From the Y Blog

Is your consent meaningful?

Do you read the privacy policies of every site you visit? Can any of us truly say that we know who has access to our personal information and how they are using it, whether or not we consented to its collection and use? In this day and age, is our consent ever truly informed and meaningful? It should be.

Advancements in technology and the dawn of the internet of things have spawned new business models and entire new ecosystems based on the collection, use, and access to data. Big data analytics tools can associate information in unprecedented and, at times, invasive ways. We are barraged by relentless demands to share information in the name of efficiency and seamless personalized service. Our personal information is being collected and used both with and without our knowledge and consent. We have privacy legislation that intends to hold those who take and use our personal information accountable, but the system simply was not designed to withstand this attack – it struggles to keep up with the breakneck pace of information flow in the technological revolution. 

The principle of consent forms the bedrock of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). We protect our privacy by exercising control over how much of our personal information we consent to share with others. Organizations subject to PIPEDA may not collect, use, or disclose our personal information in the reasonable course of their business without first obtaining our consent either before or at the time they collect our personal information. If an organization wishes to use our personal information that it already collected from us for a different purpose, it must seek our consent again.  

Recognizing that consent must strike a balance between preserving our autonomy over our personal information and an organization’s need to access some of our personal information to conduct business in the modern age, as part of its strategic priority work on the Economics of Privacy, the Office of the Privacy Commissioner of Canada (the “OPCC”) set out to explore potential enhancements to consent models in 2016. That work laid the foundation for the OPCC’s release of its Guidelines for Obtaining Meaningful Consent (the “Guidelines”) in May 2018, which it began to apply on January 1, 2019.

The Guidelines are predicated on seven guiding principles for meaningful consent that serve as a framework on which organizations are expected to layer innovative and creative solutions to develop a contextual consent process that is compliant with privacy law and that:

  1. Promotes easy access to clear explanations of why a particular piece of personal information is being collected, how it will be used, to whom it will be disclosed, and whether its disclosure and use may pose significant harm to you;
  2. Provides information in a way that allows you to control the level of detail you wish to see, possibly through a layered approach, rather than confronting you with the digital equivalent of a printout of that information;
  3. Recognizes that consent must be clear to be meaningful and therefore provides clear consent mechanisms that allow you to give or withhold consent as well as to reconsider your initial consent;
  4. Uses a variety of interactive communication strategies such as “just-in-time” notices – that is, notices explaining why the information is needed that appear near the space where you would input the information requested – or interactive walkthroughs of privacy settings, videos explaining key concepts, and/or infographics and similar visual tools. The Guidelines call for particular attention to mobile interfaces: given the limited screen real estate on mobile devices, your attention should be drawn to key decision points where you may appreciate additional guidance. The mobile apps guidance document is a good reference tool when designing the mobile consent experience;
  5. Walks the path of its customers to ensure that the privacy content is accessible from all types of electronic devices, uses clear language at a level of comprehension suitable to a diverse audience, is user-friendly, and is tailored to the product or service being offered. Organizations are even encouraged to engage user interface and user experience (UI/UX) designers in the development of the consent process;
  6. Anticipates that the complexity of information flows will give rise to follow-up questions and addresses these questions preemptively by developing and regularly updating FAQs and implementing technologies such as chatbots;
  7. Is accountable and ready to demonstrate that legislation-compliant processes to obtain consent from individuals are in place and that the organization has considered and implemented the principles in the Guidelines. The OPCC’s expectation of an organization’s compliance and accountability, and of the steps it has taken to demonstrate them, will take into account the size of the organization and the amount and type of personal information it collects, uses or discloses.

Despite the Supreme Court of Canada’s proclamation that “Privacy is at the heart of liberty in a modern state…Grounded in man’s physical and moral autonomy, privacy is essential for the well-being of the individual,” the impetus to protect one’s privacy in the technological age is sadly waning because, according to some, “(u)nderstanding how our personal information is being used in this environment is becoming increasingly difficult if not impossible for the average person. Thus, expecting individuals to take an active role in deciding how their personal information is used in all instances is increasingly unrealistic.”[1]

Despite that fatalistic sentiment, making the consent process more transparent, meaningful, and accessible by implementing the seven Guidelines, coupled with embedding privacy at all levels of education, will make great strides toward stemming the erosion of our privacy rights.

While these guidelines refer to personal information, their application to the collection and use of personal health information – the distinctly sensitive subset of personal information governed by the Personal Health Information Protection Act (“PHIPA”) – would be a welcome development.

[1] Center for Information Policy Leadership. “The Role of Enhanced Accountability in Creating a Sustainable Data-driven Economy and Information Society.” Discussion draft. October 21, 2015.
