the existing consent processes, privacy policies, practices, and procedures in order to obtain consent that is sufficiently clear and ensures meaningful choice. A few ways to make consent more meaningful are introducing interactive layered notices, regularly updating FAQs and using chatbots. Early action would allow organizations to achieve smooth and thorough compliance;
- tracing the type (sensitive or not) and volume of personal information collected, used or disclosed by the organization and mapping it to the consent and appropriateness obligations.