Canadian privacy and data protection laws are consent-based. For the private non-health sector, express or implied consent is always required to collect, use or disclose personal information ("PI"), subject to limited exceptions that vary across jurisdictions. Unlike other countries, most Canadian laws do not recognize "legitimate interests", or even "performance of a contract", as lawful bases to process PI without consent.
Many organizations are aware that they need consent to process Canadian personal information, but they are not familiar with all the specific rules and restrictions that must be followed.
For example, under the Federal Personal Information Protection and Electronic Documents Act ("PIPEDA"), consent is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of their PI. The Office of the Privacy Commissioner of Canada (the "OPC") has interpreted this to mean that organizations cannot rely on information "buried" in a privacy policy or terms of use. Rather, certain key elements must be brought to the attention of individuals, including: (1) what PI is being collected; (2) the parties with whom PI will be shared; (3) the purposes for which PI will be collected, used and disclosed; and (4) risk of harm and other consequences.
Some of the provincial equivalents to PIPEDA also prescribe validity requirements applicable to consent. In particular, without limitation, Quebec's Act respecting the protection of personal information in the private sector (the "Quebec Act") provides that: (i) consent must be clear, free, informed, and given for specific purposes; (ii) consent must be requested for each purpose in clear and simple language; (iii) if the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned; and (iv) consent is valid only for the time necessary to achieve the purposes for which it was requested. Like the OPC, the Commission d'accès à l'information du Québec (the "CAI") has published detailed guidance on obtaining valid consent. Among other things, the CAI has indicated that consent must be "granular". Accordingly, if there are multiple intended purposes for using and disclosing PI, consent must be requested separately for each of them (i.e., individuals must not be provided with only one choice to accept or reject all uses and disclosures "en bloc").
The guidance published by the OPC (here- New Window) and the CAI (here- This link will open a PDF document) sets out a number of other mandatory and recommended criteria for obtaining consent, which should be taken into account when organizations are designing their consent strategies for Canada.
The basic validity requirements for consent are just the tip of the iceberg. Here's some other things you may not know about consent:
- Although consent can sometimes be deemed or implied, the circumstances where this is permitted vary across jurisdictions. Implied consent must still be "informed", and so a legally-compliant privacy notice is usually still required.
- Consent cannot fix an unreasonable data processing activity. Organizations must have a reasonable purpose for collecting, using or disclosing PI (or, in Quebec, a serious and legitimate purpose), regardless of whether consent is obtained.
- Organizations cannot require consent to any non-essential collection, use or disclosure of PI, as a condition of providing a product or services.
- Organizations are responsible for ensuring the validity and sufficiency of any consents provided by individuals, even if they rely on another organization to obtain consents on their behalf. This is especially relevant for service providers, which often contractually assign responsibility for obtaining consents to their clients who have a direct relationship with the relevant individuals (see: PIPEDA Findings #2019-004- New Window).
Action Items
Consent is a complex issue. To get consent right, your organization should: (1) confirm that consent is being obtained for every collection, use and disclosure of PI, and that updated consents are obtained for any new uses or disclosures of PI after collection, or that there is a permitted exception in all relevant jurisdictions; (2) consider the sufficiency of contractual terms and oversight activities when relying on another organization to collect consents; (3) review and update legacy consent processes for compliance with recent statutory changes and regulatory guidance; (4) implement a process to document and retain records of consents, including defined retention periods for such records; (5) develop a process to respond to any withdrawal of consent from an individual; (6) establish a consent management policy and procedures; and (7) train employees on consent requirements and your organization's consent processes.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024