Canadian organizations come under both federal and provincial laws on data privacy, including the need to get "meaningful consent."

In 2019, Canadian privacy commissioners issued new guidelines detailing principles for such consent. The principles are sometimes described as "GDPR-like" because one of the reasons for issuing them was to make sure Canadian privacy laws are compatible with those in the European Union.

We'll break down consent requirements under Canadian privacy laws, show you how to satisfy them and describe how they compare to the GDPR's consent requirements.


The Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a federal law with the following key points:

  • It covers most cases where a Canadian organization collects personal information in the course of commercial activity.
  • The organization must follow 10 detailed privacy principles. These include only collecting the data needed for a specified purpose, getting "meaningful" consent to collect data and letting the person see and correct the data that relates to them.
  • Breaching PIPEDA could ultimately lead to a court order to change an organization's behavior. A few particularly serious breaches are classed as criminal acts.

Provincial Laws

Alberta and British Columbia both have privacy laws (known as Alberta PIPA and British Columbia PIPA respectively) that pre-date PIPEDA. For the most part the aims and measures in these laws are similar to those in PIPEDA.

To reflect this similarity, an organization is normally exempt from PIPEDA if it is already covered by Alberta PIPA or British Columbia PIPA. However, PIPEDA will still apply in two cases:

  • The personal information crosses provincial or national borders, or
  • The organization is federally regulated

The GDPR Connection

The General Data Protection Regulation (GDPR) is a European Union law that covers personal data collection in either of two circumstances:

  • The organization collecting the data operates in a European Union country, or
  • The data is about a person who is in a European Union country

(Note that it doesn't matter where the data is stored or processed.)

Even if you don't fall under the scope of the GDPR, you will still feel its effects in PIPEDA, Alberta PIPA and BC PIPA, specifically in the way consent is interpreted.

This is because of a concept called data adequacy. In short, the GDPR says data can normally only be transferred from the European Union to another country if that country's data laws are adequate to offer a similar level of protection. The EU says transfers to Canada are allowed as long as the data falls under the scope of PIPEDA.

In January 2019, the privacy commissioners for Canada as a whole, Alberta and British Columbia issued new guidelines on how they define the meaningful consent required under PIPEDA, Alberta PIPA and BC PIPA. One of the main reasons they did this was to make certain the EU would continue to maintain Canada's data adequacy status.

Meaningful Consent Principles

The privacy commissioners laid down seven "guiding principles" that organizations should follow to make sure they get the required meaningful consent. These principles help make sure Canadian laws are compatible with the GDPR's definition of valid consent as:

"freely given, specific, informed and unambiguous"

Accountability

You must be able to prove that you comply with the requirement for meaningful consent. The key here is proving that you've actively worked to make sure consent is meaningful rather than just doing the bare minimum to comply.

Some of the key ways to do this are:

  • Create a process to make sure you get meaningful consent.
  • Make sure the process follows all seven principles in the guidelines.
  • Document the way you considered the principles and designed the process.

Choice

You must give people a genuine choice about whether or not they consent to you collecting their data.

Some of the key ways to do this are:

  • Make sure people understand they have a choice.
  • Think carefully about whether opt-in or opt-out consent is appropriate to a particular situation.
  • Minimize cases where giving consent is mandatory to use a product or service. Only do this where it's not possible to provide the product or service without getting the relevant personal data. Make sure you can explain why this is the case.

This example from Age UK clearly details the choices users have when it comes to data collection:

Age UK Privacy Policy: Your Choices clause

This example from the New Statesman gives users three separate choices. If the user clicks Subscribe without ticking the "I consent to..." box, they are told they must tick it to proceed with the newsletter sign-up:

New Statesman email subscribe form with checkboxes

Creativity

You should take advantage of technology to make your consent process more effective and useful for the individual.

Some of the key ways to do this are:

  • Avoid simply copying paper consent forms and documents onto a website.
  • Try to provide relevant information and ask for consent at the most appropriate time. For example, if you offer an email newsletter, show the relevant privacy information and policies right at the point where you are about to collect an email address.
  • Consider using interactive tools such as videos or graphics to explain your data collection and privacy policies rather than just relying on written explanations.
  • Take account of screen size and other limitations when designing privacy and consent information for users on mobile devices.

