On May 24, 2018, the Office of the Privacy Commissioner of Canada (OPC) released its guidelines for obtaining meaningful consent (Meaningful Consent Guidelines). The OPC will begin applying its Meaningful Consent Guidelines on January 1, 2019.
A fundamental principle of the Personal Information Protection and Electronic Documents Act (PIPEDA) is that the “knowledge and consent” of the individual is required for the collection, use or disclosure of their personal information (Section 4.3 of Schedule 1). Section 6.1 of PIPEDA provides that “[f]or the purposes of [this principle], the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” The Meaningful Consent Guidelines constitute further guidance by the OPC on how organizations may obtain “meaningful” consent.
The Meaningful Consent Guidelines provide organizations with seven (7) guiding principles as follows:
Emphasize key elements
While information about the collection, use or disclosure of personal information must be readily available in complete form, organizations must take care to avoid information overload. In order to strike this balance, organizations must allow individuals to quickly review key elements impacting their privacy decisions right up front. These key elements include what personal information is being collected, with which parties personal information is being shared, for what purposes personal information is collected, used or disclosed, and any meaningful risks. A meaningful risk is a risk that falls below the balance of probabilities but is more than a minimal or mere possibility.
Allow individuals to control the level of detail they get and when
Information must be provided to individuals in manageable and easily accessible ways, and individuals should be able to control how much detail they wish to receive and when. The OPC provides that presenting information in a layered format would help make better sense of lengthy, complex information by offering a summary of the key highlights up front.
Provide individuals with clear options to say ‘yes’ or ‘no’
Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. If the personal information is not essential to the product or service, individuals must be given a choice.
Be innovative and creative
Organizations should design innovative consent processes that can be implemented “just-in-time”, are specific to the context, and are appropriate to the type of interface used. For example, where a user’s age is being requested to register for an online service, a “just-in-time” notice explaining why the user’s age is necessary should appear near the space where the user would input the information.
Consider the consumer’s perspective
Organizations should consider the point of view of the target audience. The OPC’s view is that organizations put significant resources into the design of user experiences and interactions, so they can also put similar efforts into ensuring the consent process is understandable. This may involve seeking user input, pilot testing consent processes, consulting with privacy experts and following an established best practice.
Make consent a dynamic and ongoing process
Organizations should treat consent as a dynamic and ongoing process rather than a static moment in time. Organizations must obtain user consent before introducing significant changes to their privacy policies. When information flows are complex, organizations should provide interactive and dynamic ways to anticipate and answer users’ questions if the information is not clear or gives rise to follow-up questions. This could include regularly updating FAQs, using new smart technologies, chatbots, etc.
Be accountable: Stand ready to demonstrate compliance
The OPC has provided a checklist of things that an organization “must do” versus “should do” in order to comply with PIPEDA and obtain meaningful consent. Modifying consent processes to comply with PIPEDA is not an easy task and will take time. Accordingly, if they have not already started this process, businesses should review their existing consent practices against the OPC’s “must do” checklist and make any necessary modifications to ensure compliance with PIPEDA. As stated above, the OPC will begin applying the Meaningful Consent Guidelines on January 1, 2019.