This excerpt from the Principality Building Society covers the key points in a visually engaging manner before the user reads on to see the full policy wording:

Principality Building Society: Excerpt of Privacy Policy infographic

Detail

Different people have different levels of interest and concern when it comes to giving consent for data collection. This means you face a balancing act: give everyone enough detail that they feel comfortable choosing whether to consent, but stay concise enough that people aren't deterred from reading and don't simply consent without properly considering it.

Some of the key ways to do this are:

  • Organize the information you provide into different levels of detail.
  • Let people choose the level of detail they want to access, for example by showing everyone a summary of the key points and then linking to a full Privacy Policy.
  • Set your site and documentation up so that people can come back and review in further detail later on (and withdraw their consent if they choose).

This example from Verizon lets users easily choose whether to skip past a particular element of the Privacy Policy, read it in summary form, or click through for more detail:

Verizon Privacy Policy: Summary Excerpt

Dynamic Consent

While getting consent might seem like a one-and-done process, this isn't enough to get truly meaningful consent. Instead, individuals must have the opportunity to review and reconsider the information they provide, particularly if the way you use it changes later on.

Some of the key ways to do this are:

  • Make it easy for people to contact you with any questions about the data collection and handling and their consent.
  • Make sure you warn people in advance if you are going to change how you use or share their data. Give them a chance to withdraw their consent. If the changes are significant, it may be worth asking for active consent again and treating anyone who doesn't reply as having withdrawn consent.
  • Review your data policies at regular intervals to make sure the way you handle data hasn't changed.
  • Remind people at regular intervals that they have the right to review and withdraw their consent.

This example from Dell explains how users can withdraw consent and what implications doing so will have:

Dell Privacy Statement: Legal Basis of Processing clause - Consent section

The Information Commissioner's Office (ICO) takes a two-step approach, using two different forms of wording to the same effect. It tells people how to withdraw consent for receiving a newsletter at the point where they are about to sign up:

ICO email subscribe form with opt-out information

It then includes two "unsubscribe" links at the end of each newsletter it mails out:

ICO email with unsubscribe links

Emphasis

Privacy Policies can be extremely detailed, even when you've made the effort to keep them clear and concise. This can mean the most important points get lost among the full barrage of information.

The privacy commissioners recommend emphasizing four points:

  • What data you collect
  • Why you are collecting the data and how you'll use it
  • Who you share the data with
  • What risks the user faces by sharing their data (You can detail how you mitigate these risks.)

Some of the key ways to do this are:

  • Make these the first four points you include in a Privacy Policy.
  • Address these four points in the summary notice that people see just before giving consent, then link to the full policy.
  • Use a common format for emphasizing these four points if you need to develop multiple Privacy Policies, for example for different situations or services.

Perspective

Develop your consent process with the user's perspective in mind. Remember that meaningful consent is about the individual understanding and choosing the way they share data.

Some of the key ways to do this include:

  • Use clear language suitable for your audience.
  • Take into account the devices people will use to access privacy information and give consent.
  • Hire outside experts on user interaction and privacy to help develop your consent process.
  • Test your process on real people to pick up any confusion or shortfalls.

This example from the BBC uses clear language that demonstrates keeping the user in mind:

BBC: Your Information and Privacy - Data retention summary

Using a combination of brief guidelines and a link to the full policy recognizes that different users will have different levels of interest in the Privacy Policy.

Summary

Let's recap what you need to know and do in light of the new guidelines:

  • Canada has privacy laws at both federal and provincial level.
  • The federal law (PIPEDA) works alongside the relevant laws for Alberta and British Columbia.
  • All three laws share a new set of guidelines clarifying how you must get "meaningful consent."
  • The clarification helps make Canadian laws compatible with GDPR, the European Union's data privacy system.
  • The guidelines lay down seven principles to follow:

    • Be accountable by showing you've developed a privacy procedure.
    • Give individuals a genuine choice to give consent and only make it mandatory where strictly necessary.
    • Use technology creatively to help users understand privacy and consent.
    • Let users decide how much detail they want to read.
    • Make sure users can review and reconsider consent later on, particularly if you change your privacy procedure.
    • Emphasize four key points: what data you collect; why and how you use it; who you share it with; what risks providing data entails.
    • Design your privacy procedure with the user in mind.